HavanaCrypt ransomware sails in as a fake Google update
Difficult to detect, hiding its window by using the ShowWindow function in Windows
A new ransomware family is being delivered as a bogus Google Software Update, using Microsoft functionality as part of its attack.
Researchers with Trend Micro say they uncovered the latest threat, dubbed "HavanaCrypt", a ransomware package that presents itself as a Google Software Update though it is a .NET-compiled application.
Several features make it difficult to detect. The malware uses Obfuscar, an open-source obfuscator in .NET that is designed to secure codes in a .NET assembly.
Once it executes, the ransomware hides its window by using the ShowWindow function in the system, giving it a parameter of 0.
"The malware also has multiple anti-virtualization techniques that help it avoid dynamic analysis when executed in a virtual machine," the researchers wrote, adding that if the ransomware finds the system is running in a VM environment, it will terminate itself.
It runs the VM check in four stages: checking for services found in VMs such as VMware Tools and vmmouse, looking for file normally related to VM applications and searching for file names used by VMs for their executables. Lastly, the malware looks at the system's MAC address and compares it to organizationally unique identifier (OUI) prefixes usually used by virtual machines.
Once it verifies that the victim's system isn't running in a VM, HavanaCrypt downloads a file from Microsoft's web hosting service IP address, saves it as a batch file and runs it. The malware terminates more than 80 processes, including those that are part of database-related applications like Microsoft SQL Server and MySQL as well as desktop software, such as Office and Steam. It then deletes shadow copies of files.
HavanaCrypt subsequently puts executable copies of itself in both the "ProgramData" and "StartUp" folders, makes them hidden system files and disables the Task Manager. The malware also uses the QueueUserWorkItem function in .NET to implement threat pooling for other payloads and encryption threads
It collects information on the system – the unique identifier (UID) – from the number of processors cores, the chip's ID and name, the motherboard manufacturer and name, the product number and the version of the BIOS. All of that is sent to the malware's control-and-command (C2) server, which is the Microsoft web hosting service IP address, another maneuver to evade detection. Using a C2 server that is part of Microsoft's web hosting services is unusual, the Trend Micro researchers wrote.
During encryption, HavanaCrypt uses the CryptoRandom function in KeePass Password Safe – an open-source password management tool used mostly for Windows – to generate random keys, appending the ".Havana" extension to the encrypted files.
"It is highly possible that the ransomware's author is planning to communicate via the Tor browser, because Tor's is among the directories that it avoids encrypting files in," the researchers wrote. "It should be noted that HavanaCrypt also encrypts the text file foo.txt and does not drop a ransom note. This might be an indication that HavanaCrypt is still in its development phase."
HavanaCrypt is feeding into the growing onslaught of ransomware families and attacks. Trend Micro in the first quarter detected and blocked more than 4.4 million ransomware threats coming through email, URLs and file layers, a 37 percent quarter-over-quarter increase, according to the cybersecurity vendor's Smart Protection Network, which collects and identifies threats.
This includes a fake Windows update distributing the Magniber ransomware – a threat that has been around since at least 2017 – and attacks that used fake Microsoft Edge and Google browser updates to push the Magnitude exploit.
- Start using Modern Auth now for Exchange Online
- We're now truly in the era of ransomware as pure extortion without the encryption
- Pentagon: We'll pay you if you can find a way to hack us
"Ransomware's pervasiveness is rooted in its being evolutionary: It employs ever-changing tactics and schemes to deceive unwitting victims and successfully infiltrate environments," they wrote in an analysis of HavanaCrypt. "For example, this year, there have been reports of ransomware being distributed as fake Windows 10, Google Chrome, and Microsoft Exchange updates to fool potential victims into downloading malicious files."
That also includes such trends as the rise in the last couple of years of the ransomware-as-a-service (RaaS) model, with code developers leasing their ransomware to other cybercriminals for use in their campaigns – for a cut of the ransom that is paid – and the adoption of double extortions, where attackers not only encrypt files but also steal them, threatening to publicly leak the data and damage the victim's reputation if the ransom isn't paid.
"Applying software updates promptly is arguably the single most useful thing you can do to keep yourself secure online, and vendors, experts, pundits, and blogs like ours, never let users forget it," Malwarebytes Lab analysts wrote in a blog post earlier this year that outlines the Magnitude attacks. "And because it's good advice that's easy to follow, cybercriminals like to use fake software updates to con users." ®