September 26, 2022

Dyers Ville

New ‘HavanaCrypt’ Ransomware Distributed as Fake Google

Security researchers at Trend Micro have identified a new ransomware family that is being delivered as a fake Google Software Update application.

Dubbed HavanaCrypt, the ransomware performs several anti-virtualization checks and uses a Microsoft web hosting service IP address for its command and control (C&C) server, which helps it evade detection.

During their analysis of HavanaCrypt, Trend Micro also found that it uses a namespace method function that queues a method for execution, and that it uses the modules of an open-source password manager during encryption.

Compiled in .NET and protected using the Obfuscar open-source obfuscator, HavanaCrypt hides its window after execution, then checks the AutoRun registry for a “GoogleUpdate” entry and continues with its routine if the entry is not found.

Next, it proceeds with its anti-virtualization routine, which consists of four stages: first, it checks for services associated with virtual machines, then for files related to virtual machine applications, then for file names used for VM executables, and finally it checks the machine’s MAC address.

Should all the checks pass, the malware downloads a file named “2.txt” from a Microsoft web hosting service IP address, saves it as a .bat file, and executes it. The batch file contains instructions for Windows Defender to ignore detections in the “Windows” and “User” directories.

Next, the ransomware terminates a series of running processes, including those of database applications (Microsoft SQL Server and MySQL) and those of Microsoft Office and Steam.

Then, HavanaCrypt queries all disk drives and deletes all shadow copies, and uses Windows Management Instrumentation (WMI) to identify system restore instances and delete them.

After that, the ransomware drops executable copies of itself in the “ProgramData” and “StartUp” folders, sets them as hidden system files, and drops in the “User Startup” folder a .bat file that contains a function that disables the Task Manager.

HavanaCrypt generates a unique identifier (UID) based on system information such as processor cores and ID, processor name, socket, motherboard manufacturer and name, BIOS version, and product number.

During encryption, the malware uses the CryptoRandom function of KeePass Password Safe to generate encryption keys. The threat appends the “.Havana” extension to the encrypted files, and avoids encrypting files with certain extensions or those in specific directories, including that of the Tor browser, suggesting that the malware author might plan communication over the Tor network.

The malware also creates a text file that logs all the directories containing the encrypted files. The file is named foo.txt, and the ransomware encrypts it as well. No ransom note is dropped.
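The behaviours described above (Defender exclusions from the batch file, shadow copy deletion through WMI, hidden executable copies in ProgramData/StartUp, Task Manager disabled, the “.Havana” extension and the foo.txt directory log) can be turned into a simple triage rule over endpoint telemetry. The following is an added example, not code from the article or from Trend Micro; the event dict layout, the field names, the exact command lines and the DisableTaskMgr registry value are assumptions, and the sample events are constructed.

```python
# Added example: triage constructed endpoint events for HavanaCrypt-like behaviour.
# The event layout and field names are assumed; they mimic generic EDR/Sysmon output.
DROP_DIRS = ("\\programdata\\", "\\startup\\")   # folders the copies are dropped into
TASKMGR_VALUE = r"\policies\system\disabletaskmgr"  # assumed: standard Task Manager policy value

def triage(events):
    """Return the set of HavanaCrypt-like behaviours seen in a list of event dicts.
    Each event has 'type' in {'file', 'process', 'registry'} plus type-specific fields."""
    hits = set()
    for ev in events:
        if ev["type"] == "file":
            path = ev["path"].lower()
            if path.endswith(".havana"):
                hits.add("havana_extension")
            elif path.endswith("\\foo.txt"):
                hits.add("foo_txt_directory_log")
            elif path.endswith(".exe") and ev.get("hidden_system") and any(d in path for d in DROP_DIRS):
                hits.add("hidden_copy_in_startup_or_programdata")
        elif ev["type"] == "process":
            cmd = ev["cmdline"].lower()
            # assumed: the batch file adds Defender path exclusions via Add-MpPreference
            if "add-mppreference" in cmd and "exclusionpath" in cmd:
                hits.add("defender_exclusion_added")
            # shadow copies / restore points enumerated and deleted through WMI
            if "win32_shadowcopy" in cmd or "shadowcopy delete" in cmd:
                hits.add("shadow_copy_deletion")
        elif ev["type"] == "registry":
            if ev["key"].lower().endswith(TASKMGR_VALUE) and str(ev.get("data")) == "1":
                hits.add("task_manager_disabled")
    return hits

def verdict(hits):
    """Several of these behaviours together are what distinguish the family."""
    if len(hits) >= 3:
        return "likely HavanaCrypt activity"
    return "suspicious, review" if hits else "no match"

# Constructed sample telemetry (not real logs) that exercises every branch above.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Windows"'},
    {"type": "process", "cmdline": "wmic shadowcopy delete"},
    {"type": "file", "path": "C:\\ProgramData\\dropped_copy.exe", "hidden_system": True},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "data": 1},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\report.docx.Havana"},
    {"type": "file", "path": "C:\\Users\\alice\\foo.txt"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    print(sorted(found), "->", verdict(found))
```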

“This might be an indication that HavanaCrypt is still in its development phase. Nevertheless, it is important to detect and block it before it evolves further and does even more damage,” Trend Micro explains.

Related: Evasive Rust-Coded Hive Ransomware Variant Emerges

Related: Black Basta Ransomware Becomes Major Threat in Two Months

Related: Researchers Devise Attack Using IoT and IT to Deliver Ransomware Against OT

Ionut Arghire is an international correspondent for SecurityWeek.