Search This Blog

HavanaCrypt Ransomware Deployed Via Fake Google Updates

The ransomware leverages Microsoft web hosting service IP address as its command-and-control server to bypass detection.


Trend Micro researchers have unearthed a new ransomware family dubbed ‘HavanaCrypt’ being deployed as a fake Google Software Update application. 

The ransomware launches multiple anti-virtualization checks and employs a Microsoft web hosting service IP address for its command and control (C&C) server, which allows it to bypass detection. HavanaCrypt also leverages a namespace method function in its execution process, a report from Trend Micro explained. 

“It disguises itself as a Google software update application and uses a Microsoft web hosting service IP address as its command-and-control server to circumvent detection,” Trend Micro said in a blog. 

The ransomware is the latest in a series of malware that poses as a legitimate application. This year alone has seen ransomware masquerading as Windows 10, Google Chrome, and Microsoft Exchange updates. 

HavanaCrypt modus operandi 

HavanaCrypt is a .NET-compiled application, that employs an open-source tool called Obfuscar to obfuscate its code. Once installed on a system, HavanaCrypt examines the AutoRun registry to see whether the "GoogleUpdate" registry is already present. If not, it continues with the routine. 

The malware then undertakes a four-stage assessment of whether the compromised device is running in a virtualized environment. 

First, it checks for services used by common virtualization applications such as VMWare Tools and vmmouse. Then it scans for files related to virtual applications, followed by a check for specific file names employed in virtual environments. Finally, it compares the machine's MAC address with unique identifier prefixes usually employed in virtual machine settings. If any of the checks show the infected machine to be in a virtual environment, the malware terminates itself. 

Additionally, the malware designs a text file that logs all the directories containing the encrypted files. The file is named foo.txt and the ransomware encrypts it as well. No ransom note is dropped. 

"It is highly possible that the ransomware's author is planning to communicate via the Tor browser because Tor is among the directories that it avoids encrypting files in. It should be noted that HavanaCrypt also encrypts the text file foo.txt and does not drop a ransom note. This might be an indication that HavanaCrypt is still in its development phase," said Bharat Mistry, technical director at Trend Micro.
Share it:

Cyber Attacks

Fake Updates


User Security

Web Servers