"New 'HavanaCrypt' Ransomware Distributed as Fake Google Software Update"

Security researchers at Trend Micro have discovered a new ransomware family that is being delivered as a fake Google Software Update application. The researchers dubbed the ransomware HavanaCrypt. The ransomware performs multiple anti-virtualization checks and uses a Microsoft web hosting service IP address for its command and control (C&C) server, which helps it evade detection. During their analysis of HavanaCrypt, the researchers also found that it uses a namespace method function that queues a method for execution and that it employs the modules of an open-source password manager during encryption. The researchers noted that HavanaCrypt is compiled in .NET and protected with the Obfuscar open-source obfuscator. After execution, HavanaCrypt hides its window, checks the AutoRun registry key for a “GoogleUpdate” entry, and continues its routine only if that entry is not found. Next, according to the researchers, it proceeds with its anti-virtualization routine, which consists of four stages: it first checks for services associated with virtual machines, then for files related to virtual machine applications, then for file names used by VM executables, and finally it checks the machine’s MAC address. The researchers stated that if all the checks pass, the malware downloads a file named “2.txt” from a Microsoft web hosting service IP address, saves it as a .bat file, and executes it. The batch file contains instructions for Windows Defender to ignore detections in the “Windows” and “User” directories.


SecurityWeek reports: "New 'HavanaCrypt' Ransomware Distributed as Fake Google Software Update"
