HavanaCrypt ransomware propagates via fake Google updates

July 19, 2022
Tags: HavanaCrypt, Ransomware, Fake Google Updates, .NET Malware

Sneaking malware onto victims' computers through fake Microsoft and Google software updates has become a threat for both victims and security researchers. According to a recent report on the issue, researchers have spotted a new ransomware tool, dubbed HavanaCrypt, disguised as a Google Software Update application.

The threat operators’ C2 server is hosted on an MS web hosting IP address, which experts found unusual for ransomware campaigns. Furthermore, the new ransomware does not drop ransom notes for the victims.

Based on their observations of the new ransomware tool, researchers said it uses several techniques to check whether it has been deployed in a virtual environment. HavanaCrypt also reuses code from the open-source KeePass password manager during its encryption routine and calls the .NET function "QueueUserWorkItem" to speed up encryption by running it on thread-pool threads.


Threat operators have been actively spreading ransomware tools like HavanaCrypt through fake software updates, including bogus Windows, MS Exchange, and Google Chrome updates.


For instance, another ransomware sample detected last May, dubbed Magniber, disguises itself as a Windows 10 update to target users of the Windows OS. Researchers have also seen the Magnitude Exploit Kit trick users by masquerading as a Microsoft Edge browser update.

As .NET-based malware, HavanaCrypt first obfuscates itself on the system and then checks whether the GoogleUpdate registry key is present; it continues only if that key is absent. The ransomware then goes through several stages to determine whether the system is a virtual machine.

Once it has verified that the system is not a virtual machine, HavanaCrypt retrieves from its remote C2 server a batch file containing commands that reconfigure Windows Defender. The ransomware can also stop critical processes on the system, such as desktop and database applications. It then deletes shadow copies, removes data-restoration functions, and harvests system information, including details about the computer's processor.
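A defender-side illustration of the chain described above, added here and not taken from the report: a small Python correlation over constructed Sysmon-style process-creation events that flags a host when a GoogleUpdate.exe running outside Google's update directory, or Defender tampering, is followed by shadow-copy deletion. The host names, event fields and the concrete commands matched for each stage are assumptions for the example; the article names the steps, not the commands.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (invented sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 1, "image": r"C:\Users\a\Downloads\GoogleUpdate.exe", "cmd": "GoogleUpdate.exe"},
    {"host": "ws01", "ts": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws01", "ts": 3, "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /F /IM sqlservr.exe"},
    {"host": "ws01", "ts": 4, "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "ts": 1, "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "cmd": "GoogleUpdate.exe /c"},
    {"host": "ws02", "ts": 2, "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin list shadows"},
]

# Where the real Google updater lives; a GoogleUpdate.exe anywhere else is suspicious.
LEGIT_GOOGLE_DIR = re.compile(r"^C:\\Program Files( \(x86\))?\\Google\\Update\\", re.I)

# Command-line patterns for the later stages. The commands are assumed to be typical of each
# step (Defender config, killing desktop/database apps, shadow-copy deletion), not taken from the article.
COMMAND_STAGES = [
    ("defender_tamper", re.compile(r"set-mppreference\s.*-disable", re.I)),
    ("kill_db_or_desktop_app", re.compile(r"taskkill\s.*/im\s+(sqlservr|mysqld|oracle|outlook|winword)\.exe", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin\s.*delete\s+shadows|wmic\s.*shadowcopy\s+delete", re.I)),
]

def classify(event):
    """Return the kill-chain stage an event matches, or None."""
    image = event["image"]
    if image.lower().endswith("googleupdate.exe") and not LEGIT_GOOGLE_DIR.match(image):
        return "fake_google_update"
    for name, pattern in COMMAND_STAGES:
        if pattern.search(event["cmd"]):
            return name
    return None

def detect_chain(events):
    """Per host, collect matched stages in time order and flag the host when the fake
    updater or Defender tampering precedes shadow-copy deletion."""
    stages_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        stage = classify(ev)
        if stage:
            stages_by_host[ev["host"]].append(stage)
    flagged = {}
    for host, seen in stages_by_host.items():
        if "shadow_copy_deletion" in seen:
            before = set(seen[:seen.index("shadow_copy_deletion")])
            if before & {"fake_google_update", "defender_tamper"}:
                flagged[host] = seen
    return flagged
```

Running `detect_chain(SAMPLE_EVENTS)` flags only ws01, where the full sequence appears; ws02 runs the genuine updater and merely lists shadow copies, so it is not reported.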

People who do not recognise these ransomware campaigns can easily be victimised and end up downloading malicious payloads onto their machines. Experts have therefore advised organisations to maintain multi-layered defences to protect their environments from such threats.

Aside from properly implementing strong system defences against such ransomware tools, organisations must also impart knowledge to their end-users about the threats posed by cybercriminal actors.
