The HavanaCrypt ransomware has data exfiltration capabilities and goes to great lengths to avoid analysis.

A new strain of ransomware has been claiming victims for the past two months, masquerading as a Google software update application and reusing an open-source password management library for encryption. Dubbed HavanaCrypt by researchers from Cybereason, the new ransomware program features anti-analysis, data exfiltration and privilege escalation mechanisms, but doesn’t seem to drop a traditional ransom note.

HavanaCrypt deployment

The researchers don’t have much information about the initial access vector, because the sample they analyzed was obtained from VirusTotal, a web-based file scanning service, where it was likely uploaded by a victim. What is clear is that the metadata of the malicious executable has been modified to list the publisher as Google and the application name as Google Software Update, and that upon execution it creates a registry autorun entry called GoogleUpdate. Based on this, one could assume that the lure used to distribute the ransomware, whether via email or the web, is centered on a fake software update.

HavanaCrypt is written in .NET and uses an open-source binary code obfuscator called Obfuscar to hide function names and other details, making reverse engineering harder. The authors also used their own code routines to hide strings in the binary. The malware checks whether processes typically associated with virtual machine applications are present on the system and, if any are found, it checks the MAC addresses of the network adapters to see if they match known virtual adapters. These checks are meant to block analysis, which often involves executing suspicious binaries inside virtual machines (VMs). The program also contains a mechanism that attempts to evade analysis via debuggers.
It’s clear that HavanaCrypt’s creators put a lot of effort into making static and automated analysis harder. If any of these checks fail, the program stops executing. If the checks pass, the ransomware downloads a .txt file from an IP address associated with Microsoft’s web hosting services; the file is actually a script that adds certain directories to the scan exclusion list of Windows Defender.

It then attempts to kill a long list of processes that might be running on the system. These processes are associated with popular applications including Microsoft Word, email clients, database servers, VMs, and data synchronization agents. The goal is to clear the filesystem locks held by these programs so their files can be encrypted. The ransomware also deletes all restore points and Volume Shadow Copies to prevent easy restoration of files.

HavanaCrypt copies itself into the StartUp and ProgramData folders using a randomly generated 10-character name. The file is then marked “System file” and “Hidden” to prevent easy discovery, since by default Windows will not show such files in File Explorer.

HavanaCrypt encryption

The ransomware then collects information about the infected machine and sends it to a command-and-control (C2) server, which assigns a unique identification token to the machine and generates the unique keys used for encryption. The encryption routine itself is implemented with a library associated with the open-source KeePass password manager. Using a well-tested library instead of implementing their own encryption routine lets HavanaCrypt’s creators avoid major mistakes that could later allow researchers to create a free decryptor.

The malware iterates through all files, directories, drives and disks found on the system and appends the .Havana extension to every encrypted file. However, there is a folder and file extension exclusion list to keep the system functional.
Interestingly, even though the ransomware doesn’t seem to drop a traditional ransom note, the Tor Browser folder is present in the encryption exclusion list, which suggests the attackers intend to use Tor for data exfiltration or C2 communications.
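The host-side behaviours the article describes (a Run-key autorun named GoogleUpdate, a Hidden+System copy with a random 10-character name in StartUp or ProgramData, and mass renames to .Havana) translate directly into triage logic. The script below is an added example, not Cybereason’s or the article’s own code; the event dict shape, field names and sample values are constructed for illustration, and the exact form of the random filename is an assumption.

```python
import re

# Constructed sample telemetry (not real events), in the per-event dict shape an EDR pipeline might hand a script.
EVENTS = [
    {"type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "GoogleUpdate", "data": "C:\\ProgramData\\kq2ZmV8xPd.exe"},
    {"type": "file_create", "path": "C:\\ProgramData\\kq2ZmV8xPd.exe",
     "attrs": {"hidden", "system"}},
    {"type": "file_create", "path": "C:\\Users\\a\\Documents\\notes.txt", "attrs": set()},
    {"type": "file_rename", "path": "C:\\Users\\a\\Documents\\q1.xlsx.Havana"},
    {"type": "file_rename", "path": "C:\\Users\\a\\Documents\\q2.xlsx.Havana"},
    {"type": "file_rename", "path": "C:\\Users\\a\\Pictures\\cat.jpg.Havana"},
]

# Folders the article names as copy destinations, and the 10-character
# random executable name it describes (exact character set is an assumption).
STAGING_DIRS = ("\\programdata\\", "\\start menu\\programs\\startup\\")
RANDOM_EXE = re.compile(r"^[a-z0-9]{10}\.exe$", re.IGNORECASE)

def in_staging_dir(path):
    return any(d in path.lower() for d in STAGING_DIRS)

def autorun_hits(events):
    """Run-key values named GoogleUpdate that point into a staging folder."""
    return [e for e in events if e["type"] == "registry_set"
            and e["key"].lower().endswith("\\run")
            and e["name"].lower() == "googleupdate"
            and in_staging_dir(e["data"])]

def hidden_copy_hits(events):
    """Hidden+System executables with random 10-char names in staging folders."""
    return [e for e in events if e["type"] == "file_create"
            and {"hidden", "system"} <= e["attrs"]
            and in_staging_dir(e["path"])
            and RANDOM_EXE.match(e["path"].rsplit("\\", 1)[-1])]

def havana_rename_count(events):
    """Number of files renamed to carry the .Havana extension."""
    return sum(1 for e in events if e["type"] == "file_rename"
               and e["path"].lower().endswith(".havana"))

def triage(events, rename_threshold=3):
    # One finding per behaviour seen; the threshold damps single-file noise.
    findings = [f"autorun {e['name']} -> {e['data']}" for e in autorun_hits(events)]
    findings += [f"hidden/system drop {e['path']}" for e in hidden_copy_hits(events)]
    n = havana_rename_count(events)
    if n >= rename_threshold:
        findings.append(f"{n} files renamed to .Havana")
    return findings
```

Any one finding on its own is weak (legitimate Google Update also registers an autorun), so in practice the three are correlated per host before alerting.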