Ransomware may not be a new threat to businesses, but it is constantly evolving. Yesterday, Trend Micro researchers disclosed a new ransomware family called HavanaCrypt, which presents itself to users as a Google software update. HavanaCrypt uses Microsoft web hosting for its command-and-control server to circumvent detection, and it employs multiple anti-virtualization techniques that help it avoid dynamic analysis when executed in a virtual machine.
We heard from Daniel Thanos, VP of Arctic Wolf Labs, who shared the implications of advancements by threat actors, such as HavanaCrypt, and what this means for the industry from a technical perspective.
Daniel Thanos, VP, Arctic Wolf Labs
"Adversaries structure their attacks to abuse trust so that they can evade the defenses/detections most organizations depend on. In this case, using trusted address spaces from trusted hosts that would regularly be whitelisted by many folks is not new. Attackers also use AWS hosting to get away with this when they can, or they hijack/takeover otherwise “clean” hosts/addresses spaces whenever possible. It is not just trusted addresses that get abused in ransomware attacks, it is also trusted tools/applications found in many enterprises, in the many Living Off the Land (LOL) tactics that are used by ransomware operators when delivering their payloads.
What this teaches us is that conventional detections/defenses that depend on static indicators/signatures, or treat certain address spaces, applications, users, processes, etc. as trusted, failed a long time ago. Instead, your cyber defense needs to be based on behavioral detections based on the actual TTPs that adversaries are using, and can’t rely on any one security tool, or on an approach of certain system elements being trusted or untrusted. Your threat defense needs to be informed by actual adversarial tradecraft, and must be continually researching and evolving on a daily basis based on that tradecraft changing every day over the thousands of possible attacks that are possible at any given time. All of this must be an integrated element of your security operations.
It is highly possible that the ransomware's author is planning to communicate via the Tor browser, because Tor's directory is among the directories that it avoids encrypting files in. In its current stage, HavanaCrypt does not drop a ransom note, which may be an indication that it is still in its development phase. If it is indeed in the beta phase, take the time to prepare. Tor is being used again; block it – there is no use for Tor in most enterprises.
Additional insights here on this threat actor/threat:
1. Disguises itself as a Google Software Update application
2. Uses Microsoft web hosting as its command-and-control server to circumvent detection.
3. The ransomware uses the QueueUserWorkItem function, a .NET System.Threading namespace method that queues a method for execution. It also uses the modules of KeePass Password Safe, an open-source password manager, during its file encryption routine.
4. The ransomware is a .NET-compiled application and is protected by Obfuscar, an open-source .NET obfuscator used to help secure code in a .NET assembly.
5. The malware has multiple anti-virtualization techniques that help it avoid dynamic analysis when executed in a virtual machine.
6. After verifying that the victim machine is not running in a virtual machine, HavanaCrypt downloads a file named "2.txt" from 20[.]227[.]128[.]33, a Microsoft web hosting service IP address, and saves it as a batch (.bat) file with a file name containing between 20 and 25 random characters.
7. HavanaCrypt uses KeePass Password Safe modules during its encryption routine. In particular, it uses the CryptoRandom function to generate random keys needed for encryption.
8. HavanaCrypt encrypts files and appends ".Havana" as a file name extension."
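As an added illustration of the behavioural detections Thanos argues for (this is example code written for this page, not Trend Micro's or Arctic Wolf's), the following Python sketch runs over a constructed set of Sysmon-style file-create events and flags the two host-side traits the write-up describes: a batch file written under a name of 20 to 25 random characters, and a burst of files renamed with the .Havana extension, raising severity when one process shows both. The alphanumeric character set, the digit/letter mix used as a cheap randomness filter, the burst threshold, and all paths, process names and PIDs are assumptions; the download from the Microsoft-hosted IP would pass a static allow list, which is why the rule keys on what the process does on disk rather than where it connected.

```python
"""Behavioural detection sketch for HavanaCrypt-style file activity.

Added example over constructed Sysmon-like file-create events (Event ID 11
style fields). Not Trend Micro or Arctic Wolf code; every value is illustrative.
"""
import re
from collections import defaultdict

# Traits reported for HavanaCrypt: a fetched batch file saved under a name of
# 20-25 random characters, and encrypted files given a ".Havana" extension.
# The [A-Za-z0-9] character set is an assumption (the report says only "random").
RANDOM_BAT_RE = re.compile(r"^[A-Za-z0-9]{20,25}\.bat$")
HAVANA_SUFFIX = ".havana"
BURST_THRESHOLD = 5      # assumed tuning value: .Havana creations by one process
MIN_DIGITS = 3           # assumed: random alphanumerics rarely carry fewer digits
MIN_LETTERS = 3


def basename(path: str) -> str:
    """Last path component, tolerating Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_random_bat(path: str) -> bool:
    """True for a .bat whose stem is 20-25 alphanumerics mixing letters and digits.

    The mix requirement is a heuristic so that descriptive names such as
    InstallHelperScript1.bat (20 chars, one digit) do not fire.
    """
    name = basename(path)
    if not RANDOM_BAT_RE.match(name):
        return False
    stem = name[:-4]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= MIN_DIGITS and letters >= MIN_LETTERS


def is_havana_file(path: str) -> bool:
    """True when the created file carries the .Havana extension (case-insensitive)."""
    return basename(path).lower().endswith(HAVANA_SUFFIX)


def analyse(events, burst_threshold: int = BURST_THRESHOLD):
    """Correlate both behaviours per process id and return a list of alerts.

    Each event is a dict with "pid", "image" (creating process) and "target"
    (path created). Severity is "high" when a process shows both traits,
    "medium" when only one crosses its threshold.
    """
    bats = defaultdict(list)
    havana = defaultdict(int)
    image = {}
    for ev in events:
        image[ev["pid"]] = ev["image"]
        if is_random_bat(ev["target"]):
            bats[ev["pid"]].append(ev["target"])
        elif is_havana_file(ev["target"]):
            havana[ev["pid"]] += 1

    alerts = []
    for pid in set(bats) | set(havana):
        findings = []
        if bats[pid]:
            findings.append(f"random-named batch file written: {bats[pid][0]}")
        if havana[pid] >= burst_threshold:
            findings.append(f"{havana[pid]} files created with .Havana extension")
        if not findings:
            continue
        severity = "high" if len(findings) == 2 else "medium"
        alerts.append({"pid": pid, "image": image[pid],
                       "severity": severity, "findings": findings})
    return sorted(alerts, key=lambda a: a["pid"])


# Constructed sample events (assumed paths, names and PIDs), not a real capture.
FAKE_UPDATER = r"C:\Users\alice\Downloads\GoogleUpdate.exe"
SAMPLE_EVENTS = [
    # pid 4120: process posing as a Google updater, behaving like HavanaCrypt
    {"pid": 4120, "image": FAKE_UPDATER,
     "target": r"C:\Users\alice\AppData\Local\Temp\kq3zv8mcj2x9bnh4tlwpe7.bat"},
    *[{"pid": 4120, "image": FAKE_UPDATER,
       "target": rf"C:\Users\alice\Documents\report{i}.docx.Havana"} for i in range(6)],
    # pid 7788: legitimate installer writing a descriptively named batch file
    {"pid": 7788, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\InstallHelperScript1.bat"},
    # pid 9001: a single user file ending in .Havana, below the burst threshold
    {"pid": 9001, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\trip.Havana"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid {alert['pid']} {alert['image']}")
        for finding in alert["findings"]:
            print("   -", finding)
```

Run against the constructed events, only pid 4120 alerts, at high severity, because it both wrote the random-named batch file and produced six .Havana files; the installer's batch file and the lone .Havana file on the desktop stay quiet. In production the same two predicates would sit in a SIEM or EDR rule keyed on process identity rather than on the C2 address.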