New HavanaCrypt ransomware poses as Google Software Update

Researchers from Trend Micro have warned about a new malicious operation that distributes ransomware disguised as a Google Software Update application.

According to Trend Micro’s report, HavanaCrypt is a .NET ransomware whose assembly is protected with Obfuscar, an open-source .NET obfuscator. Unusually for ransomware, it uses an IP address belonging to a Microsoft web hosting service as its command-and-control (C&C) server, so that its C&C traffic blends in with traffic to a legitimate provider and is less likely to be flagged.

The ransomware performs several checks to determine whether it is running inside a virtual machine, a common way for malware to evade dynamic analysis in a sandbox.

“First, it checks for services used by virtual machines such as VMWare Tools and vmmouse. Second, it checks for the usual files that are related to virtual machine applications. Third, it checks for file names used by virtual machines for their executables. Last, it checks the machine’s MAC address and compares it to organizationally unique identifier (OUI) prefixes that are typically used by virtual machines,” said the researchers.
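The four checks quoted above are simple to replay against your own analysis environment. The following is an added example, not HavanaCrypt's code and not Trend Micro's: it reimplements the same four checks in Python over a host "snapshot" so a sandbox operator can see which artifacts would give the VM away. The hypervisor OUI prefixes are the real registered ones; the service, file and executable names are illustrative assumptions, not the sample's own lists, and the two snapshots are constructed inputs.

```python
from dataclasses import dataclass

# OUI prefixes (first three octets of a MAC address) registered to hypervisor vendors.
VM_OUI_PREFIXES = {
    "00:05:69": "VMware",
    "00:0C:29": "VMware",
    "00:1C:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5D": "Hyper-V",
    "00:1C:42": "Parallels",
    "00:16:3E": "Xen",
}

# Assumed indicator lists for the example (guest-tooling services, driver files,
# helper executables). The malware's own lists are not reproduced here.
VM_SERVICES = {"vmtools", "vmmouse", "vboxservice", "vboxguest", "vmicheartbeat"}

VM_FILES = {
    r"c:\windows\system32\drivers\vmmouse.sys",
    r"c:\windows\system32\drivers\vmhgfs.sys",
    r"c:\windows\system32\drivers\vboxmouse.sys",
    r"c:\windows\system32\drivers\vboxguest.sys",
}

VM_EXECUTABLES = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
                  "vboxservice.exe", "vboxtray.exe"}


@dataclass
class HostSnapshot:
    """What an analyst collects from a host (or a sandbox) to replay the checks."""
    services: set
    files: set
    processes: set
    macs: set


def normalize_oui(mac):
    """Return the first three octets as 'XX:XX:XX', accepting common MAC spellings."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) < 6 or any(ch not in "0123456789ABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


def check_services(snapshot):
    """Check 1: running services named after VM guest tooling."""
    return sorted(s for s in snapshot.services if s.lower() in VM_SERVICES)


def check_files(snapshot):
    """Check 2: files that only exist when guest drivers are installed."""
    return sorted(f for f in snapshot.files if f.lower() in VM_FILES)


def check_executables(snapshot):
    """Check 3: process image names used by VM helper executables."""
    return sorted(p for p in snapshot.processes
                  if p.lower().rsplit("\\", 1)[-1] in VM_EXECUTABLES)


def check_mac_oui(snapshot):
    """Check 4: MAC address OUI prefix belonging to a hypervisor vendor."""
    hits = []
    for mac in snapshot.macs:
        oui = normalize_oui(mac)
        if oui in VM_OUI_PREFIXES:
            hits.append((mac, VM_OUI_PREFIXES[oui]))
    return sorted(hits)


def vm_indicators(snapshot):
    """Run all four checks and report what each one found."""
    return {
        "services": check_services(snapshot),
        "files": check_files(snapshot),
        "executables": check_executables(snapshot),
        "mac_oui": check_mac_oui(snapshot),
    }


def would_be_detected(snapshot):
    """Malware of this kind typically bails out if any single check fires."""
    return any(vm_indicators(snapshot).values())


# Constructed sample inputs: a typical analysis VM and a bare-metal workstation.
SANDBOX = HostSnapshot(
    services={"VMTools", "vmmouse", "Spooler"},
    files={r"C:\Windows\System32\drivers\vmmouse.sys"},
    processes={r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "explorer.exe"},
    macs={"00-0C-29-4F-A1-22"},
)

BARE_METAL = HostSnapshot(
    services={"Spooler", "WinDefend"},
    files=set(),
    processes={"explorer.exe", "svchost.exe"},
    macs={"3C:52:82:11:22:33"},
)

if __name__ == "__main__":
    for name, snap in (("sandbox", SANDBOX), ("bare metal", BARE_METAL)):
        verdict = "detected" if would_be_detected(snap) else "clean"
        print(f"{name}: {verdict} {vm_indicators(snap)}")
```

Running it against a real sandbox image (fill the snapshot from the service list, a file listing and the NIC table) shows exactly which artifacts to rename or hide; the MAC OUI check is the one most often forgotten, since a guest NIC keeps its vendor prefix unless the hypervisor is told to assign a different address. Note the flip side: the Hyper-V prefix means a sample using this check would also refuse to run on many ordinary Hyper-V and cloud-hosted Windows machines.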

HavanaCrypt borrows code from the open-source password manager KeePass Password Safe for its encryption routine, and it uses the .NET thread-pool method QueueUserWorkItem to run encryption work items concurrently and so speed up the process.

Unlike most modern ransomware, HavanaCrypt does not drop a ransom note on the infected system, which suggests the tool is still under development.
