Researchers have identified a new ransomware family named HavanaCrypt, distributed as a fake Google Software Update.
It performs multiple anti-virtualization checks and uses a Microsoft web hosting service IP address for its command-and-control (C&C) server, which helps it evade detection.
HavanaCrypt was found to use a namespace method function that queues a method for execution, and it employs the modules of an open-source password manager during encryption.
Developed in .NET and wrapped with an open-source obfuscator, HavanaCrypt hides its window after execution, then checks the AutoRun registry key for a GoogleUpdate entry and continues with its routine only if that entry is not found.
The anti-virtualization routine has four stages:
- It checks for services associated with virtual machines.
- It checks for files related to virtual machine applications.
- It checks for file names used by VM executables.
- It checks the machine's MAC address.
Once these checks have passed, the malware downloads a file named "2.txt" from a Microsoft web hosting service IP address, saves it as a .bat file, and executes it. The batch file contains instructions for Windows Defender to ignore detections in the Windows and User directories.
It then terminates all running processes, queries all disk drives, deletes all shadow copies, and uses WMI to identify and delete system restore instances.
The malware uses the CryptoRandom function of KeePass Password Safe to generate its encryption keys, and encrypted files are given the .Havana extension.
The malware also creates a text file that logs all the directories containing the encrypted files. The file is named foo.txt and the ransomware encrypts it as well. No ransom note is dropped.
This is a clear indication that HavanaCrypt is still in its development phase.
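As an added example (not code from the report above), the behaviour chain described here can be correlated in process-creation telemetry: the fake GoogleUpdate AutoRun entry, Defender exclusions for the Windows and user directories, shadow copy deletion, and WMI tampering with system restore. The command-line forms matched are assumed typical ones, not strings taken from the HavanaCrypt sample, and the event records are constructed.

```python
import re
from collections import defaultdict

# Detection rules for the behaviours described above. The command-line forms are
# assumed typical ones (not quoted from the sample); tune them to your telemetry.
RULES = {
    "fake_googleupdate_autorun": re.compile(r"\\CurrentVersion\\Run\b.*\bGoogleUpdate\b", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wmi_system_restore_tamper": re.compile(
        r"wmic(?:\.exe)?.*\bsystemrestore\b.*\b(?:delete|disable)\b", re.I),
}

# A single hit (e.g. an admin's "vssadmin list shadows") should not page anyone;
# alert only when one host triggers several distinct rules of the chain.
MIN_DISTINCT_RULES = 2

def match_rules(cmdline):
    """Return the names of all rules that match one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def correlate(events):
    """Group rule hits per host; return {host: sorted rule names} for hosts at or
    above the threshold. `events` is an iterable of dicts with 'host' and 'cmd'."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits[ev["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= MIN_DISTINCT_RULES}

# Constructed process-creation records (not real telemetry) covering the chain above.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "C:\Users\u\AppData\Roaming\GoogleUpdate.exe"'},
    {"host": "ws01", "cmd": r'cmd.exe /c C:\Users\u\AppData\Local\Temp\2.bat'},
    {"host": "ws01", "cmd": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Windows"'},
    {"host": "ws01", "cmd": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users"'},
    {"host": "ws01", "cmd": r'vssadmin.exe delete shadows /all /quiet'},
    {"host": "ws01", "cmd": r'wmic /namespace:\\root\default path SystemRestore delete'},
    {"host": "ws02", "cmd": r'vssadmin list shadows'},  # benign admin activity, no alert
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```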
Indicators of Compromise