New ransomware HavanaCrypt poses as Google software update

A new strain of ransomware has been making victims for the past two months, masquerading as a Google software update application and reusing an open source password management library for encryption.

Dubbed HavanaCrypt by researchers from Cybereason, the new ransomware program features anti-analysis, data exfiltration and privilege escalation mechanisms, but doesn't seem to be dropping a traditional ransom note.

HavanaCrypt deployment

The researchers don't have a lot of information about the initial access vector because the sample they analysed was obtained from VirusTotal, a web-based file scanning service, where it was likely uploaded by a victim. 

What is clear is that the metadata of the malicious executable has been modified to list the publisher as Google and the application name as Google Software Update and upon execution it creates a registry autorun entry called GoogleUpdate. Based on this information, one could assume that the lure used to distribute the ransomware, either via email or the web, is centred around a fake software update.

HavanaCrypt is written in the .NET programming language and uses an open-source binary code obfuscator called Obfuscar to hide function names and other details, making reverse-engineering harder. Furthermore, the authors also used their own code functions to hide strings in the binary.

The malware also checks if processes typically associated with virtual machine applications are present on the system and if any are found, it checks the MAC addresses of the network card to see if they match known virtual adapters. 

These checks are meant to block analysis that often involves executing suspicious binaries inside virtual machines (VMs). The program also contains a mechanism that attempts to evade analysis via debuggers.

It's clear that HavanaCrypt's creators put a lot of effort into making static and automated analysis harder. If any of these checks fail, the program will stop its execution. If the checks pass, the ransomware will download a .txt file from an IP address associated with Microsoft's web hosting services that is actually a script to add certain directories to the scan exclusion list of Windows Defender.

It then attempts to kill a long list of processes that might be running on the system. These processes are associated with popular applications including Microsoft Word, email clients, database servers, VMs, and data synchronisation agents. 

The goal is to clear the filesystem locks set by these programs so their files can be encrypted. The ransomware also deletes all restore points and Volume Shadow copies to prevent the easy restoration of files.

HavanaCrypt copies itself in the StartUp and ProgramData folders using a randomly generated 10-character name. The file is then set as “System file” and “Hidden” to prevent easy discovery since by default Windows will not show these files in its file explorer.

HavanaCrypt encryption

The ransomware then collects information about the infected machine that is then sent to a command-and-control (C2) server, which assigns a unique identification token to it and generates the unique keys used for encryption.

The encryption routine itself is achieved by using a library associated with the open-source KeePass password manager. Using a well-tested library instead of implementing their own encryption routine allows HavanaCrypt's creators to avoid making major mistakes that could later lead to researchers creating a free decryptor.

The malware will iterate through all files, directories, drives and disks found on the system and append the .Havana extension to all encrypted files. However, there is a folder and file extension exclusion list to keep the system functional.

Interestingly, even though the ransomware doesn't seem to drop a traditional ransom note, the Tor Browser folder is present in the encryption exclusion list, which suggests the attackers intend to use Tor for data exfiltration or C2 communications.