HavanaCrypt Ransomware Poses as Google Update

Ransomware remains popular in large part because it works. In that sense, it’s not surprising, although it is alarming, that Trend Micro found it had detected and blocked more than 4.4 million ransomware threats stretching across email, URL and file layers during Q1 of 2022—and discovered a new family dubbed HavanaCrypt.

The activity in the first quarter represents an uptick of 37% in ransomware threats over the previous quarter.

“Ransomware’s pervasiveness is rooted in its being evolutionary: It employs ever-changing tactics and schemes to deceive unwitting victims and successfully infiltrate environments,” Trend Micro researchers wrote in a blog post detailing HavanaCrypt. “For example, this year, there have been reports of ransomware being distributed as fake Windows 10, Google Chrome and Microsoft Exchange updates to fool potential victims into downloading malicious files.”

Clever HavanaCrypt, the researchers said, “disguises itself as a Google Software Update application and uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to circumvent detection.”

They found that it also uses the QueueUserWorkItem function, which is a .NET System.Threading namespace method that queues a method for execution. What’s more, the ransomware taps the modules of open source password manager KeePass Password Safe during its file encryption routine.

HavanaCrypt has four stages of verification it uses to check whether or not the infected machine is running in a virtualized environment.

After verifying that the victim machine is not running in a virtual machine, HavanaCrypt downloads a file named “2.txt” from 20[.]227[.]128[.]33, a Microsoft web hosting service IP address, and saves it as a batch (.bat) file with a file name containing between 20 and 25 random characters.

It then proceeds to execute the batch file using cmd.exe with a “/c start” parameter. The batch file contains commands that are used to configure Windows Defender scan preferences to allow any detected threat in the “%Windows%” and “%User%” directories.

HavanaCrypt terminates a number of processes that are found running in a machine, including those that are part of database-related applications like Microsoft SQL Server and MySQL.

“After it terminates all relevant processes, HavanaCrypt queries all available disk drives and proceeds to delete the shadow copies and resize the maximum amount of storage space to 401 MB,” the researchers said. “It also checks for system restore instances via Windows Management Instrumentation (WMI) and proceeds to delete them by using the SRRemoveRestorePoint function.”
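As an added illustration (not code from the article or from Trend Micro), the Python below scores constructed endpoint log lines against three of the behaviours described above: a cmd.exe "/c start" launch of a .bat file whose name is 20 to 25 random characters, traffic to the reported C&C address, and shadow copy deletion. The log format, the alphanumeric alphabet assumed for the random file name and the vssadmin command form are assumptions, and the events are constructed.

```python
import re

# Constructed sample events, not taken from the original article. The format is
# an assumed simplified endpoint log: host|kind|key=value;key=value
SAMPLE_LOG = r"""
host1|proc|image=C:\Windows\System32\cmd.exe;cmdline=cmd.exe /c start C:\Users\bob\AppData\Local\Temp\aZ8kq2LmN4pR7sT1vW9xYb.bat
host1|net|image=C:\Users\bob\Downloads\GoogleUpdate.exe;dst=20.227.128.33:443
host1|proc|image=C:\Windows\System32\vssadmin.exe;cmdline=vssadmin delete shadows /all /quiet
host2|proc|image=C:\Windows\System32\cmd.exe;cmdline=cmd.exe /c start build.bat
host2|net|image=C:\Program Files\Mozilla Firefox\firefox.exe;dst=93.184.216.34:443
"""

C2_ADDRESS = "20.227.128.33"  # C&C address reported in the article
BAT_LAUNCH = re.compile(r'/c\s+start\s+"?([^\s"]+\.bat)"?', re.IGNORECASE)
RANDOM_NAME = re.compile(r"[A-Za-z0-9]{20,25}")  # assumed alphanumeric alphabet
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)  # assumed command form

def parse_line(line):
    host, kind, raw = line.split("|", 2)
    fields = dict(f.split("=", 1) for f in raw.split(";"))
    return host, kind, fields

def indicators(kind, fields):
    """Return the set of HavanaCrypt-style indicators a single event matches."""
    hits = set()
    if kind == "proc":
        cmdline = fields.get("cmdline", "")
        m = BAT_LAUNCH.search(cmdline)
        if m:
            base = m.group(1).rsplit("\\", 1)[-1][:-4]  # file name without ".bat"
            if RANDOM_NAME.fullmatch(base):
                hits.add("random_bat_via_cmd_start")
        if SHADOW_DELETE.search(cmdline):
            hits.add("shadow_copy_deletion")
    elif kind == "net" and fields.get("dst", "").split(":")[0] == C2_ADDRESS:
        hits.add("c2_contact")
    return hits

def score_hosts(log_text):
    """Map each host to the set of indicators seen across all of its events."""
    per_host = {}
    for line in log_text.strip().splitlines():
        host, kind, fields = parse_line(line)
        per_host.setdefault(host, set()).update(indicators(kind, fields))
    return per_host

def flag_hosts(log_text, threshold=2):
    """Hosts that show at least `threshold` distinct indicators."""
    return sorted(h for h, hits in score_hosts(log_text).items() if len(hits) >= threshold)

if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_LOG).items():
        print(host, sorted(hits))
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

Requiring two or more indicators per host keeps a lone build.bat launch or a single stray connection from paging anyone.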

Through the QueueUserWorkItem function, the ransomware implements thread pooling for other payloads and encryption threads. “This function is used to execute a task when a thread pool becomes available,” Trend Micro said.

Before going forward with an encryption routine, HavanaCrypt gathers certain information, including the unique identifier, the token and the date, and sends it to its C&C server. During encryption, HavanaCrypt uses KeePass Password Safe modules. “In particular, it uses the CryptoRandom function to generate random keys needed for encryption,” the researchers wrote. “The similarity between the function used by HavanaCrypt and the KeePass Password Safe module from GitHub is evident.”

Noting that HavanaCrypt disguises itself as a Google Software Update application to “trick potential victims into executing the malicious binary,” Trend Micro researchers pointed out that it is rare for “ransomware to use a C&C server that is part of Microsoft web hosting services and is possibly used as a web hosting service to avoid detection.”

The researchers believe the ransomware author “is planning to communicate via the Tor browser, because Tor’s directory is among the directories that it avoids encrypting files in.” And since the ransomware encrypts the text file foo.txt and doesn’t drop a ransom note, that “might be an indication that HavanaCrypt is still in its development phase. Nevertheless, it is important to detect and block it before it evolves further and does even more damage,” Trend Micro said.

A senior member of the intelligence team at Intel 471 who asked to remain anonymous said posing as a Google update is “very easy to do; it’s quite common across all classes of malware (e.g. ransomware, stealers, trojans, etc.). A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled.”

“QueueUserWorkItem is a standard technique for creating thread pools. The use of thread pools will speed up encryption of the files on the victim machine. This is a standard technique that should be known to most programmers,” the Intel 471 researcher explained. “Regarding KeePass, the ransomware author has copied code from the open source KeePass password manager tool and used this code in their ransomware project. The copied code is used to generate pseudorandom encryption keys.”

The researcher noted that this matters for defenders because “if the encryption keys were generated in a predictable, repeatable way then it might be possible for malware researchers to develop decryption tools.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.