A new strain of ransomware has been claiming victims for the past two months, masquerading as a Google software update application and reusing an open-source password management library for encryption. Named HavanaCrypt by researchers from Cybereason, the new ransomware program features anti-analysis, data exfiltration and privilege escalation mechanisms, but does not appear to drop a conventional ransom note.
The researchers do not have much information about the initial access vector because the sample they analyzed was obtained from VirusTotal, a web-based file scanning service, where it was likely uploaded by a victim. What is clear is that the metadata of the malicious executable has been modified to list the publisher as Google and the application name as Google Software Update, and upon execution it creates a registry autorun entry called GoogleUpdate. Based on this information, one can assume that the lure used to distribute the ransomware, whether by email or on the web, is centered around a fake software update.
HavanaCrypt is written in the .NET programming language and uses an open-source binary code obfuscator called Obfuscar to hide function names and other information, making reverse engineering harder. In addition, the authors also used their own code routines to hide strings in the binary.
The malware also checks whether processes commonly associated with virtual machine applications are present on the system, and if any are found, it checks the MAC addresses of the network cards to see whether they match known virtual adapters. These checks are meant to hinder analysis, which typically involves executing suspicious binaries inside virtual machines (VMs). The program also includes a mechanism that attempts to evade analysis under debuggers.
It's clear that HavanaCrypt's developers put a lot of effort into making static and automated analysis harder. If any of these checks fail, the program halts its execution. If the checks pass, the ransomware downloads a .txt file from an IP address associated with Microsoft's web hosting services that is in fact a script to add specific directories to the scan exclusion list of Windows Defender.
It then attempts to kill a long list of processes that may be running on the system. These processes are associated with popular applications including Microsoft Word, email clients, database servers, VMs, and data synchronization agents. The goal is to release the filesystem locks held by these programs so that their files can be encrypted. The ransomware also deletes all restore points and Volume Shadow Copies to prevent easy recovery of files.
HavanaCrypt copies itself into the Startup and ProgramData folders using a randomly generated 10-character name. The file is then marked as "System file" and "Hidden" to avoid easy discovery, because by default Windows does not show such files in File Explorer.
HavanaCrypt encryption
The ransomware then collects information about the infected machine, which is sent to a command-and-control (C2) server that assigns a unique identification token to it and generates the unique keys used for encryption.
The encryption routine itself is implemented using a library associated with the open-source KeePass password manager. Using a well-tested library instead of implementing their own encryption routine allows HavanaCrypt's developers to avoid making major mistakes that could later lead to researchers building a free decryptor.
The malware iterates through all files, directories, drives and disks found on the system and appends the .Havana extension to all encrypted files. However, there is a folder and file extension exclusion list to keep the system functional.
Interestingly, even though the ransomware does not appear to drop a conventional ransom note, the Tor Browser folder is present in the encryption exclusion list, which suggests the attackers intend to use Tor for data exfiltration or C2 communications.
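As an added example (not from the article or from Cybereason's research), the following Python hunts for the host behaviors described above in constructed, Sysmon-like event records: the GoogleUpdate autorun entry, a Hidden+System 10-character copy in ProgramData or Startup, a Defender exclusion path being added, and a burst of .Havana renames. The event shape, the field names and the assumption that the random 10-character name is the executable's stem are mine, not details from the report.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs):
# one registry autorun named GoogleUpdate, a hidden+system 10-character copy in
# ProgramData and Startup, a Defender exclusion path, and a burst of .Havana renames.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "GoogleUpdate", "data": r"C:\ProgramData\aB3dE9xYz1.exe"},
    {"type": "file_create", "path": r"C:\ProgramData\aB3dE9xYz1.exe", "attrs": {"hidden", "system"}},
    {"type": "file_create", "attrs": {"hidden", "system"},
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aB3dE9xYz1.exe"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "name": r"C:\ProgramData", "data": "0"},
    {"type": "file_create", "path": r"C:\Windows\Temp\abc.tmp", "attrs": set()},  # benign noise
] + [
    {"type": "file_rename", "src": rf"C:\Users\u\Documents\report{i}.docx",
     "dst": rf"C:\Users\u\Documents\report{i}.docx.Havana"} for i in range(6)
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.I)
# Assumption: the 10 random characters form the file stem and the copy is an .exe.
DROP_COPY_RE = re.compile(r"\\(ProgramData|Startup)\\[A-Za-z0-9]{10}\.exe$", re.I)
DEFENDER_EXCL_RE = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)


def havanacrypt_indicators(events, rename_threshold=5):
    """Return the sorted list of HavanaCrypt-style indicators seen in `events`."""
    hits = set()
    havana_renames = 0
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            if RUN_KEY_RE.search(ev["key"]) and ev["name"].lower() == "googleupdate":
                hits.add("autorun_googleupdate")
            elif DEFENDER_EXCL_RE.search(ev["key"]):
                hits.add("defender_exclusion_added")
        elif kind == "file_create":
            # The dropped copy is both Hidden and System, so require both attributes.
            if DROP_COPY_RE.search(ev["path"]) and {"hidden", "system"} <= ev.get("attrs", set()):
                hits.add("hidden_dropper_copy")
        elif kind == "file_rename" and ev["dst"].lower().endswith(".havana"):
            havana_renames += 1
    # A single .Havana rename is weak on its own; a burst of them is the encryption phase.
    if havana_renames >= rename_threshold:
        hits.add("mass_havana_rename")
    return sorted(hits)


if __name__ == "__main__":
    print(havanacrypt_indicators(SAMPLE_EVENTS))
```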