New ransomware HavanaCrypt poses as Google software update

The HavanaCrypt ransomware has data exfiltration capabilities and goes to great lengths to avoid analysis.

A new strain of ransomware has been claiming victims for the past few months, masquerading as a Google software update application and reusing an open-source password management library for encryption.

Dubbed HavanaCrypt, the new ransomware program features anti-analysis, data exfiltration and privilege escalation mechanisms, but does not appear to drop a conventional ransom note.

HavanaCrypt deployment
The researchers don't have much information about the initial access vector because the sample they analyzed was obtained from VirusTotal, a web-based file scanning service, where it was likely uploaded by a victim. What is clear is that the metadata of the malicious executable has been modified to list the author as Google and the application name as Google Software Update, and upon execution it creates a registry autorun entry called GoogleUpdate. Based on this information, one can assume that the lure used to distribute the ransomware, whether via email or the web, is centered around a fake software update.

HavanaCrypt is written in the .NET programming language and uses an open-source binary code obfuscator called Obfuscar to hide function names and other details, making reverse engineering more difficult. In addition, the authors used their own code routines to hide strings within the binary.

The malware also checks whether processes commonly associated with virtual machine applications are present on the system and, if any are found, checks the MAC addresses of the network cards to see if they match known virtual adapters. These checks are meant to block analysis, which often involves executing suspicious binaries inside virtual machines (VMs). The program also includes a mechanism that tries to evade analysis under a debugger.

It's clear that HavanaCrypt's creators put a lot of effort into making static and automated analysis harder. If any of these checks fail, the program stops executing. If the checks pass, the ransomware downloads a .txt file from an IP address associated with Microsoft's web hosting services; the file is actually a script that adds certain directories to the Windows Defender scan exclusion list.

It then tries to kill a long list of processes that might be running on the system. These processes belong to popular applications such as Microsoft Word, email clients, database servers, VMs, and data synchronization agents. The goal is to release the filesystem locks held by these applications so that their files can be encrypted. The ransomware also deletes all restore points and volume shadow copies to prevent easy recovery of files.

HavanaCrypt copies itself into the StartUp and ProgramData folders using a randomly generated 10-character name. The file is then marked as "system file" and "hidden" to hinder discovery, because by default Windows does not show such files in File Explorer.
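The deployment behaviours described above (a GoogleUpdate autorun entry pointing at a hidden, system-flagged 10-character executable in StartUp or ProgramData, a Windows Defender exclusion being added, and shadow copy deletion) translate directly into a host-telemetry hunt. The following is an added example, not code from the article or from the researchers: the event format and all paths, names and command lines are constructed sample values, and the vssadmin command line is a common shadow-deletion technique assumed here, not a detail the article reports.

```python
"""Hunt constructed host telemetry for the HavanaCrypt deployment behaviours."""
import re
from typing import Iterable

# Randomly generated 10-character executable name (article: the ransomware
# copies itself to StartUp and ProgramData under such a name).
RANDOM_EXE = re.compile(r"(?:^|\\)[A-Za-z0-9]{10}\.exe$")
STAGING_DIRS = ("\\programdata\\", "\\start menu\\programs\\startup\\")


def suspicious_drop_path(path: str) -> bool:
    """True if path is a 10-character random .exe inside ProgramData or StartUp."""
    low = path.lower()
    return bool(RANDOM_EXE.search(path)) and any(d in low for d in STAGING_DIRS)


def detect(events: Iterable[dict]) -> set[str]:
    """Return the set of article-described behaviours present in the events.

    Events are simplified EDR/Sysmon-style dicts (see SAMPLE); this schema is
    an assumption of the example, not a real product's format.
    """
    hits = set()
    for ev in events:
        if ev["type"] == "registry":
            key = ev["key"].lower()
            # Autorun named like Google's updater but launching a random drop.
            if key.endswith("\\currentversion\\run\\googleupdate") \
                    and suspicious_drop_path(ev["value"]):
                hits.add("autorun_masquerade")
            if "\\windows defender\\exclusions\\paths" in key:
                hits.add("defender_exclusion_added")
        elif ev["type"] == "process":
            cmd = ev["cmdline"].lower()
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                hits.add("shadow_copy_deletion")
        elif ev["type"] == "file":
            attrs = {a.lower() for a in ev["attrs"]}
            if {"hidden", "system"} <= attrs and suspicious_drop_path(ev["path"]):
                hits.add("hidden_system_drop")
    return hits


SAMPLE = [  # constructed telemetry; none of these are real indicators
    {"type": "file", "path": r"C:\ProgramData\Xk3p9Qw2Lr.exe",
     "attrs": ["Hidden", "System", "Archive"]},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "value": r"C:\ProgramData\Xk3p9Qw2Lr.exe"},
    {"type": "registry", "value": "0",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file", "path": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
     "attrs": ["Archive"]},  # benign: legitimate-looking name, no drop pattern
]

if __name__ == "__main__":
    print(sorted(detect(SAMPLE)))
```

Any single hit is weak on its own (administrators add Defender exclusions too); the combination of the autorun masquerade with a hidden drop and exclusion change is what should page an analyst.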

HavanaCrypt encryption
The ransomware then collects information about the infected system and sends it to a command-and-control (C2) server, which assigns the victim a unique identification token and generates the unique keys used for encryption.

The encryption routine itself is carried out using a library associated with the open-source KeePass password manager. Using a well-tested library rather than implementing their own encryption routine lets HavanaCrypt's creators avoid the major mistakes that could later allow researchers to build a free decryptor.

The malware iterates through all files, directories, drives and disks found on the system and appends the .Havana extension to every encrypted file. However, there is a folder and file extension exclusion list to keep the system functional.

Interestingly, even though the ransomware does not appear to drop a conventional ransom note, the Tor browser folder is present in the encryption exclusion list, which suggests the attackers intend to use Tor for data exfiltration or C2 communications.
