A new form of ransomware has been taking victims over the past two months, disguised as a software update application from Google and reusing an open-source password manager library for encryption. The new ransomware program, dubbed HavanaCrypt by Cybereason researchers, has anti-analysis, data exfiltration, and privilege escalation mechanisms, but doesn’t seem to drop a traditional ransom note.
The researchers don’t have much information about the initial access vector, because the sample they analyzed came from VirusTotal, a web-based file scanning service, where it was likely uploaded by a victim. What is clear is that the metadata of the malicious executable has been changed to show the publisher as Google and the application name as Google Software Update, and that on execution an autorun registry entry named GoogleUpdate is created. Based on this, one might assume that the lure used to distribute the ransomware, whether via email or the web, is centered around a fake software update.
HavanaCrypt is a .NET program and uses an open-source binary obfuscator called Obfuscar to hide function names and other details, making reverse engineering more difficult. The authors also wrote their own routines to hide strings in the binary.
The malware also checks for processes typically associated with virtual machine applications on the system and, if found, checks the network card MAC addresses to see if they match any known virtual adapters. These checks are intended to defeat sandboxes that automatically run suspicious binaries in virtual machines (VMs). The program also includes a mechanism that attempts to evade analysis under a debugger.
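A sandbox operator reading the paragraph above will want to know whether their own analysis VM would trip such a check. The following is an added example, not code from the HavanaCrypt sample or from Cybereason: it re-implements the two checks described (guest-tools process names, then MAC OUI prefixes) so they can be run against a process list and MAC list taken from a sandbox image. The process names and OUI prefixes are commonly used hypervisor indicators and are assumptions on my part; the page does not publish the sample's own lists.

```python
"""Re-implementation of a typical VM check (process names, then MAC OUIs).
Added example for testing sandbox stealth; the indicator lists below are
common hypervisor artefacts (assumption), not the lists used by HavanaCrypt."""
import re

# Guest-tools / hypervisor helper processes (assumption: commonly checked names).
VM_PROCESSES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",   # VMware Tools
    "vboxservice.exe", "vboxtray.exe",                    # VirtualBox Guest Additions
    "vmsrvc.exe", "vmusrvc.exe",                          # Microsoft Virtual PC
    "prl_tools.exe", "prl_cc.exe",                        # Parallels Tools
    "xenservice.exe",                                     # Xen guest agent
}

# IEEE OUI prefixes (first three octets) registered to hypervisor vendors.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels",
    "00:16:3e": "Xen",
}


def normalize_mac(mac):
    """Return 'aa:bb:cc:dd:ee:ff' for the usual spellings (colons, dashes,
    bare hex, any case), or None if the string is not a 48-bit address."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        return None
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vm_process_hits(process_names):
    """Sorted list of running process names that match the VM indicator set."""
    return sorted({p.lower() for p in process_names if p.lower() in VM_PROCESSES})


def vm_mac_hits(mac_addresses):
    """Map each MAC whose OUI belongs to a hypervisor vendor to that vendor."""
    hits = {}
    for raw in mac_addresses:
        mac = normalize_mac(raw)
        if mac is None:
            continue                      # skip malformed entries instead of failing
        vendor = VM_OUIS.get(mac[:8])     # OUI is the first three octets
        if vendor:
            hits[mac] = vendor
    return hits


def looks_like_vm(process_names, mac_addresses):
    """True if either check fires. The page describes the sample running the
    process check first and the MAC check after it; for hardening a sandbox
    you want to know about either indicator, so both are always evaluated."""
    return bool(vm_process_hits(process_names)) or bool(vm_mac_hits(mac_addresses))


if __name__ == "__main__":
    # Constructed inputs: one clean host and one VirtualBox guest.
    print(looks_like_vm(["explorer.exe", "svchost.exe"], ["3c:22:fb:aa:bb:cc"]))
    print(vm_mac_hits(["08-00-27-12-34-56"]), vm_process_hits(["VBoxService.exe"]))
```

On a Windows sandbox the two inputs can be fed from `tasklist` output and from `getmac` (or `Get-NetAdapter`), which is how an operator would verify that a re-spun image no longer exposes these artefacts.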
It is clear that the creators of HavanaCrypt have gone to great lengths to make static and automated analysis more difficult. If any of these checks indicates an analysis environment, the program stops executing. If the checks pass, the ransomware downloads a .txt file from an IP address associated with Microsoft’s web hosting services; the file is really a script that adds certain folders to Windows Defender’s scan exclusion list.
It then tries to kill a long list of processes that may be running on the system, associated with popular applications including Microsoft Word, email clients, database servers, VMs, and data synchronization agents. The purpose is to release the file locks those programs hold so that their files can be encrypted. The ransomware also deletes all restore points and Volume Shadow Copies to prevent easy file recovery.
HavanaCrypt copies itself to the StartUp and ProgramData folders under a randomly generated 10-character name. The copy is given the System and Hidden file attributes to avoid easy discovery, because File Explorer does not show such files by default.
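The behaviours in the last few paragraphs (Defender exclusions being added, shadow copies being deleted, an autorun entry named GoogleUpdate, and a randomly named dropper in StartUp or ProgramData) are all visible in ordinary endpoint telemetry, which makes them the natural hunting hooks. Below is an added example, not Cybereason's detection content and not derived from the sample: a small set of rules run over constructed Sysmon-style events (IDs 1, 11 and 13, as a SIEM would hand them over after parsing). The command-line and registry-path indicators are my assumptions about how these actions commonly show up; the page says only that a script adds Defender exclusions and that shadow copies and restore points are removed, not which commands are used.

```python
"""Hunting rules for the post-check behaviour described above, run over
constructed Sysmon-style events. Added example; indicator strings are
assumptions drawn from common tooling, not from the HavanaCrypt sample."""
import re
from pathlib import PureWindowsPath

# Sysmon 13 TargetObject under a Run key; captures the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Defender exclusions written directly to the registry (assumption).
DEFENDER_EXCL_KEY_RE = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)
# Common ways to delete shadow copies from a command line (assumption).
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"Win32_ShadowCopy.*Delete)", re.IGNORECASE)
# Exclusions added through PowerShell's Defender module (assumption).
DEFENDER_EXCL_CMD_RE = re.compile(
    r"Add-MpPreference\s+.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)
# Drop locations named on the page, and the 10-character random name.
DROP_DIRS = ("\\programdata\\", "\\start menu\\programs\\startup\\")
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{10}\.exe$", re.IGNORECASE)


def _in_drop_dir(path):
    lowered = path.lower()
    return any(d in lowered for d in DROP_DIRS)


def check_event(ev):
    """Return the rule names a single event trips (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:                                    # process creation
        cmd = ev.get("CommandLine", "")
        if SHADOW_DELETE_RE.search(cmd):
            hits.append("shadow_copy_deletion")
        if DEFENDER_EXCL_CMD_RE.search(cmd):
            hits.append("defender_exclusion_added")
    elif eid == 13:                                 # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        m = RUN_KEY_RE.search(target)
        # Flag the GoogleUpdate value name the page reports, and any Run
        # entry whose command points into the drop folders.
        if m and (m.group(1).lower() == "googleupdate" or _in_drop_dir(details)):
            hits.append("suspicious_run_key")
        if DEFENDER_EXCL_KEY_RE.search(target):
            hits.append("defender_exclusion_added")
    elif eid == 11:                                 # file created
        fname = ev.get("TargetFilename", "")
        if _in_drop_dir(fname) and RANDOM_NAME_RE.match(PureWindowsPath(fname).name):
            hits.append("random_named_drop")
    return hits


def hunt(events):
    """List of (event index, rule name) pairs across an event stream."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry: four malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "Details": r"C:\ProgramData\ab3kx9qz1m.exe"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q7w3e9r1t5.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The Sysmon 11 rule sees only the file creation, not the later System and Hidden attribute change; correlating it with the Run-key write from the same process is what turns a weak filename heuristic into a confident alert. A legitimate Google updater writes its Run value from under Program Files, which is why the rule keys on the value name and the drop folder rather than on the word "Google" alone.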
The ransomware then collects information about the infected machine and sends it to a command-and-control (C2) server, which assigns the victim a unique identifier and generates the unique keys used for encryption.
The encryption routine itself uses a library associated with the open-source KeePass password manager. By using a well-tested library rather than implementing their own cryptography, the creators of HavanaCrypt avoid the kind of implementation mistakes that could later let researchers create a free decryptor.
The malware goes through all files, folders, drives and disks found on the system and appends the .Havana extension to every file it encrypts. A list of excluded folders and file extensions keeps the system functional.
Interestingly, although the ransomware does not appear to drop a traditional ransom note, the Tor Browser folder is present in the encryption exclusion list, suggesting that the attackers may want to use Tor for data exfiltration or C2 communication.
Copyright © 2022 IDG Communications, Inc.