HavanaCrypt ransomware disguises itself as a fake Google update

B2B Cyber Security ShortNews


HavanaCrypt is a new ransomware. It is difficult to detect, disguises itself as a fake Google update and uses Microsoft functions in its attacks. The operators apparently intend to use Tor for communication, since the Tor directory is explicitly excluded from encryption.

Attackers often abuse the trust of users in their attacks in order to bypass the protective measures of companies. So, using trusted address spaces and hosts that most companies consider legitimate, safe, and whitelisted is not new. For example, cybercriminals use AWS hosting or hijack other “clean” hosts or address spaces. However, it is not only trusted addresses that are misused for ransomware attacks, but also generally trusted tools and applications that are used in many companies.

HavanaCrypt just a test run?

“Accordingly, traditional detection and defense measures, which rely on static indicators and signatures or trust certain address spaces, applications, users or processes, failed a long time ago. Instead, enterprise cyber defenses should be based on behavioral pattern detection based on the attackers' actual TTPs (Tactics, Techniques, Procedures). One should not rely on a single security tool or on an approach that automatically categorizes certain system elements as trusted or untrusted. Threat mitigation needs to be fine-tuned to what attackers are actually doing. This requires continuous research and development, as these change almost daily given the multitude of possible attacks. All of this needs to be considered in safety measures,” explains Daniel Thanos, VP, Arctic Wolf Labs.

No ransom demand after the attack

"It is very likely that the author of the HavanaCrypt ransomware is planning to communicate through the Tor browser, since Tor is one of the directories where it prevents files from being encrypted. Currently, HavanaCrypt does not leave a ransom note, which may indicate that it is still in development. If it is indeed still in beta, companies should seize the opportunity to prepare for it. If Tor is used, the browser should be blocked - most companies don't use Tor anyway," says Daniel Thanos.

Learn more about HavanaCrypt

  • Disguises itself as a Google software update application
  • Uses Microsoft web hosting as a command and control server to bypass detection
  • Uses the QueueUserWorkItem function from the .NET System.Threading namespace to queue its work on the thread pool
  • Is a .NET-compiled application protected by Obfuscar, an open-source .NET obfuscator that obscures the code in a .NET assembly
  • Has several anti-virtualization techniques to avoid dynamic analysis when running in a virtual machine
  • After making sure that the victim's computer is not running in a virtual machine, downloads a file named "2.txt" from 20[.]227[.]128[.]33, an IP address belonging to a Microsoft web hosting service, and saves it as a batch (.bat) file with a filename of 20 to 25 random characters
  • Uses modules from KeePass Password Safe, an open-source password manager, during its encryption routine; in particular, it uses the CryptoRandom function to generate the random keys needed for encryption
  • Encrypts files and appends “.Havana” as the filename extension
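The behaviours listed above translate into a handful of host-level indicators a defender can hunt for in endpoint telemetry: a connection to the listed Microsoft-hosted IP, a dropped .bat file with a 20-25 character random name, and a burst of files being renamed with the ".Havana" extension. The following Python script is an added example (not Arctic Wolf's code or tooling) that runs those three rules over a small set of constructed log lines. The log format (`<timestamp> <event> key=value ...`), the sample events and the assumption that the random batch-file name is alphanumeric are all mine; the IP, the "2.txt" name and the extension come from the article.

```python
"""Triage endpoint events for the HavanaCrypt indicators named in the article.

Added example. The log format and SAMPLE_LOG are constructed for illustration;
only the IP, the "2.txt" download and the ".Havana" extension are from the text.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators from the article (the IP is the defanged 20[.]227[.]128[.]33).
C2_IP = "20.227.128.33"
ENCRYPTED_EXT = ".Havana"
# Assumption: the 20-25 "random characters" of the dropped batch file are
# alphanumeric; the article does not state the character set.
RANDOM_BAT = re.compile(r"^[A-Za-z0-9]{20,25}\.bat$", re.IGNORECASE)

# key=value pairs; a value runs until the next " key=" or end of line, so
# paths containing spaces (e.g. "Program Files") survive parsing.
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed sample telemetry: one infected process (pid 4120) and one benign one.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z net_connect pid=4120 image=C:\\Users\\alice\\AppData\\Local\\Temp\\GoogleUpdate.exe dst=20.227.128.33:80 uri=/2.txt
2024-05-01T10:00:02Z file_create pid=4120 path=C:\\Users\\alice\\AppData\\Local\\Temp\\aB3kD9fG2hJ5lM8nP1qR4sT7.bat
2024-05-01T10:00:05Z file_rename pid=4120 path=C:\\Users\\alice\\Documents\\report.docx new_path=C:\\Users\\alice\\Documents\\report.docx.Havana
2024-05-01T10:00:06Z file_rename pid=4120 path=C:\\Users\\alice\\Documents\\budget.xlsx new_path=C:\\Users\\alice\\Documents\\budget.xlsx.Havana
2024-05-01T10:01:00Z file_create pid=5500 path=C:\\Users\\bob\\Desktop\\notes.txt
2024-05-01T10:02:00Z net_connect pid=5500 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=93.184.216.34:443 uri=/
"""


@dataclass(frozen=True)
class Finding:
    pid: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse '<ts> <event> k=v k=v ...' into a dict with ts and event keys."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    fields["event"] = event
    return fields


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze(log_text: str, rename_threshold: int = 2) -> list:
    """Apply the three HavanaCrypt rules and return one Finding per hit.

    The .Havana rule fires once per process, when it reaches rename_threshold
    renamed files, so a single stray rename does not raise an alert.
    """
    findings = []
    havana_count = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pid = ev.get("pid", "?")

        # Rule 1: any connection to the article's C2 / download host.
        if ev["event"] == "net_connect" and ev.get("dst", "").split(":")[0] == C2_IP:
            findings.append(Finding(pid, "c2_download",
                                    f"{ev.get('image')} contacted {C2_IP}{ev.get('uri', '')}"))

        # Rule 2: a freshly created .bat whose name is 20-25 random characters.
        if ev["event"] == "file_create" and RANDOM_BAT.match(basename(ev.get("path", ""))):
            findings.append(Finding(pid, "random_bat", ev["path"]))

        # Rule 3: files gaining the .Havana extension, counted per process.
        target = ev.get("new_path") or ev.get("path", "")
        if ev["event"] in ("file_rename", "file_create") and target.endswith(ENCRYPTED_EXT):
            havana_count[pid] += 1
            if havana_count[pid] == rename_threshold:
                findings.append(Finding(pid, "havana_extension",
                                        f"{rename_threshold} files renamed to *{ENCRYPTED_EXT}"))
    return findings


def suspicious_pids(findings: list) -> list:
    """Distinct process ids that triggered at least one rule."""
    return sorted({f.pid for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Run on the sample, only pid 4120 is flagged, by all three rules. The random-name rule is the weakest of the three on its own (legitimate installers also drop oddly named batch files), so in practice it is worth alerting on it only when the same process also matches the C2 or rename rule; the rename-count threshold is the knob that trades early warning against noise from a user who legitimately renames a file.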
More at ArcticWolf.com

About Arctic Wolf

Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.
