HavanaCrypt Ransomware Masquerades as a Fake Google Update
The HavanaCrypt ransomware, a newly identified strain, reportedly disguises itself as a Google software update application. Security researchers determined that it uses an IP address belonging to a Microsoft web hosting service as its command-and-control server, which helps the ransomware evade detection. Trend Micro recently published a report on the ransomware describing how it poses as a legitimate application; this year, Trend Micro has observed it disguising itself as updates for Google Chrome, Microsoft Exchange, and Windows 10.
HavanaCrypt also checks whether it is running in a virtualized environment and, if it is, terminates itself. Trend Micro had to use additional tools to analyze the sample and determine its nature. The malware uses an arsenal of tools to speed up encryption, including the open-source password manager KeePass Password Safe. HavanaCrypt does not encrypt files in several directories, such as those belonging to Tor. Researchers also noted that this strain does not drop a ransom note, suggesting that it may still be in development.
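A masquerading updater is one of the easier parts of this report to hunt for: a binary that calls itself a Google updater but sits outside the locations a genuine installer uses, or is unsigned or signed by someone other than Google, deserves a second look. The script below is an added example written for this article, not code from Trend Micro's report or from the HavanaCrypt sample; the updater file names, the expected install prefixes and the signer check are assumptions, and the inventory records it runs over are constructed rather than real telemetry.

```python
"""Flag executables that present themselves as a Google updater but do not
come from where a genuine one would.  Added example for illustration; the
names, install prefixes and signer rule below are assumptions, and the
inventory records are constructed, not real telemetry."""
from dataclasses import dataclass
from typing import Dict, List

# File names a legitimate Google updater binary uses (assumption: commonly
# seen names, not a complete list).
GOOGLE_UPDATER_NAMES = {"googleupdate.exe", "googleupdatesetup.exe"}

# Per-machine install prefixes (assumption: typical locations), compared
# from the start of the path.
MACHINE_PREFIXES = (
    "c:\\program files (x86)\\google\\update\\",
    "c:\\program files\\google\\update\\",
)
# Per-user install fragment (assumption); matched as a substring because the
# user name portion of the path varies.
USER_FRAGMENT = "\\appdata\\local\\google\\update\\"


@dataclass
class FileRecord:
    path: str         # full path of the executable on disk
    signer: str       # subject of the Authenticode signer, "" if unsigned
    sig_valid: bool   # whether the signature chain verified


def masquerade_findings(rec: FileRecord) -> List[str]:
    """Return reasons this file looks like a fake Google updater.

    An empty list means either the file does not claim to be a Google
    updater at all, or it passed every check here.
    """
    path = rec.path.lower()
    name = path.rsplit("\\", 1)[-1]
    if name not in GOOGLE_UPDATER_NAMES:
        return []  # not claiming to be a Google updater; out of scope
    findings: List[str] = []
    if not (path.startswith(MACHINE_PREFIXES) or USER_FRAGMENT in path):
        findings.append(f"runs from unexpected location: {rec.path}")
    if not rec.sig_valid:
        findings.append("signature missing or invalid")
    elif "google" not in rec.signer.lower():
        findings.append(f"signed by unexpected publisher: {rec.signer}")
    return findings


def triage(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Map each suspicious path to its findings; clean files are omitted."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        reasons = masquerade_findings(rec)
        if reasons:
            result[rec.path] = reasons
    return result


# Constructed sample inventory (not real data): one genuine updater, one
# unsigned copy dropped into a roaming profile, one correctly placed but
# wrongly signed copy, and an unrelated system binary.
SAMPLE = [
    FileRecord(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
               "Google LLC", True),
    FileRecord(r"C:\Users\alice\AppData\Roaming\GoogleUpdate.exe", "", False),
    FileRecord(r"C:\Users\bob\AppData\Local\Google\Update\GoogleUpdate.exe",
               "Contoso Ltd", True),
    FileRecord(r"C:\Windows\System32\svchost.exe", "Microsoft Windows", True),
]

if __name__ == "__main__":
    for suspicious_path, reasons in triage(SAMPLE).items():
        print(suspicious_path)
        for reason in reasons:
            print("  -", reason)
```

In practice the `FileRecord` fields would be filled from an EDR or software-inventory export that already carries the signer subject and signature verdict; the point of the check is that location and signer must both agree with the name the file presents, since either one alone is easy for a dropper to satisfy.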