Don’t click on that! Ransomware hidden in fake Google software update

New ransomware’s file name is Google Software Update.exe.

Ben Wodecki

July 15, 2022


A new ransomware disguised as a Google software update is attacking computers, according to cybersecurity software firm Trend Micro.

Dubbed HavanaCrypt, the virus uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to circumvent detection.

Using a QueueUserWorkItem function, it tricks unsuspecting users into thinking it’s an update, before unleashing a malicious binary onto their systems.

The malware, titled Google Software Update.exe, executes several anti-virtualization techniques to circumvent virtual machine applications.

HavanaCrypt would not be the first ransomware masquerading as a legitimate program – with users getting their devices infected by unwittingly downloading illicit Windows 10 and Google Chrome installers.

But this virus differs in that it uses a C&C server that is part of Microsoft web hosting to avoid detection, according to Trend Micro threat analysts.

This virus is different

In a post, the analysts opine that the virus’s author may be trying to communicate via Tor, the open source anonymity software, as Tor was found among the directories in which the virus avoids encrypting files.

The virus does not leave behind a ransom message, which could mean HavanaCrypt may be in the development phase, the analysts said.

Instead, it deploys executable copies as hidden system files in folders before generating a unique identifier based on compromised devices' system information. It then generates an encryption key through KeePass Password Safe's CryptoRandom function.
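The two file-level traits reported above (the lure file name and executable copies marked as hidden system files) can be turned into a simple triage pass. The following is an added example, not code from Trend Micro or from the article; the sample inventory and every path in it are constructed, and a hit is a lead for investigation, not a verdict.

```python
import ntpath
import os

LURE_NAME = "google software update.exe"  # file name reported in the article
FILE_ATTRIBUTE_HIDDEN = 0x2               # Windows attribute bits (winnt.h)
FILE_ATTRIBUTE_SYSTEM = 0x4
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def triage(path, attrs):
    """Return the reasons a file deserves a closer look (empty list = none)."""
    reasons = []
    name = ntpath.basename(path).lower()  # parses Windows paths on any OS
    if name == LURE_NAME:
        reasons.append("lure-name")
    # Executables carrying BOTH hidden and system bits are unusual.
    if name.endswith(".exe") and (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM:
        reasons.append("hidden-system-exe")
    return reasons


def triage_inventory(records):
    """Map path -> reasons for every (path, attribute_bits) record that hits."""
    return {p: r for p, a in records if (r := triage(p, a))}


def scan_tree(root):
    """Live variant: yield (path, attribute_bits) for files under root.
    st_file_attributes exists only on Windows; elsewhere bits read as 0."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                yield full, getattr(os.stat(full), "st_file_attributes", 0)
            except OSError:
                continue  # unreadable or vanished file: skip it


# Constructed sample inventory (0x20 = ARCHIVE); not taken from a real host.
SAMPLE = [
    (r"C:\Users\alice\Downloads\Google Software Update.exe", 0x20),
    (r"C:\Users\alice\Documents\report.exe", 0x20 | HIDDEN_SYSTEM),
    (r"C:\Users\alice\Documents\desktop.ini", 0x20 | HIDDEN_SYSTEM),
    (r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", 0x20),
    (r"C:\Users\alice\AppData\Local\tool.exe", 0x20 | FILE_ATTRIBUTE_HIDDEN),
]

if __name__ == "__main__":
    for path, reasons in triage_inventory(SAMPLE).items():
        print(f"{', '.join(reasons):<32} {path}")
```

On a Windows host, `triage_inventory(scan_tree(r"C:\Users"))` runs the same checks against real file attributes.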

“Despite potentially being early in its virus life, it is important to detect and block HavanaCrypt before it evolves further and does even more damage,” the analysts added.

According to Trend Micro, ransomware is one of the top cyberthreats today. In the first quarter, the firm said it detected and blocked more than 4.4 million ransomware threats, up 37% from the previous quarter.

The malware endures because it “employs ever-changing tactics and schemes,” the analysts wrote. This year, ransomware has been distributed as fake Windows 10, Google Chrome and Microsoft Exchange updates.

Ransomware also is particularly lucrative, with corporate victims typically paying the ransom to unlock data and systems. They pay because the amount usually is considered a pittance compared to damage from the business disruption the malware causes.

About the Authors

Ben Wodecki

Assistant Editor
