AI Business is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 3099067.

Don’t click on that! Ransomware hidden in fake Google software update

Article ImageNew ransomware’s file name is Google Software Update.exe.

A new ransomware is attacking computers disguised as a Google Software Update, according to cybersecurity software firm Trend Micro.

Dubbed HavanaCrypt, the virus uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to circumvent detection.

Using a QueueUserWorkItem function, it tricks unsuspecting users into thinking it’s an update, before unleashing malicious binary onto their systems.

The malware – titled Google Software Update.exe − executes several anti-virtualization techniques to circumvent virtual machine applications.

HavanaCrypt would not be the first ransomware masquerading as a legitimate program – with users getting their devices infected by unwittingly downloading illicit Windows 10 and Google Chrome installers.

But this virus differs in that it uses a C&C server that is part of Microsoft web hosting to avoid detection, according to TrendMicro threat analysts.

This virus is different

In a post, the analysts opine that the virus’s author may be trying to communicate via Tor, the open source anonymity software, as it was found among the directories that the virus avoids encrypting files in.

The virus does not leave behind a ransom message, which could mean HavanaCrypt may be in the development phase, the analysts said.

Instead, it deploys executable copies as hidden system files in folders before generating a unique identifier based on compromised devices' system information. It then generates an encryption key through KeePass Password Safe's CryptoRandom function.

Related stories:

Ransomware: The world's no. 1 cybersecurity threat

Cybersecurity survey: 80% of companies globally hit by ransomware attack

Cardiologist moonlights as ransomware mastermind

Ransomware deals death blow to historic US college

'Robin Hood' ransomware forces victims to do good

Despite potentially being early in its virus life, it is important to detect and block HavanaCrypt before it evolves further and does even more damage," the analysts added.

According to Trend Micro, ransomware is one of the top cyberthreats today. In the first quarter, the firm said it detected and blocked more than 4.4 million ransomware threats, up 37% from the previous quarter.

The malware endures because it “employs ever-changing tactics and schemes,” the analysts wrote. This year, ransomware has been distributed as fake Windows 10, Google Chrome and Microsoft Exchange updates.

Ransomware also is particularly lucrative, with corporate victims typically paying the ransom to unlock data and systems. They pay because the amount usually is considered a pittance compared to damage from the business disruption the malware causes.

Trending Stories
All Upcoming Events

Upcoming Webinars

More Webinars

Latest Videos

More videos


More EBooks

Research Reports

More Research Reports
AI Knowledge Hub

Newsletter Sign Up

Sign Up