New ransomware’s file name is Google Software Update.exe.
A new ransomware is attacking computers disguised as a Google Software Update, according to cybersecurity software firm Trend Micro.
Dubbed HavanaCrypt, the virus uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to circumvent detection.
Using a QueueUserWorkItem function, it tricks unsuspecting users into thinking it’s an update, before unleashing malicious binary onto their systems.
The malware – titled Google Software Update.exe − executes several anti-virtualization techniques to circumvent virtual machine applications.
HavanaCrypt would not be the first ransomware masquerading as a legitimate program – with users getting their devices infected by unwittingly downloading illicit Windows 10 and Google Chrome installers.
But this virus differs in that it uses a C&C server that is part of Microsoft web hosting to avoid detection, according to TrendMicro threat analysts.
This virus is different
In a post, the analysts opine that the virus’s author may be trying to communicate via Tor, the open source anonymity software, as it was found among the directories that the virus avoids encrypting files in.
The virus does not leave behind a ransom message, which could mean HavanaCrypt may be in the development phase, the analysts said.
Instead, it deploys executable copies as hidden system files in folders before generating a unique identifier based on compromised devices' system information. It then generates an encryption key through KeePass Password Safe's CryptoRandom function.
Ransomware: The world's no. 1 cybersecurity threat
Cybersecurity survey: 80% of companies globally hit by ransomware attack
Cardiologist moonlights as ransomware mastermind
Ransomware deals death blow to historic US college
'Robin Hood' ransomware forces victims to do good
Despite potentially being early in its virus life, it is important to detect and block HavanaCrypt before it evolves further and does even more damage," the analysts added.
According to Trend Micro, ransomware is one of the top cyberthreats today. In the first quarter, the firm said it detected and blocked more than 4.4 million ransomware threats, up 37% from the previous quarter.
The malware endures because it “employs ever-changing tactics and schemes,” the analysts wrote. This year, ransomware has been distributed as fake Windows 10, Google Chrome and Microsoft Exchange updates.
Ransomware also is particularly lucrative, with corporate victims typically paying the ransom to unlock data and systems. They pay because the amount usually is considered a pittance compared to damage from the business disruption the malware causes.