A new strain of ransomware has been making victims for the past two months, masquerading as a Google software update application and reusing an open-source password management library for encryption. Dubbed HavanaCrypt by researchers from Cybereason, the new ransomware program features anti-analysis, data exfiltration and privilege escalation mechanisms, but doesn’t seem to be dropping a traditional ransom note.
HavanaCrypt deployment
The researchers don’t have a lot of information about the initial access vector because the sample they analyzed was obtained from VirusTotal, a web-based file scanning service, where it was likely uploaded by a victim.