Threat actors have been distributing the new HavanaCrypt ransomware family as a fraudulent Google Software Update application, reports SecurityWeek.
Aside from running multiple anti-virtualization checks and contacting a command-and-control server hosted on a Microsoft web hosting service IP address, HavanaCrypt also invokes a .NET namespace method as part of its execution routine, a report from Trend Micro showed.
Researchers also found that HavanaCrypt drops copies of its executable as hidden system files in two folders before generating a unique identifier from the compromised device's system information. Moreover, HavanaCrypt generates its encryption keys with the CryptoRandom function from KeePass Password Safe, and encrypted files are given the ".Havana" extension.
The report also revealed that HavanaCrypt writes a text file listing the encrypted files and then encrypts that file as well, but does not drop a ransom note.
"This might be an indication that HavanaCrypt is still in its development phase. Nevertheless, it is important to detect and block it before it evolves further and does even more damage," said Trend Micro.
More threat actors have used disk-wiping malware in cyberattacks since the beginning of the ongoing war between Russia and Ukraine, with Ukrainian government, military, and private entities having been targeted with at least seven new major wiper variants, according to VentureBeat.