Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server


Trend Micro researchers recently found a brand-new ransomware family that employs a scheme familiar from earlier malware campaigns: it disguises itself as a legitimate Google Software Update application and uses an IP address belonging to a Microsoft web hosting service as its command-and-control (C&C) server, so that its C&C traffic blends in with legitimate traffic to that provider and is harder to detect. Their investigation also shows that the ransomware's file encryption routine calls the .NET ThreadPool.QueueUserWorkItem method (System.Threading namespace), which queues a method for execution on a thread-pool thread, and reuses modules of KeePass Password Safe, an open-source password manager.
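The summary above gives two code-level tells for this family: a file encryption routine that fans work out through ThreadPool.QueueUserWorkItem, and KeePass code embedded in the binary. As an added, constructed example (not Trend Micro's code and not an artefact of HavanaCrypt), the script below performs the first-pass static triage a responder would do on a suspected .NET sample: a strings pass over the binary (ASCII for the metadata #Strings heap, where referenced type and member names live; UTF-16LE for the #US heap, where string literals live) followed by a match against those indicators. The byte blobs are constructed stand-ins for an assembly's metadata heaps, and the KeePass identifiers `KeePassLib` and `CryptoRandom` are an assumption taken from the KeePass 2.x source, not names stated on this page.

```python
import re
from typing import Dict, List

# Indicator groups drawn from the analysis summary. "KeePassLib" and
# "CryptoRandom" are real KeePass 2.x identifiers but are an assumption here:
# the page only says "modules of KeePass Password Safe".
INDICATORS: Dict[str, List[str]] = {
    "dotnet_threadpool_queue": ["System.Threading", "QueueUserWorkItem"],
    "keepass_modules": ["KeePassLib", "CryptoRandom"],
    "fake_google_update_lure": ["GoogleUpdate", "Google Software Update"],
}


def ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs; covers the #Strings heap (UTF-8 metadata names,
    including MemberRefs such as QueueUserWorkItem that cannot be obfuscated
    away without resorting to reflection)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def utf16le_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable UTF-16LE runs; covers the #US heap (user string literals,
    which string-encrypting obfuscators may hide)."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator group to the extracted strings that matched it.
    Groups with no match are omitted, so an empty dict means 'nothing seen'."""
    found = ascii_strings(data) + utf16le_strings(data)
    hits: Dict[str, List[str]] = {}
    for group, needles in INDICATORS.items():
        matched = sorted({s for s in found for n in needles if n in s})
        if matched:
            hits[group] = matched
    return hits


# Constructed stand-in for a suspicious assembly's metadata region (not a real
# sample): null-terminated UTF-8 names as in #Strings, then a UTF-16LE literal
# as in #US. The null padding mirrors the length prefix that separates heap
# entries in a real file.
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"System.Threading\x00ThreadPool\x00QueueUserWorkItem\x00"
    + b"KeePassLib.Cryptography\x00CryptoRandom\x00"
    + b"\x00" * 4 + "GoogleUpdate.exe".encode("utf-16-le") + b"\x00\x00"
)

# Constructed benign stand-in: ordinary file I/O references, no indicators.
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"System.IO\x00File\x00ReadAllBytes\x00"
    + b"\x00" * 4 + "notepad.exe".encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(blob))
```

Treat the output as a prompt for closer inspection, not a verdict: any managed binary may legitimately reference ThreadPool.QueueUserWorkItem, so the thread-pool indicator on its own means nothing. What merits opening the sample in a decompiler is the combination: thread-pool fan-out inside a routine that touches many files, embedded KeePass cryptography classes in a program that is not a password manager, and a lure name tied to Google software updates. Note also that the MemberRef names in #Strings survive most obfuscators, whereas the #US literals (the lure name here) are often encrypted, so absence of a UTF-16 hit is weaker evidence than absence of an ASCII one.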

In the blog entry, Trend Micro provides an in-depth technical analysis of the infection techniques of this new ransomware family, which it has dubbed HavanaCrypt.

Source: Trend Micro