On the 6th of July, a group of threat analysts released a report examining a HavanaCrypt ransomware posed as a google software update.

The Havana crypt pushes fake google software update application, once it arrives, the code of the ransomware is obfuscated by an obfuscator(an open-source obfuscation tool) and it was designed to hide from dynamic analysis in a virtual machine, upon execution it hides its window by a show window function, then it checks the registry to see if any google update registry is available.

Then it follows the procedure to check whether it is running in the virtual environment, by looking for services used by virtual machines such as VMWare Tools, vmmouse, and files related to virtual machines. After that it downloads a malicious file from the Microsoft web hosting service IP address and saves it as a .bat file and then execute the batch file where it terminates certain processes such as agntsvc, axlbridge and ccevtmgr.

The Havanacrypt gathers system information and sends it to the command-and-control server before encryption, after encryption it appends the “.havana” as an extension for encrypted files, it saves the logs of encrypted files in the file “foo.txt”.



  • Create signature-based rules for the detection of ransomware and malware.
  • Take regular backups of servers, end devices, and other storage devices to reduce the impact of any kind of ransomware attacks.
  • Educate employees to download applications from a legitimate site and create awareness about phishing.


Indicators of Compromise (IOC)











Trend Micro



Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.