{
	"id": "5ad729f5-d252-4d60-b358-ebcf3f37f1e9",
	"created_at": "2026-04-06T00:06:57.413975Z",
	"updated_at": "2026-04-10T13:12:10.071917Z",
	"deleted_at": null,
	"sha1_hash": "6bef83a22e0f2723dcda990f67efac8adfdadbac",
	"title": "Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C\u0026C Server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6684888,
	"plain_text": "Brand-New HavanaCrypt Ransomware Poses as Google Software\r\nUpdate App, Uses Microsoft Hosting Service IP Address as C\u0026C Server\r\nBy Nathaniel Morales, Monte de Jesus, Ivan Nicole Chavez, Bren Matthew Ebriega, Joshua Paul Ignacio · Read time: 8 min (2086 words)\r\nPublished: 2022-07-06 · Archived: 2026-04-05 22:30:46 UTC\r\nWe recently found a new ransomware family, which we have dubbed HavanaCrypt, that disguises itself as a Google\r\nSoftware Update application and uses a Microsoft web hosting service IP address as its command-and-control server to\r\ncircumvent detection.\r\nRansomware is not at all novel, but it continues to be one of the top cyberthreats in the world today. In fact, according to\r\ndata from Trend Micro™ Smart Protection Network™, we detected and blocked more than 4.4 million ransomware\r\nthreats across email, URL, and file layers in the first quarter of 2022 — a 37% increase in overall ransomware\r\nthreats from the fourth quarter of 2021.\r\nRansomware’s pervasiveness is rooted in its being evolutionary: It employs ever-changing tactics and schemes to deceive\r\nunwitting victims and successfully infiltrate environments. For example, this year, there have been reports of ransomware\r\nbeing distributed as fake Windows 10, Google Chrome, and Microsoft Exchange updates to fool\r\npotential victims into downloading malicious files.\r\nRecently, we found a brand-new ransomware family that employs a similar scheme: It disguises itself as a Google Software\r\nUpdate application and uses a Microsoft web hosting service IP address as its command-and-control (C\u0026C) server to\r\ncircumvent detection. 
Our investigation also shows that this ransomware uses the QueueUserWorkItem function, a .NET\r\nSystem.Threading namespace method that queues a method for execution, and the modules of KeePass Password Safe, an\r\nopen-source password manager, during its file encryption routine.\r\nIn this blog entry, we provide an in-depth technical analysis of the infection techniques of this new ransomware family,\r\nwhich we have dubbed HavanaCrypt.\r\nArrival\r\nHavanaCrypt arrives as a fake Google Software Update application.\r\nFigure 1. The file description of the binary file of HavanaCrypt\r\nThis malware is a .NET-compiled application and is protected by Obfuscar, an open-source .NET obfuscator used to help\r\nsecure code in a .NET assembly.\r\nhttps://www.trendmicro.com/en_us/research/22/g/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html\r\nPage 1 of 21\n\nFigure 2. The properties of the binary file of HavanaCrypt as shown in the Detect It Easy tool, a program used\r\nto determine file types\r\nThe malware also has multiple anti-virtualization techniques that help it avoid dynamic analysis when executed in a virtual\r\nmachine. To analyze the sample and generate the deobfuscated code, we used tools such as de4dot and DeObfuscar.\r\nFigure 3. An obfuscated HavanaCrypt ransomware code sample\r\nFigure 4. A deobfuscated HavanaCrypt ransomware code sample\r\nUpon execution, HavanaCrypt hides its window by using the ShowWindow function with parameter 0 (SW_HIDE).\r\nFigure 5. The ShowWindow function as it is used by HavanaCrypt\r\nHavanaCrypt then checks the AutoRun registry key to see whether a “GoogleUpdate” entry is present. If the entry is not\r\npresent, the malware continues with its malicious routine.\r\nFigure 6. 
The function containing the parameters used by HavanaCrypt in checking the registry key\r\nIt then proceeds with its anti-virtualization routine, where it terminates itself if the system is found running in a virtual\r\nmachine environment.\r\nAntivirtualization\r\nHavanaCrypt has four stages of checking whether the infected machine is running in a virtualized environment.\r\nFigure 7. The function used by HavanaCrypt to implement its antivirtualization mechanism\r\nFigure 8. The entire antivirtualization routine of HavanaCrypt\r\nFirst, it checks for services used by virtual machines such as VMWare Tools and vmmouse.\r\nFigure 9. The services being checked by HavanaCrypt\r\nSecond, it checks for the usual files that are related to virtual machine applications.\r\nFigure 10. The virtual machine files being checked by HavanaCrypt\r\nThird, it checks for file names used by virtual machines for their executables.\r\nFigure 11. The virtual machine executables being checked by HavanaCrypt\r\nLast, it checks the machine’s MAC address and compares it to organizationally unique identifier (OUI) prefixes that are\r\ntypically used by virtual machines.\r\nFigure 12. 
The OUI prefixes being checked by HavanaCrypt\r\nRange or prefix | Product\r\n00:05:69 | VMware ESX and VMware GSX Server\r\n00:0C:29 | Standalone VMware vSphere, VMware Workstation, and VMware Horizon\r\n00:1C:14 | VMWare\r\n00:50:56 | VMware vSphere, VMware Workstation, and VMware ESX Server\r\n08:00:27 | Oracle VirtualBox 5.2\r\nTable 1. Virtual machines’ OUI ranges or prefixes\r\nAfter verifying that the victim machine is not running in a virtual machine, HavanaCrypt downloads a file named “2.txt”\r\nfrom 20[.]227[.]128[.]33, a Microsoft web hosting service IP address, and saves it as a batch (.bat) file with a file name\r\ncontaining between 20 and 25 random characters.\r\nFigure 13. The details of the Microsoft web hosting service IP address\r\n(Image source: AbuseIPDB)\r\nIt then proceeds to execute the batch file using cmd.exe with a “/c start” parameter. The batch file contains commands that\r\nare used to configure Windows Defender scan preferences to allow any detected threat in the “%Windows%” and\r\n“%User%” directories.\r\nFigure 14. The function that contains the downloading and execution of the batch file\r\nFigure 15. The Base64-encoded 2.txt file as seen on the Microsoft web hosting service IP address\r\nFigure 16. 
The decoded batch file downloaded from the Microsoft web hosting service IP address\r\nHavanaCrypt also terminates certain processes that are found running in the machine:\r\nagntsvc\r\naxlbridge\r\nccevtmgr\r\nccsetmgr\r\ncontoso1\r\nculserver\r\nculture\r\ndbeng50\r\ndbeng8\r\ndbsnmp\r\ndbsrv12\r\ndefwatch\r\nencsvc\r\nexcel\r\nfdlauncher\r\nfirefoxconfig\r\nhttpd\r\ninfopath\r\nisqlplussvc\r\nmsaccess\r\nmsdtc\r\nmsdtsrvr\r\nmsftesql\r\nmsmdsrv\r\nmspub\r\nmssql\r\nmssqlserver\r\nmydesktopqos\r\nmydesktopservice\r\nmysqld\r\nmysqld-nt\r\nmysqld-opt\r\nocautoupds\r\nocomm\r\nocssd\r\nonenote\r\noracle\r\noutlook\r\npowerpnt\r\nqbcfmonitorservice\r\nqbdbmgr\r\nqbidpservice\r\nqbupdate\r\nqbw32\r\nquickboooks.fcs\r\nragui\r\nrtvscan\r\nsavroam\r\nsqbcoreservice\r\nsqladhlp\r\nsqlagent\r\nsqlbrowser\r\nsqlserv\r\nsqlserveragent\r\nsqlservr\r\nsqlwriter\r\nsteam\r\nsupervise\r\nsynctime\r\ntbirdconfig\r\nthebat\r\nthebat64\r\nthunderbird\r\ntomcat6\r\nvds\r\nvisio\r\nvmware-converter\r\nvmware-usbarbitator64\r\nwinword\r\nword\r\nwordpad\r\nwrapper\r\nwxserver\r\nwxserverview\r\nxfssvccon\r\nzhudongfangyu\r\nzhundongfangyu\r\nFigure 17. The processes that HavanaCrypt terminates\r\nIt should be noted that this list includes processes that are part of database-related applications, such as Microsoft SQL\r\nServer and MySQL. Desktop apps such as Microsoft Office and Steam are also terminated.\r\nAfter it terminates all relevant processes, HavanaCrypt queries all available disk drives and proceeds to delete the shadow\r\ncopies and resize the maximum amount of storage space to 401 MB.\r\nFigure 18. 
HavanaCrypt deleting shadow copies and resizing the maximum storage space of available drives\r\nto 401 MB\r\nIt also checks for system restore instances via Windows Management Instrumentation (WMI) and proceeds to delete them\r\nby using the SRRemoveRestorePoint function.\r\nFigure 19. HavanaCrypt deleting system restore instances via WMI\r\nIt then drops copies of itself in the %ProgramData% and %StartUp% folders in the form of executable (.exe) files with\r\ndifferent file names containing between 10 and 15 random characters. Their attributes are then set to “Hidden” and “System\r\nFile.”\r\nFigure 20. HavanaCrypt dropping copies of itself in the %ProgramData% and %StartUp% folders\r\nFigure 21. HavanaCrypt setting the dropped files as “Hidden” and “System File”\r\nHavanaCrypt also drops a file named “vallo.bat” onto %User Startup%, which contains functions that can disable the Task\r\nManager.\r\nFigure 22. HavanaCrypt dropping vallo.bat onto %User Startup%\r\nFigure 23. The content of vallo.bat\r\nGathering of machine information\r\nHavanaCrypt uses the QueueUserWorkItem function to implement thread pooling for its other payloads and encryption\r\nthreads. This function queues a task for execution as soon as a thread pool thread becomes available.\r\nFigure 24. The QueueUserWorkItem function as it is used by HavanaCrypt\r\nIt also uses the DebuggerStepThrough attribute, which causes the debugger to step over the marked code instead of\r\nstepping into it. This attribute must be removed before one can analyze the function inside.\r\nFigure 25. 
The DebuggerStepThrough attribute as it is used by HavanaCrypt\r\nBefore it proceeds with its encryption routine, HavanaCrypt gathers certain pieces of information and sends them to its C\u0026C\r\nserver, 20[.]227[.]128[.]33/index.php. These are the unique identifier (UID), the token, and the date.\r\nUID\r\nThe UID contains the machine’s system fingerprint. HavanaCrypt gathers pieces of machine information and combines\r\nthem, by appending one to another, before converting the information into its SHA-256 hash in the format:\r\n[{Number of Cores}{ProcessorID}{Name}{SocketDesignation}] BIOS Information [{Manufacturer}{BIOS Name}\r\n{Version}] Baseboard Information [{Name}]\r\nFigure 26. The function used by HavanaCrypt to gather machine information\r\nFigure 27. HavanaCrypt converting its gathered machine information into a SHA-256 hash\r\nThe pieces of machine information that HavanaCrypt gathers include:\r\nThe number of processor cores\r\nThe processor ID\r\nThe processor name\r\nThe socket designation\r\nThe motherboard manufacturer\r\nThe motherboard name\r\nThe BIOS version\r\nThe product number\r\nToken and date\r\nHavanaCrypt replaces the string “index.php” with “ham.php” to send a GET request to its C\u0026C server\r\n(hxxp[:]//20[.]227[.]128[.]33/ham.php) using “Havana/1.0” as the user agent.\r\nFigure 28. The function used by HavanaCrypt to send a GET request to its C\u0026C server\r\nFigure 29. 
The response from 20[.]227[.]128[.]33/ham.php that we obtained via Fiddler, a web application\r\ndebugging tool\r\nHavanaCrypt Base64-decodes the response from ham.php and then decrypts it with AES using these\r\nparameters:\r\nAes.key: d8045c7174c2649e96e68a01a5d77f7dec4846ebebb7ed04fa8b1325c14d84b0 (SHA-256 of\r\n“HOLAKiiaa##~~@#!2100”)\r\nAes.IV: 16 zero (0x00) bytes\r\nHavanaCrypt then splits the output into two arrays using “–” as the delimiter. The first array is used as the token,\r\nwhile the second is used as the date.\r\nFigure 30. The initialization of parameters to be used by HavanaCrypt in AES decryption\r\nFigure 31. Decryption by HavanaCrypt via AES\r\nUsing CyberChef, a web app that provides operations such as encoding and encryption, we replicated HavanaCrypt’s\r\ndecryption routine using the response from 20[.]227[.]128[.]33/ham.php:\r\nOutput: d388ed2139d0703b7c2a810b09e513652eb9402c92304addd34679e21a826537-1655449622\r\nToken: d388ed2139d0703b7c2a810b09e513652eb9402c92304addd34679e21a826537\r\nDate: 1655449622\r\nFigure 32. Our replication of HavanaCrypt’s decryption routine using the CyberChef app\r\nAfter gathering all the necessary machine information, HavanaCrypt sends it via a POST request to\r\nhxxp://20[.]227[.]128[.]33/index.php using “Havana/1.0” as the user agent.\r\nFigure 33. HavanaCrypt’s POST request to hxxp[:]20[.]227[.]128[.]33/index[.]php that we obtained using\r\nFiddler\r\nIf the request is successful, HavanaCrypt receives a response that contains the encryption key, the secret key, and other\r\ndetails.\r\nFigure 34. 
The response from hxxp[:]20[.]227[.]128[.]33/index[.]php that we obtained using Fiddler\r\nHavanaCrypt checks whether hava.info is already present in “%AppDataLocal%/Google/Google Software Update/1.0.0.0”.\r\nIf it does not find the file, it drops the hava.info file, which contains the RSA key generated by HavanaCrypt using the\r\nRSACryptoServiceProvider function.\r\nFigure 35. The contents of hava.info that we obtained using HIEW, a console hex editor\r\nFigure 36. HavanaCrypt’s generation of an RSA key using the RSACryptoServiceProvider function\r\nEncryption routine\r\nWe have observed that HavanaCrypt uses KeePass Password Safe modules during its encryption routine. In particular, it\r\nuses the CryptoRandom function to generate random keys needed for encryption. The similarity between the function used\r\nby HavanaCrypt and the KeePass Password Safe module from GitHub is evident.\r\nFigure 37. The functions used by HavanaCrypt in generating random bytes\r\nFigure 38. A snippet of KeePass Password Safe’s code from GitHub\r\nHavanaCrypt encrypts files and appends “.Havana” as a file name extension.\r\nFigure 39. HavanaCrypt’s encryption routine\r\nIt avoids encrypting files with certain extensions, including files that already have the appended “.Havana” extension.\r\nFigure 40. The function used by HavanaCrypt to avoid certain file name extensions\r\nFigure 41. The file name extensions of files that HavanaCrypt avoids encrypting\r\nHavanaCrypt also avoids encrypting files found in certain directories.\r\nFigure 42. 
The directories in which HavanaCrypt avoids encrypting files\r\nFigure 43. The function used by HavanaCrypt to avoid certain directories\r\nFigure 44. Some files encrypted by HavanaCrypt\r\nDuring encryption, HavanaCrypt creates a text file called “foo.txt”, which logs all the directories containing the encrypted\r\nfiles.\r\nFigure 45. The foo.txt text file that contains logs of directories that contain encrypted files\r\nConclusion and Trend Micro solutions\r\nThe HavanaCrypt ransomware’s disguising itself as a Google Software Update application is meant to trick potential victims\r\ninto executing the malicious binary. The malware also implements many antivirtualization techniques by checking for\r\nprocesses, files, and services related to virtual machine applications.\r\nIt is uncommon for ransomware to use a C\u0026C server hosted on a Microsoft web hosting service; the choice of a legitimate\r\nhosting provider is possibly meant to avoid detection. Aside from its unusual C\u0026C server, HavanaCrypt also uses KeePass Password Safe’s\r\nlegitimate modules during its encryption phase.\r\nIt is highly possible that the ransomware’s author is planning to communicate via the Tor browser, because the Tor browser’s\r\ndirectory is among the directories in which it avoids encrypting files. It should be noted that HavanaCrypt also encrypts the text file foo.txt and\r\ndoes not drop a ransom note. This might be an indication that HavanaCrypt is still in its development phase. 
Nevertheless, it\r\nis important to detect and block it before it evolves further and does even more damage.\r\nOrganizations and users can benefit from having the following multilayered defense solutions that can detect ransomware\r\nthreats before operators can launch their attacks:\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable\r\nbehavior and tools early on, before the ransomware can do irreversible damage to the system.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such\r\nas fileless threats and ransomware, ensuring the protection of endpoints.\r\nAdditional insights by Nathaniel Gregory Ragasa\r\nIndicators of compromise\r\nFiles\r\nSHA-256 | Detection name | Description\r\nb37761715d5a2405a3fa75abccaf6bb15b7298673aaad91a158725be3c518a87 | Ransom.MSIL.HAVANACRYPT.THFACBB | Obfuscated HAVANACRYPT ransomware\r\nbf58fe4f2c96061b8b01e0f077e0e891871ff22cf2bc4972adfa51b098abb8e0 | Ransom.MSIL.HAVANACRYPT.THFACBB | Deobfuscated HAVANACRYPT ransomware\r\naa75211344aa7f86d7d0fad87868e36b33db1c46958b5aa8f26abefbad30ba17 | Ransom.MSIL.HAVANACRYPT.THFBABB | Deobfuscated HAVANACRYPT ransomware\r\nURLs\r\nhttp://20[.]227[.]128[.]33/2.txt\r\nhttp://20[.]227[.]128[.]33/index.php\r\nhttp://20[.]227[.]128[.]33/ham.php\r\nSource: https://www.trendmicro.com/en_us/research/22/g/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/g/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html"
	],
	"report_names": [
		"brand-new-havanacrypt-ransomware-poses-as-google-software-update.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434017,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bef83a22e0f2723dcda990f67efac8adfdadbac.pdf",
		"text": "https://archive.orkl.eu/6bef83a22e0f2723dcda990f67efac8adfdadbac.txt",
		"img": "https://archive.orkl.eu/6bef83a22e0f2723dcda990f67efac8adfdadbac.jpg"
	}
}