back to article HavanaCrypt ransomware sails in as a fake Google update

A new ransomware family is being delivered as a bogus Google Software Update, using Microsoft functionality as part of its attack. Researchers with Trend Micro say they uncovered the latest threat, dubbed "HavanaCrypt", a ransomware package that presents itself as a Google Software Update though it is a .NET-compiled …

  1. Claptrap314 Silver badge

    "Lastly, the malware looks at the system's MAC address and compares it to organizationally unique identifier (OUI) prefixes usually used by virtual machines."

    This is just nuts. There is NO reason for a VM to use predictable addresses like this, and this obvious route to identifying the presence of a VM should have been revealed by even a cursory security review. Certainly, the services are a "bigger" issue in this regard, but to not even bother with such a simple & obvious change...

    This is why we can't have nice things.

    1. doublelayer Silver badge

      There are lots of ways to identify a VM, and basically all of them can be turned off if desired. Most VM users don't really care that their VM use is identifiable. I'm guessing these ways to check, being relatively simple to check and to change, are well-known by researchers doing this analysis.

  2. Woodnag

    HavanaCrypt ransomware sails in...

    How exactly?

    1. doublelayer Silver badge

      Re: HavanaCrypt ransomware sails in...

      My guess: a user goes to a page which either has an ad or a redirect informing them that their browser is out of date and giving them a download link to a binary. Those users who have seen this before retreat immediately. Some users who don't understand that this is not how updates work but will follow instructions get infected. They may have other mechanisms; even more skilled users can be successfully diverted from the path they should take by a confusing injected ad. This is one of the reasons I have multiple layers of ad blocking.

  3. ThatOne Silver badge

    Lost battle

    > Applying software updates promptly is arguably the single most useful thing you can do to keep yourself secure

    I fail to see how that advice can prevent users from downloading and installing that oh-so-terribly important/urgent update/driver some terribly helpful 3rd party site/person identified as missing on their system. There is no patch for naivety, there is only long, tedious education.

    Note I do not advocate not patching your system, I just say this statement is totally and utterly gratuitous and pointless given the preferred vector of ransomware is phishing, not some l33t 0-day exploit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like