Ransomware HavanaCrypt

Around July of this year, the HavanaCrypt ransomware emerged in the cyber world. It has been carrying out attacks with an interesting twist. HavanaCrypt masquerades as a Google software update to encrypt virtual machines.

The ransomware is written in the .NET language and uses an OpenSource obfuscator called Obfuscate to hide feature names used in the ransomware.

The group behind the ransomware, has managed to implement anti-analysis mechanisms, and can make itself virtually invisible to the eyes of users and security programs.

The exact point of introduction to the victim’s system is not yet known. Researchers say there is a possibility that it could be through email campaigns or unintentional downloading of software that carries the malware.

What is clear is that the information in the malicious executable has been changed to suggest that the author is Google and the name of the program is Google Software Update.

We know that the creators of HavanaCrypt have gone to great lengths to make sure that static and automatic security scans do not detect the malware. They use security checks, before running the encryption.

If the check is negative, the malware is not executed. If it is positive, a .txt file is downloaded by the ransomware from an IP address connected to Microsoft’s web hosting services. This file is a script that adds certain folders to the Windows Defender exclusion list.

The ransomware then collects information about the infected machine, then exfiltrates the infected data which is then sent to a command and control (C2) server, which assigns a unique identification token and generates unique encryption keys.

The virus scans the system for all files, folders, drives and disks and adds the .Havana extension to all encrypted files. The files then become inaccessible to the user.

Unlike other ransomware, HavanaCrypt does not generate any ransom demands. Which leads us to think that HavanaCrypt ransomware uses another means to generate its earnings.

Recover files encrypted by HavanaCrypt ransomware

Today you can rely on qualified companies for encrypted data recovery. Among them is Digital Recovery.

Being in the data recovery market for more than 23 years, Digital Recovery has gained experience and generated unprecedented solutions for many companies.

With the growing numbers of ransomware attacks around the world, our development team studied, closely analyzed, and developed a solution that allows us to recover ransomware-encrypted files on any storage device.

This solution, called Tracer, was created with the security of our customers’ data in mind. A confidentiality agreement (NDA) is in place for each of our projects.

We are able to operate remotely in any country in the world. After an advanced diagnosis, we are able to determine the possibility of recovery.

Contact us! Our multi-lingual team is available 24/7 and is here to serve you in the best possible way.

We are always online

Please fill out the form, or select your preferred contact method. We will contact you to start recovering your files.

Latest insights from our experts

Descriptografar ransomware em servidores

Decrypt Server

Ransomware attacks on servers have become a growing threat, compromising the security of critical data and business operations. This article explores the nuances of file


Through unique technologies Digital Recovery can bring back encrypted data on any storage device, offering remote solutions anywhere in the world.