Ransomware targets Windows PowerShell

Security researchers have discovered a novel ransomware scheme that uses Windows PowerShell to encrypt files on a victim's computer.

After encrypting the files, it holds them hostage, demanding payment of a ransom to unlock the data.

PowerShell is a scripting language that Microsoft bundles with Windows 7, although it works on other versions as well; administrators typically use it to automate the tasks involved in operating a Windows network.

Researchers at security software maker Sophos describe how the attack, directed at Russian users, works: a spam message delivers two malicious scripts to a machine. The first script checks the system to see if PowerShell is installed. If it isn't, it fetches a copy from a Dropbox account and installs it.

The second script starts encrypting files with PowerShell. Some 163 file types are targeted -- documents, spreadsheets, images, videos -- anything in which a person might keep valuable information.

After the script has done its dirty work, it displays a message telling the user that their files have been encrypted, and they need a code to unlock them.

To obtain the code, the user has to pay the attacker 10,000 Rubles (about $360).

However, the researchers discovered that the files can be decoded without paying the ransom. That's because the code can be retrieved by using the application that encrypted the files: PowerShell.

The ransomware uses one of two types of encryption key. One uses a UUID as the encryption key; the other uses a randomly generated key that's 50 characters long.

The UUID key can be obtained by typing this statement into PowerShell: Get-WmiObject Win32_ComputerSystemProduct UUID.

The randomly generated key can be retrieved with this statement: wmi win32_computerSystem Model.

While the ransomware scheme is easy to crack for someone who knows their way around PowerShell, it would be effective against most casual computer users.


In addition, because the technique is novel, it would not be immediately recognized by security analysts, observed John Cannell, a malware intelligence analyst with Malwarebytes.

"It makes it harder for the malware analyst because they're not used to seeing stuff like this," he told CSO Online. "It's stuff they do to keep us on our toes."

The PowerShell approach may also attract less sophisticated hackers, according to Richard Wang, manager of SophosLabs.

"It's easier to write some PowerShell script than to build your own ransomware binary from the ground up," he said in an interview.

Ransomware is gaining popularity among hackers, he added. "It's been gaining popularity over the last six to 12 months," he said.

"We've seen attempts at ransomware on and off for more than a decade," Cannell said. "But it has certainly become a more business-like operation in the last year or so, taking over from the fake antivirus, fake security-type scams."

"It has become the attack of choice for cybercriminals who are looking to get their payments directly from their victims rather than stealing credit card numbers," he said.

Typically, ransomware writers demand their ill-gotten gains through a Western Union-style money transfer, or a gift card code that can be turned into cash.

In its predictive analysis for 2013, Malwarebytes tagged ransomware as a growth trend. "It's a good way for malware writers to make money," Cannell said. "It's very profitable. They've made millions with stuff like this."

Stories by John P. Mello Jr.