
Ransomware targets Windows PowerShell

Security researchers have discovered a novel ransomware scheme that uses Windows PowerShell to encrypt files on a victim's computer.

After encrypting the files, it holds them hostage, demanding payment of a ransom to unlock the data.

PowerShell is a scripting language that Microsoft bundles with Windows 7, although it runs on other versions as well. Administrators typically use it to automate the tasks involved in operating a Windows network.

Researchers at security software maker Sophos describe how the attack, directed at Russian users, works: A spam message delivers two malicious scripts to a machine. The first script checks whether PowerShell is installed on the system. If it isn't, it fetches a copy from a Dropbox account and installs it.

The second script starts encrypting files with PowerShell. Some 163 file types are targeted -- documents, spreadsheets, images, videos -- anything in which a person might keep valuable information.

After the script has done its dirty work, it displays a message telling the user that their files have been encrypted, and they need a code to unlock them.

To obtain the code, the user has to pay the attacker 10,000 Rubles (about $360).

However, the researchers discovered that the files can be decoded without paying the ransom. That's because the code can be retrieved by using the application that encrypted the files: PowerShell.

The ransomware uses one of two types of encryption key. One is the machine's UUID; the other is a randomly generated key that is 50 characters long.

The UUID key can be obtained by typing this statement into PowerShell: Get-WmiObject Win32_ComputerSystemProduct UUID.

The randomly generated key can be retrieved with this statement: wmi win32_computerSystem Model.
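The weakness the researchers describe can be illustrated in PowerShell: a key derived from a value the victim's own machine can read back, here the firmware UUID the article names, is recoverable without paying anyone. This is an added illustration, not the ransomware's code or Sophos's; the article does not describe the malware's cipher or key derivation, so the SHA-256 derivation and AES-CBC below are assumptions chosen for the demonstration.

```powershell
function Get-MachineDerivedKey {
    # The article's key source: the system UUID read via WMI (on PowerShell 7
    # use Get-CimInstance, since Get-WmiObject is Windows PowerShell only).
    $uuid = (Get-WmiObject Win32_ComputerSystemProduct).UUID
    # Assumed derivation: hash the UUID down to 32 bytes for AES-256.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($uuid)) }
    finally { $sha.Dispose() }
}

function Protect-Bytes([byte[]]$Plain, [byte[]]$Key) {
    # Assumed cipher: AES-256-CBC with PKCS7 padding (the .NET defaults).
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.GenerateIV()
        $enc = $aes.CreateEncryptor()
        $cipher = $enc.TransformFinalBlock($Plain, 0, $Plain.Length)
        # Prepend the IV so the blob is self-describing.
        return [byte[]]($aes.IV + $cipher)
    } finally { $aes.Dispose() }
}

function Unprotect-Bytes([byte[]]$Blob, [byte[]]$Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.IV = [byte[]]($Blob[0..15])
        $dec = $aes.CreateDecryptor()
        return $dec.TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    } finally { $aes.Dispose() }
}

# Constructed sample data standing in for a victim's document.
$sample = [Text.Encoding]::UTF8.GetBytes('constructed sample document text')
$blob   = Protect-Bytes -Plain $sample -Key (Get-MachineDerivedKey)

# Recovery side: rerun the same WMI query on the same machine, obtain the
# identical key, and the data comes straight back with no ransom involved.
$recovered = Unprotect-Bytes -Blob $blob -Key (Get-MachineDerivedKey)
[Text.Encoding]::UTF8.GetString($recovered) -eq 'constructed sample document text'
```

The final line prints True on the machine where the blob was produced; the same recovery fails on any other machine, which is exactly why a key must come from somewhere the victim cannot read, and why this scheme was crackable.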

While the ransomware scheme is easy to crack for someone who knows their way around PowerShell, it would be effective against most casual computer users.


In addition, because the technique is novel, it would not be immediately recognized by security analysts, observed John Cannell, a malware intelligence analyst with Malwarebytes.

"It makes it harder for the malware analyst because they're not used to seeing stuff like this," he told CSO Online. "It's stuff they do to keep us on our toes."

The PowerShell approach may also attract less sophisticated hackers, according to Richard Wang, manager of SophosLabs.

"It's easier to write some PowerShell script than to build your own ransomware binary from the ground up," he said in an interview.

Ransomware is gaining popularity among hackers, he added. "It's been gaining popularity over the last six to 12 months," he said.

"We've seen attempts at ransomware on and off for more than a decade," Cannell said. "But it has certainly become a more business-like operation in the last year or so, taking over from the fake antivirus, fake security-type scams."

"It has become the attack of choice for cybercriminals who are looking to get their payments directly from their victims rather than stealing credit card numbers," he said.

Typically, ransomware authors collect their ill-gotten gains through a Western Union-style money transfer, or a gift card code that can be turned into cash.

In its predictive analysis for 2013, Malwarebytes tagged ransomware as a growth trend. "It's a good way for malware writers to make money," Cannell said. "It's very profitable. They've made millions with stuff like this."
