Ransomware targets Windows PowerShell
Malware uses Microsoft encryption to hold computers hostage
By John P. Mello Jr.
March 05, 2013 — CSO — Security researchers have discovered a novel ransomware scheme that uses Windows PowerShell to encrypt files on a victim's computer.
After encrypting the files, it holds them hostage, demanding payment of a ransom to unlock the data.
PowerShell is a scripting language Microsoft bundles with Windows 7, although it works on other versions as well, and is typically used by administrators to automate tasks used to operate a Windows network.
Researchers at security software maker Sophos describe how the attack, directed at Russian users, works: A spam message delivers two malicious scripts to a machine. The first script checks the system to see if PowerShell is installed. If it isn't, it will fetch a copy from a Dropbox account and install it.
The second script starts encrypting files with PowerShell. Some 163 file types are targeted -- documents, spreadsheets, images, videos -- anything in which a person might keep valuable information.
After the script has done its dirty work, it displays a message telling the user that their files have been encrypted, and they need a code to unlock them.
To obtain the code, the user has to pay the attacker 10,000 Rubles (about $360).
However, the researchers discovered that the files can be decoded without paying the ransom. That's because the code can be retrieved by using the application that encrypted the files: PowerShell.
The ransomware uses one of two types of encryption keys. One uses a UUID as the encryption key; the other, a randomly generated key that's 50 characters long.
The UUID key can be obtained by typing this statement into PowerShell: Get-wmiobject Win32_ComputerSystemProduct UUID.
The randomly generated key can be retrieved with this statement: wmi win32_computerSystem Model.
While the ransomware scheme is easy to crack for someone who knows their way around PowerShell, it would be effective against most casual computer users.
In addition, because the technique is novel, it would not be immediately recognized by security analysts, observed Josh Cannell, a malware intelligence analyst with Malwarebytes.
"It makes it harder for the malware analyst because they're not used to seeing stuff like this," he told CSO Online. "It's stuff they do to keep us on our toes."
The PowerShell approach may also attract less sophisticated hackers, according to Richard Wang, manager of SophosLabs.
"It's easier to write some PowerShell script than to build your own ransomware binary from the ground up," he said in an interview.
Ransomware is gaining popularity among hackers, he added. "It's been gaining popularity over the last six to 12 months," he said.
"We've seen attempts at ransomware on and off for more than a decade," Cannell said. "But it has certainly become a more business-like operation in the last year or so, taking over from the fake antivirus, fake security-type scams."
"It has become the attack of choice for cybercriminals who are looking to get their payments directly from their victims rather than stealing credit card numbers," he said.
Typically, ransom writers demand their ill-gotten gains through a Western Union-style money transfer, or a gift card code that can be turned into cash.
In its predictive analysis for 2013, Malwarebytes tagged ransomware as a growth trend. "It's a good way for malware writers to make money," Cannell said. "It's very profitable. They've made millions with stuff like this."