The New Face of PowerShell: Ransomware Powered by PowerShell-Based Attacks
Summary
Writing malicious code in PowerShell is nothing new, but in the past PowerShell usually played a supporting role, such as running cmdlets or acting as a loader. That trend is now changing. Ransomware written entirely in pure PowerShell had never been seen before, yet several such samples were discovered recently, which prompted me to look into what happened.
Technique analysis
The PowerShell ransomware samples share the same set of abilities: deleting shadow copies, stopping interfering processes, disabling Defender, spreading across the network, adding registry persistence, and so on. Everything is done with PowerShell alone.
Third party software encryption scheme
One of the PowerShell ransomware samples uses the free third-party encryption software VeraCrypt to encrypt the data on the drive. When the PowerShell script runs, it downloads the installer from the remote address https[:]//Launchpad[.]net/veracrypt/trunk/1.25.9/+download/VeraCrypt_Setup_x64_1.25.9[.]msi and installs VeraCrypt.
The sample MD5 hash: 982433cb4f485fb6f3cd9fb32cce3bb2
Fig.1 Third party VeraCrypt scheme by PowerShell
The samples' MD5 hashes:
f3b663ef29fd2f8b41cdcf17b4a4300d
ffef1e40446902adc8071354fd39c1c6
Fig.2 Third party VeraCrypt scheme by PowerShell
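As an added, defender-side example (not code from this post, nor from the samples it describes), here is a small Python detector that checks PowerShell script-block text, such as the content of Event ID 4104 records from Script Block Logging, for the behaviours listed under Technique analysis and for the VeraCrypt installer fetch described above, then correlates the hits per session. The sample script blocks, the rule names and the severity threshold are constructed for this example and are assumptions, not indicators taken from the samples.

```python
import re
from collections import defaultdict

# Constructed sample script-block texts, written for this example only.
# They imitate what Script Block Logging (Event ID 4104) records; they are
# NOT taken from the samples the post describes.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "vssadmin.exe delete shadows /all /quiet",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Stop-Process -Name sqlservr -Force",
    "Invoke-WebRequest -Uri https://launchpad.net/veracrypt/trunk/1.25.9/"
    "+download/VeraCrypt_Setup_x64_1.25.9.msi -OutFile $env:TEMP\\vc.msi",
    "msiexec /i $env:TEMP\\vc.msi /qn",
    "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'"
    " -Name upd -Value 'powershell -w hidden -f C:\\Users\\Public\\x.ps1'",
    "Get-Date",
]

# One rule per capability from the post's technique list, plus the VeraCrypt
# installer download. Rule names are assumptions chosen for this example.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy|wmic\s+shadowcopy\s+delete", re.I)),
    ("defender_tampering", re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    ("process_termination", re.compile(r"\b(Stop-Process|taskkill)\b", re.I)),
    ("veracrypt_download",
     re.compile(r"https?://launchpad\.net/veracrypt/\S*VeraCrypt_Setup\S*\.msi", re.I)),
    ("silent_msi_install", re.compile(r"msiexec(\.exe)?\s+/i\b.*\s/q", re.I)),
    ("run_key_persistence", re.compile(r"CurrentVersion\\Run(Once)?\b", re.I)),
]


def classify_block(text):
    """Return the names of every rule that matches one script block."""
    return [name for name, rx in RULES if rx.search(text)]


def assess(blocks, threshold=3):
    """Correlate rule hits across the script blocks of one PowerShell session.

    Shadow-copy deletion alone is treated as high severity; otherwise
    `threshold` distinct capabilities in one session are needed for "high".
    Returns the sorted capability names, the block indexes behind each hit,
    and the resulting severity.
    """
    hits = defaultdict(list)
    for idx, block in enumerate(blocks):
        for name in classify_block(block):
            hits[name].append(idx)
    if "shadow_copy_deletion" in hits or len(hits) >= threshold:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"capabilities": sorted(hits), "hits": dict(hits), "severity": severity}


def main():
    report = assess(SAMPLE_SCRIPT_BLOCKS)
    print(f"severity: {report['severity']}")
    for name in report["capabilities"]:
        for idx in report["hits"][name]:
            print(f"  {name:<22} block {idx}: {SAMPLE_SCRIPT_BLOCKS[idx][:70]}")


if __name__ == "__main__":
    main()
```

The point of correlating per session rather than alerting on single blocks is that Stop-Process or a Run-key write on its own is routine administration, while the combination of shadow-copy deletion, Defender tampering, a silent installer fetch and persistence inside one session is the profile the post describes. Run against a real deployment, the block texts would come from the 4104 events of one process or logon session instead of the constructed list.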
RSA and AES encryption scheme
One of the PowerShell ransomware samples encrypts potential victims' data by combining the RSA and AES algorithms, the same approach used by other ransomware groups. The encryption details, such as how the AES key and IV are stored and how the public key is used, are not discussed here.
The samples' MD5 hashes:
118bd1887d7a1f825826e3a00f06b98e
4e7fd80028d4d0b227d48da1843762ab
Fig.3 RSA+AES scheme by PowerShell
Conclusion
As with other ransomware groups whose source code was leaked, more threat actors will emerge. PowerShell scripts will become more popular for writing more powerful malicious code. Obviously, it will be used more, and its previously subordinate role will change as more cases appear. The samples seen here use no obfuscation technique, and that will change as well.
IOCs
Files:
982433cb4f485fb6f3cd9fb32cce3bb2
f3b663ef29fd2f8b41cdcf17b4a4300d
ffef1e40446902adc8071354fd39c1c6
118bd1887d7a1f825826e3a00f06b98e
4e7fd80028d4d0b227d48da1843762ab
End.
Ransom note graphic representations
Labels: #Cybersecurity, #InfoSec, #MalwareAnalysis, #Powershell, #ransomware, #ThreatIntel