Cyber criminals use Microsoft PowerShell in ransomware attacks

A newly discovered family of ransomware, dubbed PowerWare, uses Microsoft PowerShell to target organisations through macro-enabled documents

Cyber criminals are launching attacks on healthcare firms and other enterprises with ransomware created using Microsoft’s PowerShell scripting language for system administration.

The ransomware was discovered by researchers at security firm Carbon Black when a healthcare organisation was targeted unsuccessfully through a phishing email campaign.

The newly discovered family of ransomware – dubbed PowerWare by the researchers – targets organisations through a macro-enabled Microsoft Word document, such as a fake invoice.

This approach of using PowerShell to retrieve and execute the malicious code means the ransomware can avoid writing new files to disk and blend in with legitimate activity, making it much more difficult to detect.

Traditional ransomware variants typically install malicious files on the system which, in some instances, can be easier to detect.

Although the code is simple, PowerWare is a novel approach to ransomware, the researchers said, reflecting a growing trend of malware authors thinking outside the box in delivering ransomware.

Carbon Black researchers found that PowerWare is delivered through a macro-enabled Microsoft Word document that launches two instances of PowerShell.

One instance downloads the ransomware script and the other takes the script as input to run the malicious code to encrypt files on the target system and demand payment for releasing them.

Retrieving encryption keys

In an interesting twist, PowerWare initially demands a $500 ransom, but this increases to $1,000 if the ransom is not paid after two weeks.

Ransomware is becoming increasingly popular with cyber criminals as a way of making money, increasing 26% in the last quarter of 2015 compared with the previous quarter, according to the McAfee Labs threat report published on 22 March 2016.

The Carbon Black researchers said organisations that have systems in place for full packet capture should be able to recover the encryption keys.

The researchers found that, when PowerWare calls its command and control servers, it does so over a plain-text protocol, so the traffic is easily observed.

Organisations simply have to identify the right domain and IP information from network traffic to retrieve the encryption key, the researchers said.

Carbon Black Enterprise Protection users can block the initial cmd.exe launched by Word, which in turn launches PowerShell, with a rule that blocks cmd.exe from executing when its parent process is winword.exe.

They recommend covering other Microsoft Office applications – such as Excel and PowerPoint – in a similar way, as well as setting up a rule for browsers to block these apps from running PowerShell.
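The same parent-process logic can be applied to endpoint telemetry for detection rather than blocking. The following is an added example, not Carbon Black's rule or any code from the article: it walks constructed process-creation events (the field layout and the browser names are assumptions) and flags cmd.exe or powershell.exe chains that originate from Word, Excel or PowerPoint, and PowerShell launched from a browser, including the Word -> cmd.exe -> powershell.exe hop described above.

```python
"""Flag Office-to-shell process chains of the kind PowerWare's macro uses.

Added example. Event shape (pid, parent pid, image path, command line) is an
assumption modelled on Sysmon process-creation or EDR telemetry.
"""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}  # assumed browser set
SHELLS = {"cmd.exe", "powershell.exe"}
MAX_HOPS = 8  # guard against malformed telemetry with parent-pid cycles


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path as logged
    cmdline: str


def _name(image: str) -> str:
    """Reduce a logged image path to its lower-cased file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_office_shell_chains(events):
    """Return (origin_app, shell, cmdline) for every cmd.exe/powershell.exe whose
    launching application, after skipping intermediate cmd.exe hops, is an
    Office app (any shell) or a browser (PowerShell only)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        child = _name(e.image)
        if child not in SHELLS:
            continue
        parent, hops = by_pid.get(e.ppid), 0
        # Step over cmd.exe wrappers so Word -> cmd -> powershell is attributed to Word
        while parent is not None and _name(parent.image) == "cmd.exe" and hops < MAX_HOPS:
            parent, hops = by_pid.get(parent.ppid), hops + 1
        if parent is None:
            continue
        origin = _name(parent.image)
        if origin in OFFICE_APPS or (origin in BROWSERS and child == "powershell.exe"):
            hits.append((origin, child, e.cmdline))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.docm"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # shell from Explorer: benign
    ProcEvent(600, 100, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for origin, shell, cmdline in find_office_shell_chains(SAMPLE_EVENTS):
        print(f"ALERT {origin} -> {shell}: {cmdline}")
```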

Disable macros in Office documents

Security expert and SANS Institute instructor Ed Skoudis warned at RSA Conference 2016 in San Francisco that PowerShell has been fully weaponised in the past year.

According to Andrew Komarov, chief intelligence officer at security firm InfoArmor, PowerShell is used not just in ransomware, but in many malware samples related to cyber espionage.

“It provides very flexible functionality to work with a victim’s operating system, and many bad actors use script-based scenarios due to the high level of possible obfuscation and polymorphism in order to bypass security controls on Windows-based environments,” he said.

Brian Laing, vice-president of products at security firm Lastline, said very few users need macros in their Office documents.

“Users should always disable macros or, even better, not open files with macros unless they are 100% certain the file is not malicious. If they receive a file with macros and are unsure, they should contact their IT department to investigate the file. Home users should simply delete the file and move on,” he said.

Tim McElwee, president of managed security service provider Proficio, said enterprises should step up their vigilance for phishing attacks, disable macros and back up their systems.

“This can be accomplished internally or through a managed security services provider for industrial-strength security,” he said.
