Fileless Ransomware Continues Evolution

Wednesday, March 30, 2016 @ 10:03 AM gHale


A new fileless ransomware family uses Windows’ PowerShell to take advantage of victims, researchers said.

Called PowerWare by Carbon Black researchers, this piece of malware is going out via a more traditional method through macro-enabled Microsoft Word documents.

RELATED STORIES
Ransomware Uses Viewing App in Attack
Hole Found in Ransomware
Ransomware in Mac Attack
Ransomware Targets Android Users

The catch is, though, it does not write malicious files to disk, as most ransomware does. Instead, it calls for PowerShell, a core utility of current Windows systems, to perform malicious operations, thus attempting to blend in with more legitimate computer activity.

Ransomware is a very effective method of attack. What is interesting is the malicious software has evolved to become one of the biggest threats to consumers and enterprises, courtesy of exploit families such as CryptoWall, Locky, and Teslacrypt.

Ransomware often ends up bundled in with the exploit kits and attackers continue to use new techniques to make their malware more efficient.

PowerWare first emerged in a campaign targeting a healthcare organization, Carbon Black researchers said in a post. The ransomware ends up delivered via malicious Word documents that use embedded macros to spawn “cmd.exe” on the target computer, which in turn calls PowerShell to download and run the PowerWare code.

Researchers said as soon as the user enables the macros to run in the malicious document, cmd.exe spawns and launches two instances of PowerShell, one to download the ransomware script, and the second to start with the script as input. The script generates random numbers for the encryption key and for the UUID assigned to the endpoint.

The script also sends the information to the attacker controlled host via HTTP, and does that in plain text, an approach that actually creates an operational weakness. Basically, users who have a full capture packet solution can analyze the traffic to identify the right domain and IP info and retrieve the encryption key.

After communicating with the command and control server, the script encrypts files that have specific extensions (it can encrypt a broad range of file formats, the researchers found out). The ransomware also includes an HTML file in every folder with encrypted files, providing users with information on how they can regain access to their files and demanding a $500 ransom (which doubles after two weeks).