Ransomware Leverages Windows PowerShell

Wednesday, March 6, 2013 @ 02:03 PM gHale


A new version of Russian ransomware is now using a Windows PowerShell program to perform file encryption.

Windows PowerShell is a scripting language from Microsoft designed to help system administrators automate some of the tasks required to run a Windows network, said researchers at SophosLabs. It is a part of Windows 7 and later but can also install on earlier Windows operating systems.


This latest ransomware uses PowerShell to encrypt files with “Rijndael symmetric key encryption.” The variant targets Russian users, displaying its ransom message in Russian.

The ransomware arrives as spam carrying an HTA file attachment, said researchers at SophosLabs. The HTA file contains a pair of Base64 encoded strings, which decode to the two scripts that do the bulk of the ransomware’s work.

The first script checks whether the system has Windows PowerShell installed or not. If not, it downloads a copy from a Dropbox.com account and installs it.

The second Base64 decoded string is the PowerShell script that performs the file encryption. It applies “Rijndael symmetric key encryption” through the CreateEncryptor() function available to PowerShell.
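As an added example (not Sophos’s or the article’s code), here is a small Python triage script for the dropper layout described above: it scans an HTA file for long Base64 blobs, decodes each one (UTF-8, or the UTF-16LE form PowerShell uses for encoded commands), and flags any decoded script that mentions the indicators named in this article. The HTA and its two stand-in scripts are constructed inline; the indicator list is an assumption drawn from the text.

```python
import base64
import binascii
import re

# Indicator strings the article ties to the decoded dropper scripts.
INDICATORS = ("CreateEncryptor", "Rijndael", "GeneratePassword",
              "READ_ME_NOW", "dropbox.com", "powershell")
# Long runs of Base64 alphabet characters plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blob(blob):
    """Decode Base64 to text, trying UTF-8 then UTF-16LE (the encoding of
    PowerShell's -EncodedCommand); None if neither gives printable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def scan_hta(hta_text):
    """One record per embedded blob whose decoded script mentions any
    INDICATORS, in order of appearance in the file."""
    hits = []
    for m in B64_RE.finditer(hta_text):
        script = decode_blob(m.group(0))
        if script is None:
            continue
        found = [i for i in INDICATORS if i.lower() in script.lower()]
        if found:
            hits.append({"offset": m.start(), "indicators": found})
    return hits


# Constructed sample (not real malware): two stand-in strings in an HTA shell.
_STAGE1 = "rem stage 1: test for PowerShell, else fetch installer from dropbox.com"
_STAGE2 = "# stage 2: Rijndael via CreateEncryptor(), GeneratePassword() key, READ_ME_NOW.txt"
SAMPLE_HTA = (
    "<html><head><script language='VBScript'>\n"
    f'a = "{base64.b64encode(_STAGE1.encode()).decode()}"\n'
    f'b = "{base64.b64encode(_STAGE2.encode("utf-16-le")).decode()}"\n'
    "</script></head><body></body></html>\n"
)
```

Run `scan_hta(open(path).read())` on a suspect attachment; each hit reports where the blob sits in the file and which indicators its decoded script contains.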

As with most file-encrypting ransomware, this one targets files likely to hold information of value to the victim, said researchers at SophosLabs. In this case it works from an extensive list of 163 file types, ranging from documents and spreadsheets to pictures and videos.

The ransom demand takes the form of a text file named READ_ME_NOW.txt, created in each folder that contains encrypted files, said researchers at SophosLabs. The message is in Russian and instructs the victim to visit the webpage quoted below.

In short, the ransom reads:
“Your files are encrypted?
“Do you want to unlock your files and do not know how?
“You can get the decryption program in fully automatic mode in a few minutes!
“To decrypt your files must have a unique code, which is contained in the file READ_ME_NOW.txt, so we can learn the code please upload the file READ_ME_NOW.txt the form below. This file is in any directory that has encrypted files.”

If the user uploads the READ_ME_NOW.txt file as instructed they will be taken to a second page of instructions.

Those instructions read:
“You are logged in!
“We successfully read your unique lock code. For you, there is good news and bad news:
“The good news is that you can get the program and fully unlock and clean your PC in just a few minutes.
“The bad news – a program to unlock costs 10 TR for one PC.
“To prove to you that we can provide the unique program for your PC that will unlock all of your files – you can upload any one of the encrypted files no larger than 1 megabyte, and we will automatically decode it.”

At this point the attackers’ true aim becomes apparent: a 10,000 Ruble charge for undoing the damage they have done. At today’s rate 10,000 Rubles converts to about $326.

We have also seen two types of encryption key used by this ransomware.
1. Uses a Universally Unique Identifier (UUID) as the encryption key and renames the encrypted files with the extension .FTCODE.
2. Uses a randomly generated string, 50 characters long and including four non-alphanumeric characters, as the encryption key and renames the encrypted files with the extension .BTCODE. This key is generated with the GeneratePassword() command. This handy function takes two parameters: the length of the password to create and the number of non-alphanumeric characters to include. Very useful if you have a hard time coming up with strong passwords by yourself.

In both cases the encryption key can be recovered without paying for it. In fact, this can be done with the same PowerShell tool the attackers used.

A user can retrieve the first, UUID, key with this command:
Get-WmiObject Win32_ComputerSystemProduct UUID

The second with:
Get-WmiObject Win32_ComputerSystem Model
