Russian ransomware takes advantage of Windows PowerShell

Filed Under: Featured, Malware, Microsoft, Ransomware, SophosLabs, Windows

For us in SophosLabs, ransomware is a common sight. We see many different versions every day. But as to be expected, the authors think up a new gimmick that makes us take notice. This is one of those cases.

Windows 7. Image from Shutterstock

Recently we received a ransomware sample from one of our customers, which immediately piqued our interest as it used Windows PowerShell program to perform file encryption.

For those who may not be aware, Windows PowerShell is a scripting language from Microsoft designed to help system administrators automate some the tasks required to run a Windows network. It’s included with Windows 7 and later but can be installed on earlier Windows operating systems too.

This latest ransomware uses this Windows PowerShell program to perform file encryption using "Rijndael symmetric key encryption". This variant also targets Russian users with a ransom message displayed in the Russian language.

Here's how this ransomware works:

It arrives as spam containing an HTA file attachment. The HTA file contains a pair of Base64 encoded strings. These are decoded to two scripts that do the bulk of the ransomware’s work.

The first script checks whether the system has Windows PowerShell installed or not. If not, it downloads a copy from a Dropbox.com account and installs it.

Russian ransomware script 1

The second Base64 decoded string is the PowerShell script that performs file encryption. It uses "Rijndael symmetric key encryption" using PowerShell’s CreateEncryptor() function.

Russian ransomware script 2

As with most file-encrypting ransomware, this one chooses files that may contain information of value to the victim. In this case, an extensive list of 163 file types ranging from documents and spreadsheets to pictures and videos.

List of file types

The ransom demand takes the form of a text file named READ_ME_NOW.txt, created in each encrypted file folder which contains encrypted files. The message is in Russian and instructs the victim to visit the webpage shown below.

Russian ransom

Translation:

Your files are encrypted?

Do you want to unlock your files and do not know how?

You can get the decryption program in fully automatic mode in a few minutes!

To decrypt your files must have a unique code, which is contained in the file READ_ME_NOW.txt, so we can learn the code please upload the file READ_ME_NOW.txt the form below. This file is in any directory that has encrypted files.

If the user uploads the READ_ME_NOW.txt file as instructed they will be taken to a second page of instructions.

Russian ransom

Translation:

You are logged in!

We successfully read your unique lock code. For you, there is good news and bad news:

The good news is that you can get the program and fully unlock and clean your PC in just a few minutes.

The bad news - a program to unlock costs 10 TR for one PC

To prove to you that we can provide the unique program for your PC that will unlock all of your files - you can upload any one of the encrypted files no larger than 1 megabyte, and we will automatically decode it.

At this point the true desire of the attackers becomes apparent - and costly - a 10,000 Ruble charge for undoing the damage they have done. (At today's rate 10,000 Rubles converts to about £217, €250, or $326 USD. Not exactly 'priced to sell'.)

We have also seen two types of encryption key used by this ransomware.

  1. Uses a Universally Unique Identifier (UUID) as the encryption key and renames it with an extension .FTCODE
  2. Uses a randomly generated string, 50 characters long and including 4 non alpha numeric values as encryption key and renames it with an extension .BTCODE. This key is generated using the GeneratePassword() command. This handy function takes 2 parameters: length of the password to create and the number of non-alphanumeric characters to include. Very useful if you have a hard time coming up with strong passwords by yourself.

But there's good news. In both cases the encryption key can be recovered without paying for it. In fact, this can be done using the same PowerShell tool that the attackers used.

The first, UUID, key can be retrieved with this command.

Get-wmiobject Win32_ComputerSystemProduct UUID

The second with:

Gwmi win32_computerSystem Model

Thus the encryption keys can be relatively simple to retrieve by anyone who would rather not pay 10,000 Rubles/£217/€250/$326 to get their files back.

We always advise against paying the ransom to the criminals behind ransomware. Even if you pay there’s no guarantee that they will uphold their end of the bargain. It’s more likely that you’ll be left with a bunch of encrypted files and lighter wallet.

Sophos customers, take note that our security products detect these variants as Troj/Ransom-NY.

And if you want to know more about the inner-workings of ransomware, why not take a gander at our new technical paper "Ransomware: Next Generation Fake Antivirus" - no registration or Rubles required.

Windows image from Shutterstock.

, , ,

You might like

11 Responses to Russian ransomware takes advantage of Windows PowerShell

  1. Jason · 594 days ago

    Microsoft does it again. Rather than using a proper shell like the sort that has been used very successfully in unix for decades they have to reinvent the wheel just to be different. And as usual they made their wheel square.

    But then I suppose to use a proper shell you need a proper kernel to run it on.

    Nice one Microsoft.

    Again.

    • Doug Wagner · 593 days ago

      Jason,

      Powershell can hold it's own quite nicely compared to other OS scripting shells.
      You should learn more about powershell. I think you would be pleasantly surprised.

      BTW powershell has good security available, but it needs to be configured to be secure.

      DJW
      A powershell usin' Sys Admin

    • Rocky · 593 days ago

      Jason, you have no idea what you are talking about. I've used a variety of UNIX shells and also PowerShell. The UNIX shells are powerful, but definitely limited compared to what PowerShell can do, especially on Windows.

      If people download and execute unknown scripts/executables, bad things can happen. This could have been a bash shell script and could have caused similar types of issues.

  2. spryte · 594 days ago

    As a PowerShell user (on XP)... many thanks.
    Not that I'd ever download and execute an unknown HTA... I've developed a few in my time, for various admin functions, and know their power, running as Fully Trusted applications.

  3. Chris · 594 days ago

    Here is a question, how is it bypassing PowerShell's execution policy? By default all scripts must be signed.

    • Chris · 594 days ago

      Well i will respond to myself, looking into it, it isn't hard at all to bypass PowerShell's execution policy.. Basically you can execute the code wth get-content and Invoke-expression.

    • Kieran Jacobsen · 593 days ago

      Who says it wasn't signed?

  4. Blake · 594 days ago

    I second Chris' question. PowerShell in default configuration cannot execute scripts of any kind. I discovered that the hard way when I wrote my first script. Certainly this ransomware is bad, but your article seems to give PowerShell a bad name where it may not deserve it.

    Does this ransomware only function in environments where the PowerShell execution policy has been switched to unrestricted or does the ransomware actually change the execution policy (which requires admin privileges)?

    • Kieran Jacobsen · 593 days ago

      You can overwrite that with the -ExecutionPolicy flag on powershell.exe

  5. To be clear this is not a vulnerability in PowerShell. All they've done is used PowerShell as their payload language. But they could have used anything. If they are downloading and installing PowerShell they could have downloaded and installed anything.

    It is possible to run PowerShell code without it running as a script which means the execution policy doesn't apply. The policy is not a security boundary.

  6. Russ Cooper · 587 days ago

    Sophos press release...hackers use what they can to do what they want....duh...Powershell has been around for > 5 years, so you're saying it took hackers that long to figuree out how to use it?

    Of course hackers will try to use anything they can. That they've tried to use Powershell is not news, if the Admins are allowing it appropriately. This is an attack against home users (as usual) and not any reasonably secured business.

    I used to get accused of hyping...nice to see others hyping more than me.

    Cheers,
    Russ

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Anand Ajjan is one of the Senior Threat Researchers in SophosLabs. He has been working for Sophos since 2011, and his main research is in malware botnets and exploit kits.