Russian ransomware takes advantage of Windows PowerShell

Russian flag eye

For us in SophosLabs, ransomware is a common sight. We see many different versions every day. But as to be expected, the authors think up a new gimmick that makes us take notice. This is one of those cases.

Windows 7. Image from Shutterstock

Recently we received a ransomware sample from one of our customers, which immediately piqued our interest as it used Windows PowerShell program to perform file encryption.

For those who may not be aware, Windows PowerShell is a scripting language from Microsoft designed to help system administrators automate some the tasks required to run a Windows network. It’s included with Windows 7 and later but can be installed on earlier Windows operating systems too.

This latest ransomware uses this Windows PowerShell program to perform file encryption using “Rijndael symmetric key encryption”. This variant also targets Russian users with a ransom message displayed in the Russian language.

Here’s how this ransomware works:

It arrives as spam containing an HTA file attachment. The HTA file contains a pair of Base64 encoded strings. These are decoded to two scripts that do the bulk of the ransomware’s work.

The first script checks whether the system has Windows PowerShell installed or not. If not, it downloads a copy from a account and installs it.

Russian ransomware script 1

The second Base64 decoded string is the PowerShell script that performs file encryption. It uses “Rijndael symmetric key encryption” using PowerShell’s CreateEncryptor() function.

Russian ransomware script 2

As with most file-encrypting ransomware, this one chooses files that may contain information of value to the victim. In this case, an extensive list of 163 file types ranging from documents and spreadsheets to pictures and videos.

List of file types

The ransom demand takes the form of a text file named READ_ME_NOW.txt, created in each encrypted file folder which contains encrypted files. The message is in Russian and instructs the victim to visit the webpage shown below.

Russian ransom


Your files are encrypted?

Do you want to unlock your files and do not know how?

You can get the decryption program in fully automatic mode in a few minutes!

To decrypt your files must have a unique code, which is contained in the file READ_ME_NOW.txt, so we can learn the code please upload the file READ_ME_NOW.txt the form below. This file is in any directory that has encrypted files.

If the user uploads the READ_ME_NOW.txt file as instructed they will be taken to a second page of instructions.

Russian ransom


You are logged in!

We successfully read your unique lock code. For you, there is good news and bad news:

The good news is that you can get the program and fully unlock and clean your PC in just a few minutes.

The bad news - a program to unlock costs 10 TR for one PC

To prove to you that we can provide the unique program for your PC that will unlock all of your files - you can upload any one of the encrypted files no larger than 1 megabyte, and we will automatically decode it.

At this point the true desire of the attackers becomes apparent – and costly – a 10,000 Ruble charge for undoing the damage they have done. (At today’s rate 10,000 Rubles converts to about £217, €250, or $326 USD. Not exactly ‘priced to sell’.)

We have also seen two types of encryption key used by this ransomware.

  1. Uses a Universally Unique Identifier (UUID) as the encryption key and renames it with an extension .FTCODE
  2. Uses a randomly generated string, 50 characters long and including 4 non alpha numeric values as encryption key and renames it with an extension .BTCODE. This key is generated using the GeneratePassword() command. This handy function takes 2 parameters: length of the password to create and the number of non-alphanumeric characters to include. Very useful if you have a hard time coming up with strong passwords by yourself.

But there’s good news. In both cases the encryption key can be recovered without paying for it. In fact, this can be done using the same PowerShell tool that the attackers used.

The first, UUID, key can be retrieved with this command.

Get-wmiobject Win32_ComputerSystemProduct UUID

The second with:

Gwmi win32_computerSystem Model

Thus the encryption keys can be relatively simple to retrieve by anyone who would rather not pay 10,000 Rubles/£217/€250/$326 to get their files back.

We always advise against paying the ransom to the criminals behind ransomware. Even if you pay there’s no guarantee that they will uphold their end of the bargain. It’s more likely that you’ll be left with a bunch of encrypted files and lighter wallet.

Sophos customers, take note that our security products detect these variants as Troj/Ransom-NY.

And if you want to know more about the inner-workings of ransomware, why not take a gander at our new technical paper “Ransomware: Next Generation Fake Antivirus” – no registration or Rubles required.

Windows image from Shutterstock.