Recently, security researchers at the Antivirus firm TrendLabs have unearthed another sophisticated variant of the ransomware malware which is employing Windows PowerShell in an effort to encrypt files on the victims' computer. The firm detected the variant as TROJ_POSHCODER.A.
Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language. It provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems as well as WS-Management and CIM enabling management of remote Linux systems and network devices.
It is believed that cybercriminals have used this feature of Windows just in order to make the detection and analysis of the malware harder on an affected system. However, they failed at this point as using Windows PowerShell feature made it much easier for the researchers to detect the malware.
"In this case, using PowerShell made it easier to detect as this malware is also hard-coded," reads the blog post. "Decrypting and analyzing this malware was not too difficult, particularly compared to other ransomware variants."
TROJ_POSHCODER.A is a script-based malware as it is using the Windows PowerShell feature. The malware makes use of the Advanced Encryption Standard (AES) to encrypt the files, and RSA-4096 public key cryptography to exchange the AES key with the victims in order to decrypt the files.
Once the ransomware is installed and executed on the victim's Windows System, it encrypts the existing files on the infected system and then renames them to {filename}.POSHCODER. In Addition, it also drops UNLOCKYOURFILES.html into every folder.
As soon as all the files on the infected system are encrypted, it displays a message to victims saying "Your files were encrypted and locked with a RSA4096 key" and ask them to follow some given instructions in order to decrypt their files as shown in the screenshot:
The instructions in the Ransom note takes users to another page as shown below, asking victims to download the Multibit application to have their own Bitcoin-wallet account for 1 Bitcoin.
After victims purchase the application, they are instructed to fill and submit the form that contains information such as victims' email address, BTC address and ID, as a result to get decryption keys from the threat actors. This new variant have primarily affected English speaking targets in the United States.
In our previous articles, we highlighted many variants of Cryptolocker and other similar threats that has ability to perform additional tasks such as using different languages in their warning and stealing virtual currency from cryptocurrency wallets.
In our previous articles, we highlighted many variants of Cryptolocker and other similar threats that has ability to perform additional tasks such as using different languages in their warning and stealing virtual currency from cryptocurrency wallets.
CryptoLocker is especially dangerous because of its infection rate and it is the most damaging Windows virus in a series of recent ransomware Trojans.
We also reported last month that cybercriminals have now begun targeting Smartphones with a special piece of malicious software that locks up the devices until the victims pay a ransom to get the keys to unlock the phone, which highlights how money motivated criminals are continuously improving these threats over time.
What Steps can you take to reduce the risk of your equipment becoming infected? Users are advised to never open email attachments from unknown sources and make backup of your important data to an external device or on the cloud storage. If you believe you have been infected, act quickly. Stay Safe!
What Steps can you take to reduce the risk of your equipment becoming infected? Users are advised to never open email attachments from unknown sources and make backup of your important data to an external device or on the cloud storage. If you believe you have been infected, act quickly. Stay Safe!
