
Security researchers have detected a ransomware variant in the wild that employs Windows PowerShell, Microsoft's task automation and configuration management framework for local and remote Windows systems, to encrypt files.

“We recently encountered another variant that used the Windows PowerShell feature in order to encrypt files. This variant is detected as TROJ_POSHCODER.A,” wrote Mark Joseph Manahan.

“Typically, cybercriminals and threat actors have used Windows PowerShell to go undetected on an affected system, making detection and analysis harder. However, in this case, using PowerShell made it easier to detect as this malware is also hardcoded. Decrypting and analyzing this malware was not too difficult, particularly compared to other ransomware variants.”

Manahan says that the ransomware is unusual in that it is script-based. It uses AES to encrypt the victim's files and RSA-4096 public-key cryptography to wrap the AES key, the standard hybrid design in which the symmetric key is only recoverable with the attacker's private key. After adding its registry entries and encrypting the files, it drops UNLOCKYOURFILES.html into each affected folder and then displays a message to the infected user with instructions on how to recover the data.
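The indicators above (a ransom note with a fixed name in every encrypted folder, next to files whose contents now look like random bytes) are enough to hunt for this family on a file share or a backup snapshot. The script below is an added example written for this page, not code from Trend Micro's analysis or from the malware itself: it walks a directory tree, reports every folder holding UNLOCKYOURFILES.html, and flags files whose first 4 KiB have Shannon entropy above a threshold (7.5 bits per byte is an assumed cut-off; AES output sits near 8.0, while documents and text sit well below). The sample tree it scans is constructed in a temporary directory so the example runs offline.

```python
"""Hunt for POSHCODER-style indicators: a UNLOCKYOURFILES.html ransom note
dropped into each folder, beside files whose contents have been AES-encrypted
and therefore look like uniformly random bytes.  Added example, not the
malware's code or the original write-up's tooling."""
import math
import os
import random
import tempfile
from collections import Counter

RANSOM_NOTE = "UNLOCKYOURFILES.html"   # ransom-note file name from the write-up
ENTROPY_THRESHOLD = 7.5                # bits/byte; assumed cut-off for "encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD):
    """Walk `root`; return (folders holding a ransom note, high-entropy files),
    both as sorted lists of paths relative to `root`."""
    note_dirs, suspicious = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if RANSOM_NOTE in filenames:
            note_dirs.append(os.path.relpath(dirpath, root))
        for name in filenames:
            if name == RANSOM_NOTE:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)        # first 4 KiB is enough to judge
            # Skip tiny files: an entropy estimate over a few bytes is meaningless.
            if len(head) >= 256 and shannon_entropy(head) >= threshold:
                suspicious.append(os.path.relpath(path, root))
    return sorted(note_dirs), sorted(suspicious)


def build_sample_tree(root: str) -> None:
    """Constructed sample data, not a real infection: one hit folder containing
    a ransom note plus a file of pseudo-random bytes standing in for AES output,
    and one clean sub-folder holding ordinary text."""
    rng = random.Random(2014)           # fixed seed so the demo is repeatable
    ciphertext = bytes(rng.getrandbits(8) for _ in range(2048))
    plaintext = b"Quarterly figures are attached for review.\n" * 50
    hit = os.path.join(root, "Documents")
    clean = os.path.join(hit, "Archive")
    os.makedirs(clean)
    with open(os.path.join(hit, "report.docx"), "wb") as fh:
        fh.write(ciphertext)
    with open(os.path.join(hit, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Your files have been encrypted.</body></html>")
    with open(os.path.join(clean, "notes.txt"), "wb") as fh:
        fh.write(plaintext)


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="poshcoder-hunt-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    notes, files = run_demo()
    print("Folders with ransom note :", notes)
    print("Probable encrypted files :", files)
```

Entropy alone produces false positives on legitimately compressed or encrypted data (archives, media, already-encrypted containers), which is why the scan reports it separately from the ransom-note hit; a folder that matches on both is the strong signal. Point it at a mounted backup rather than the live host so the scan itself does not touch file timestamps an investigator may still need.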

“Once users followed the instructions stated in the ‘ransom note,’ they will see the image below informing them to install the Multibit application that will allow them to have their own Bitcoin-wallet account for 1 Bitcoin,” Manahan said.

“When they purchase the application, they are instructed to submit the form that contains information like email address, and BTC address and ID. Users will supposedly get the decryptor that will help encrypt the files.”

POSHCODER currently targets English-speaking users in the United States, but it can be expected to be adapted to other potential victims in time.
