14 DAY TRIAL // Ransomware has become a highly efficient method to make an illegal profit. However, that doesn’t mean cybercriminals have given up on employing new tactics to improve their schemes as much as possible.
An interesting piece of ransomware uncovered by Sophos researchers uses Windows PowerShell – the scripting language which allows system administrators to automate the tasks they want to run on their networks – in order to encrypt the victims’ files and hold them hostage until the ransom is paid.
The malicious element is distributed as an HTA file attached to spam emails. One of the scripts contained in the HTA file checks if Windows PowerShell is installed on the infected system.
If it’s not present, an installer is downloaded from Dropbox and executed. It’s worth noting that PowerShell is installed by default in Windows 7 and later variants, but it can be installed manually on earlier versions as well.
The second script contained in the HTA file is a PowerShell script that performs the file encryption by using the “Rijndael symmetric key encryption.”
The ransomware looks for 163 specific file extensions, ones that might hold some important data, such as documents, videos and pictures.
Once the files are encrypted, a text file called “READ_ME_NOW.txt” is dropped. It contains a message, in Russian, instructing victims to visit a website if they want to recover their files.
The website tells victims to upload the “READ_ME_NOW.txt” file which apparently contains a “code.” After the file is uploaded, users are told to pay 10,000 Rubles (around $326, or 250 EUR) if they want to recover their files.
In some cases, after being hit by such ransomware, it’s almost impossible to recover the files without paying because of the strong encryption algorithm. However, in this case, the encryption key can be recovered by using PowerShell.
There are two encryption keys: a Universally Unique Identifier (UUID) stored in a .FTCODE file, and a randomly generated 50-character string stored in a .BTCODE file.
The first key can be recovered with the “Get-wmiobject Win32_ComputerSystemProduct UUID” command, while the second can be obtained with the “Gwmi win32_computerSystem Model” command.