Ransomware Uses Windows PowerShell to Infect Victims' Files
Security firm Sophos has disclosed a fascinating piece of ransomware that uses Windows PowerShell, the scripting language that lets system administrators automate the work they need to carry out on their networks, to encrypt victims' files and hold them hostage until the ransom is paid.
The malicious component is distributed as an HTA (HTML Application) file attached to fake e-mails. One of the scripts included in the HTA file checks whether Windows PowerShell is installed on the system.
If it is not present, an installer is downloaded from Dropbox and executed. It is worth noting that PowerShell is installed by default in Windows 7 and later versions, but it can be installed manually on earlier versions as well.
The second script included is a PowerShell script which performs the file encryption via "Rijndael symmetric key encryption."
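HTA files are run by the Windows host binary mshta.exe, so the delivery chain described above shows up as PowerShell running underneath mshta.exe. The following is an added example, not code from Sophos or from this article, that flags that lineage in process-creation records; the sample events, field names and function names are constructed for illustration, and PIDs are assumed to be unique within the window examined.

```python
import ntpath

# Constructed process-creation records (pid, parent pid, image path), in the
# style of Sysmon Event ID 1 / Windows event 4688. Not taken from the article.
SAMPLE_EVENTS = [
    {"pid": 400,  "ppid": 4,    "image": r"C:\Windows\explorer.exe"},
    {"pid": 1200, "ppid": 400,  "image": r"C:\Program Files\Mail\mailclient.exe"},
    {"pid": 1310, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 1422, "ppid": 1310, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1533, "ppid": 1422,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: an administrator starting PowerShell from the desktop shell.
    {"pid": 2000, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"},
]

HTA_HOST = "mshta.exe"        # Windows binary that executes .hta files
SHELLS = {"powershell.exe"}   # child process of interest


def basename(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def find_hta_spawned_powershell(events):
    """Return (powershell_pid, chain) for every PowerShell process that has
    mshta.exe in its ancestry, directly or through intermediate processes."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        chain, seen, cur = [basename(e["image"])], {e["pid"]}, e
        # Walk up the parent chain; 'seen' guards against malformed loops.
        while cur["ppid"] in by_pid and cur["ppid"] not in seen:
            cur = by_pid[cur["ppid"]]
            seen.add(cur["pid"])
            chain.append(basename(cur["image"]))
            if chain[-1] == HTA_HOST:
                hits.append((e["pid"], list(reversed(chain))))
                break
    return hits


if __name__ == "__main__":
    for pid, chain in find_hta_spawned_powershell(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: " + " -> ".join(chain))
```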
About 163 file types are targeted - documents, spreadsheets, images, videos - any kind of file in which a person might keep valuable information.
Once the script has done its dirty work, a message is displayed to users informing them that their files have been infected and that they need a code to unlock them.
To obtain the code, the user has to make a payment of 10,000 rubles to the attacker.
The researchers found that the files can be decrypted without paying the ransom. That is because the code can be recovered using the application that infected the files: PowerShell.
The ransomware uses one of two kinds of encryption keys. One uses a UUID (Universally Unique Identifier) as the encryption key; the other, a randomly generated key that is 50 characters long.
The first key can be recovered with the "Get-wmiobject Win32_ComputerSystemProduct UUID" command, while the second can be obtained with the "Gwmi win32_computerSystem Model" command.
"We (Sophos) always suggest against paying the ransom to the criminals behind ransomware. Even after paying, there's no guarantee that they will uphold their end of the bargain. It's more probable that you'll be left with a lot of encrypted files and a lighter wallet," the security firm concluded.
» SPAMfighter News - 3/12/2013