BUSINESS TECHNOLOGY MEDIA COMPANY
Companies
Sectors
Malware

New ransomware found via MS Word, PowerShell

Read time 4min 40sec
ITWeb Security Summit 2016

Don't miss the definitive event for security professionals:
17-18 May (conference and expo), 19 May (workshop)
Vodacom World, Midrand
Book today!

IT security researchers have discovered a new family of ransomware that targets organisations via Microsoft Word and PowerShell. PowerShell is the scripting language inherent to Microsoft operating systems.

The Carbon Black Threat Research Team, based in Massachusetts, has dubbed this new malware family PowerWare, which they say is a new instance of ransomware utilising native tools, such as PowerShell, on operating systems.

PowerWare is being distributed to victims via phishing e-mails containing Word documents with malicious macros, an increasingly common attack technique. The phishing attack is being disguised as an invoice.

According to the researchers, traditional ransomware variants typically install new malicious files on the system, which, in some instances, can be easier to detect. However, PowerWare asks PowerShell, a core utility of current Windows systems, to do the dirty work.

By leveraging PowerShell, this ransomware attempts to avoid writing new files to disk and tries to blend in with more legitimate computer activity.

"Deceptively simple in code, PowerWare is a novel approach to ransomware, reflecting a growing trend of malware authors thinking outside the box in delivering ransomware," says Carbon Black.

It points out the prevalence and popularity of ransomware in recent months has been staggering, with thousands of organisations paying ransoms to unlock their encrypted files.

The prevalence and popularity of ransomware in recent months has been staggering, says the Carbon Black Threat Research Team.
The prevalence and popularity of ransomware in recent months has been staggering, says the Carbon Black Threat Research Team.

"Our research found PowerWare is delivered via a macro-enabled Microsoft Word document. The Word document then uses macros to spawn 'cmd.exe', which in turn calls PowerShell with options that will download and run the malicious PowerWare code. In an interesting twist, PowerWare authors initially ask for a $500 ransom, which increases to $1 000 after two weeks," says Carbon Black.

Crippling effect

Cyber security company Kaspersky Lab says ransomware continues to cripple businesses despite heightened awareness.

The CryptoLocker ransomware, for example, is believed to have infected more than 234 000 computers worldwide, the security solutions vendor says.

"The global cyber threat landscape continues to expand and cyber criminals have discovered the malicious encryption of data, followed by a ransom demand, can be highly profitable. Many companies admit they often just pay up," says David Emm, principal security researcher at Kaspersky Lab.

"Ransomware attacks are profitable and increasingly popular with cyber criminals. Businesses often pay up without realising there is no guarantee their data will be unlocked when they do - and there is evidence that poorly-coded ransomware can mean some information is never recovered," he adds.

Ransomware is way too profitable to vanish, says Kaspersky Lab Africa's Riaan Badenhorst.
Ransomware is way too profitable to vanish, says Kaspersky Lab Africa's Riaan Badenhorst.

Emm points out the best way to protect the company's data and assets is to implement comprehensive cyber security measures that cover everything from infrastructure and storage to mobile networks - all accompanied by employee awareness and education.

"Furthermore, it's essential that data is backed up regularly, so the company doesn't find itself in the invidious position of having to choose between paying the ransom or losing data."

Riaan Badenhorst, MD of Kaspersky Lab Africa, says ransomware is way too profitable to vanish.

"It is here to stay - the only thing that changes is how cyber criminals implement it. Ransomware creators are constantly improving their products and implementing more and more evil techniques to escalate their profit."

For example, he explains, modern ransomware hides its command servers in Tor, which makes it really hard for cyber investigators to recover encryption keys. "What's more, criminals even offer customer support to help their victims make payments easily. Not to mention that extortionists work hard on 'distribution solutions' for their malware ? spam and phishing campaigns, huge botnets, etc."

SA targeted

The ransomware and cyber bullying onslaught is gaining momentum worldwide, and South African businesses are falling victim too, says Paul Williams, major account manager at Fortinet.

He points out that while high-profile hacks may dominate headlines, un-publicised attacks are taking place against individuals and companies all the time. "We are seeing more and more targeted attacks happening locally."

The ransomware and cyber bullying onslaught is gaining momentum worldwide, says Fortinet's Paul Williams.
The ransomware and cyber bullying onslaught is gaining momentum worldwide, says Fortinet's Paul Williams.

Williams cites two recent attacks against local companies, where Fortinet was called in to assist. "In both cases, the ransomware came in via e-mail attachments that looked legitimate to the users who received them. The malware could be hidden in an Excel spreadsheet or docx file, and the only clue that the mail was suspicious would come from analysing the sender address."

He explains the users opened the attachments and their machines were locked down by the malware. In one case, the attackers wanted a large sum of money transferred to an anonymous account, while in the other, the demand was for a slightly lesser amount transferred to an anonymous account.

In these cases, the affected companies had backed up the machines, so they reformatted the affected machines and did not pay the ransom. Williams says he is not aware of any company actually paying the ransoms demanded, but attacks such as these do present a risk for substantial losses and reputational damage, and underline the need for stepped up security and awareness within companies.

Login with