A new ransomware program written in Windows PowerShell is being used in attacks against enterprises, especially healthcare organizations.
The ransomware, dubbed PowerWare, is being distributed to victims via phishing emails containing Word documents with malicious macros, an increasingly common attack technique. The phishing attack is being disguised as an "invoice.”
According to Carbon Black, PowerWare targets organizations via Microsoft Word and PowerShell. PowerShell is the scripting language inherent to Microsoft operating systems.
“PowerWare is a new instance of ransomware utilizing native tools, such as PowerShell on operating systems,” the company said in an advisory. “Traditional ransomware variants typically install new malicious files on the system, which, in some instances, can be easier to detect. PowerWare asks PowerShell, a core utility of current Windows systems, to do the dirty work. By leveraging PowerShell, this ransomware attempts to avoid writing new files to disk and tries to blend in with more legitimate computer activity.”
Deceptively simple in code, PowerWare is a novel approach to ransomware, reflecting a growing trend of malware authors thinking outside the box in delivering ransomware.
"Windows PowerShell is actively used not just in ransomware, but in many malware samples related to cyberespionage,” said Andrew Komarov, chief intelligence officer at InfoArmor, in an email. “It provides very flexible functionality to work with a victim's OS. Many bad actors use script-based scenarios due to the high level of possible obfuscation, and polymorphism in order to bypass security controls on Windows based environments."
Brian Laing, VP of business development and products at Lastline, explained how it works, via email: "Powershell is often one of those things we wish we could go back and unmake! Originally built as an automation tool, it has become one of the attackers’ tools used. In this case, the macro in the word document calls Powershelgl, which then executes a variety of tasks including the downloading and execution of a ransomware script.”
The Powershelgl script itself is not the malware, its simply the easiest way to retrieve and deliver its payload. The development shows that cyber-criminals are creating new variations of ransomware using macros to initiate their attacks.
Enterprises should step up their vigilance for phishing attacks, should disable macros, and—of course—backup their systems.
“Very few users need the use of macros in their office documents,” said Laing. “Users should always disable macros or, even better, not open files with macros unless they are 100% certain the file is not malicious. If they receive a file with macros and are unsure, they should contact their IT department to investigate the file. Home users should simply delete the file and move on."
Photo © Leo Wolfert