Carbon Black last week released a report on "PowerWare", RansomWare that uses PowerShell to do its dirty work. Why is this important? By using PowerShell the RansomWare can be 100% fileless, meaning no malware binary needs to be dropped onto the system and stored on disk. It can drop a file, but it does not have to; it just runs PowerShell commands to encrypt your data!
So how do you detect this condition or attack?
First, the malware is delivered in malicious (macro-enabled) Word documents, so your email gateway might be able to scan and detonate these types of documents in a sandbox. Most email gateways do not detonate attachments without a usually expensive add-on feature, so of course, more $$$.
You can enable logging per the "Windows Logging Cheat Sheet" found here:
And once your logs and auditing are configured, alert on the following with your log management solution:
1. Execution of VSSAdmin.exe
2. Execution of a PowerShell bypass
VSSAdmin is used by the RansomWare to delete the volume shadow copies from your system, making recovery without backups impossible. The PowerShell bypass is used to get around any execution policy you might have set to keep PowerShell scripts from running. The execution policy was never designed as a security boundary (Microsoft says so in its own docs), so any user can override it per process with a documented command-line switch. Yes, Microsoft included a built-in way to bypass PowerShell script restrictions... YAY #FAIL
You would look for the following in the 'Process Command Line' field of the Process Creation events (Event ID 4688) being executed. Note that powershell.exe switches are case-insensitive and can be abbreviated (-ep, -nop, -w), so match on the short forms too:
- -ExecutionPolicy Bypass -NoProfile
- and possibly -WindowStyle Hidden
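The two alerts above as a reusable check, written here as an added example (not code from the original post or from the Carbon Black report). The regexes, the rule names and severities, and the sample command lines are my own; the only things taken from the page are the VSSAdmin and ExecutionPolicy indicators and the 4688 'Process Command Line' source.

```powershell
# Added example, not from the original post. Detection rules for the two
# indicators above plus the two weaker PowerShell switches. -match is
# case-insensitive, and the patterns accept the abbreviated switch forms.
$SuspiciousCommandLineRules = @(
    @{ Name     = 'VSSAdmin shadow copy deletion'
       Severity = 'High'
       Pattern  = '\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b' },
    @{ Name     = 'PowerShell execution policy bypass'
       Severity = 'High'
       Pattern  = '-(ep|exec|executionpolicy)\s+bypass\b' },
    @{ Name     = 'PowerShell hidden window'
       Severity = 'Low'
       Pattern  = '-(w|win|windowstyle)\s+hidden\b' },
    @{ Name     = 'PowerShell profile skipped'
       Severity = 'Low'
       Pattern  = '-(nop|noprofile)\b' }
)

# Returns one object per rule that matches the given command line
# (nothing at all for a clean command line).
function Test-SuspiciousCommandLine {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($rule in $SuspiciousCommandLineRules) {
        if ($CommandLine -match $rule.Pattern) {
            [pscustomobject]@{
                Severity    = $rule.Severity
                Rule        = $rule.Name
                CommandLine = $CommandLine
            }
        }
    }
}

# Constructed sample command lines (not captured events). The fourth is a
# legitimate admin script: it should only trip the Low 'profile skipped'
# rule, not the High ones.
$Samples = @(
    'vssadmin.exe Delete Shadows /All /Quiet',
    'powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\Users\Public\y.ps1',
    'powershell.exe -nop -w hidden -ep bypass -c "Get-ChildItem C:\Users -Recurse"',
    'powershell.exe -NoProfile -File C:\Scripts\Get-Inventory.ps1',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
$Samples | ForEach-Object { Test-SuspiciousCommandLine -CommandLine $_ } |
    Format-Table Severity, Rule, CommandLine -AutoSize

# Live use on Windows (elevated, with command-line auditing enabled per the
# cheat sheet): read Security log Process Creation events, ID 4688, and run
# the same rules over the <Data Name="CommandLine"> element of each event.
function Get-SuspiciousProcessEvent {
    [CmdletBinding()]
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $evt = $_
            $xml = [xml]$evt.ToXml()
            $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd) {
                Test-SuspiciousCommandLine -CommandLine $cmd |
                    Add-Member -NotePropertyName TimeCreated -NotePropertyValue $evt.TimeCreated -PassThru
            }
        }
}
```

The sample run fires the High rules only on the first three lines; the inventory script trips the Low rule alone, which is the point of splitting severities, since -NoProfile on its own is common in legitimate scheduled tasks. Call `Get-SuspiciousProcessEvent | Format-Table -AutoSize` on a box with 4688 and command-line auditing turned on to run the same rules against real events.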
Prevention - Whitelisting: Whitelisting is about the only protection you have from RansomWare other than GREAT backups!!!
You can set up Software Restriction Policies, found on all versions of Windows except the Home editions, for FREE! Just deny execution of:
- You can do this for other directories too and make exceptions for what you want to execute
Both Software Restriction Policies and AppLocker write blocks (or, in audit-only mode, would-be blocks) to their respective logs: the Application log for Software Restriction Policy violations (Event IDs 865 to 868), and the AppLocker 'EXE and DLL' log under Applications and Services Logs - Microsoft - Windows - AppLocker (Event ID 8004 for a block, 8003 for an audit-mode would-be block). Forward both to your log management solution.
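One way to pull those block events off a host, as an added example that is not code from the original post. The log names and event IDs are the standard ones for SRP and AppLocker; the function name, the time window and the loose provider-name match (the SRP source is spelled with and without spaces depending on the Windows version) are my own choices.

```powershell
# Added example, not from the original post. Collects SRP and AppLocker
# block events from the two logs named above for the last N hours.
function Get-WhitelistBlockEvent {
    [CmdletBinding()]
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Software Restriction Policies: Application log, IDs 865-868.
    # -ErrorAction SilentlyContinue swallows Get-WinEvent's "No events
    # were found" error so an empty window is not a failure.
    $srp = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
               LogName = 'Application'; Id = 865, 866, 867, 868; StartTime = $since } |
           Where-Object { $_.ProviderName -match 'Restriction\s*Policies' } |
           ForEach-Object {
               [pscustomobject]@{
                   Time    = $_.TimeCreated
                   Source  = 'SRP'
                   Id      = $_.Id
                   Mode    = 'Enforced'
                   Message = $_.Message
               }
           }

    # AppLocker: 8004 = blocked, 8003 = would have been blocked (audit mode).
    $applocker = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                     LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004; StartTime = $since } |
                 ForEach-Object {
                     $mode = if ($_.Id -eq 8004) { 'Enforced' } else { 'Audit' }
                     [pscustomobject]@{
                         Time    = $_.TimeCreated
                         Source  = 'AppLocker'
                         Id      = $_.Id
                         Mode    = $mode
                         Message = $_.Message
                     }
                 }

    # Wrap both in @() so a single result or no result still concatenates.
    @($srp) + @($applocker) | Where-Object { $_ } | Sort-Object Time
}

# Usage: last three days of blocks and audit-mode near-misses.
Get-WhitelistBlockEvent -Hours 72 | Format-Table Time, Source, Id, Mode -AutoSize
```

Run AppLocker in audit mode first and watch for 8003 events: they tell you what your rules would break before you flip to enforcement, which is the usual reason whitelisting projects stall.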
There you go; you had better start logging PowerShell if you are going to keep up with the malwarians and this crypto RansomWare!
Carbon Black article on PowerWare
#InfoSec #IncidentResponse #RansomWare