Search This Blog

Tuesday, March 29, 2016

PowerShell RansomeWare via Word Docs starting to rear its ugly head - completely detecable

Carbon Black last week released a report that PowerShell is being used in RansomWare attacks.  Why is this important?  By using PowerShell the RansomWare can be 100% diskless, meaning no malware binary needs to be dropped onto the system and stored on disk.  It can, but does not have to, it just uses PowerShell commands to encrypt your data!

So how do you detect this condition or attack?

First, the malware is delivered in Malicious Word documents, so your email gateway might be able to scan and execute these type of documents.  Most Email gateways do not detonate attachments without a usually expensive add-on feature, but of course, more $$$.

You can enable logging per the "Windows Logging Cheat Sheet" found here:
 And once your logs and auditing is configured, alert on the following with your Log Management solution;

1.  Execution of VSSAdmin.exe
2.  Execution of a PowerShell bypass

VSSAdmin is used to delete the volume shadow copies from your system by the RansomWare to make recovery without backups impossible.  The PowerShell bypass is used to bypass any restrictions you might have to keep PowerShell scripts from running.  Yes, Microsoft incldued a backdoor to execute PowerShell commands... YAY #FAIL

You would look for the following in the 'Process Command Line' being executed;
  • ExecutionPolicy bypass -noprofile
  • and possibly -windowstyle hidden
The first bullet will definitely alert you to PowerShell nefarious behavior, the hidden window may be used by admins to do maintenance items, so secondary on the alert.

Prevention - Whitelisting: 

Whitelisting is about the only protection you have from RansomWare other than GREAT backups!!!
You can setup Software Restriction Policies found on all versions of Windows except Windows Home versions for FREE!  Just deny execution of:
  • C:\Users\* 
  • You can do this for other directories too and make exceptions for what you want to execute
You can also use AppLocker to block an unknown executable or script.  AppLocker requires Windows Ultimate or Windows Enterprise.  There is an audit mode for AppLocker so you can test and allow what normally runs before enforcing the policy to block.

Both Software Restriction Policies and AppLocker write blocks or potential blocks to their respective logs.  The Application Log for Software Restriction Policy violations and the AppLocker 'EXE and DLL' Log under Applications and Services - Microsoft Windows log.

There you go, you better start logging PowerShell if you are going to keep up with the malwarians and this Crypto RansomWare!

Carbon Black article on PowerWare 

Happy Hunting

#InfoSec #IncidentResponse #RansomWare