Ransomware

Share this post

PowerShell: Great Ransomware Tool or Greatest Ransomware Tool?

ransomwaresommelier.com

Discover more from Ransomware

My thoughts about ransomware
Continue reading
Sign in

PowerShell: Great Ransomware Tool or Greatest Ransomware Tool?

Part 1 of a 3 Part Series

Allan Liska
Sep 19, 2023
1
Share this post

PowerShell: Great Ransomware Tool or Greatest Ransomware Tool?

ransomwaresommelier.com
Share

It is almost impossible to talk about ransomware attacks without talking about PowerShell. The use of PowerShell is ubiquitous in ransomware campaigns at almost all phases of attack from initial access, to network scanning, to data theft and even encryption.

This is the first of a 3 part series. In this post I am going to go over how IABs and Ransomware operators use PowerShell during attacks. The next post will cover how to limit access to PowerShell in your network and the 3rd post will cover how to threat hunt for malicious PowerShell usage.

Thanks for reading Ransomware! Subscribe for free to receive new posts and support my work.

Why does this malware have an umbrella? Image credit JulsIst

The use of PowerShell starts with initial access. For example, Palo Alto’s Unit 42 documented IcedID’s use of PowerShell during the installation phase. After a victim downloads the trojanized malware it executes a PowerShell script to download the IcedID loader.

The Ukraine Cert documents the use of PowerShell during the installation of SmokeLoader. The installation includes a JavaScript file that uses a PowerShell script to download the malicious executable.

On the ransomware operator side, CISA reports that the BianLian ransomware group uses PowerShell to disable security tools using the following code:

[Ref].Assembly.GetType(‘System.Management .Automation.AmsiUtils’).GetField(‘amsiInitFaile d’,’NonPublic,* Static’).SetValue($null,$true)

Unit 42 also documents how Vice Society used a PowerShell script to automate the process of exfiltrating files from victim networks.

LockBit has also used PowerShell to distribute and execute their ransomware payload. The team at Packt does a nice job of documenting those LockBit scripts.

While these examples are specific to these ransomware groups, the reality is that many different groups use PowerShell to carry out the same tasks and more. Securing PowerShell in your network and hunting for malicious used of PowerShell can go a long way to protect you from ransomware attacks. I’ll talk more about how to do that in the next two posts.

Thanks for reading Ransomware! Subscribe for free to receive new posts and support my work.

1
Share this post

PowerShell: Great Ransomware Tool or Greatest Ransomware Tool?

ransomwaresommelier.com
Share
Top
New

No posts

Ready for more?

© 2023 Allan Liska
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing