Ransomware - just how do they do it


(Edwin Eekelaers) #1

After reading a new blog post from @stus I started thinking why in the world haven’t they considered PowerShell yet. Honesty forces me to say that I’ve been thinking about this for a few weeks now, not for the purpose of being the first one here to make a new strain of ransomware but to figure out how they go at it.

Has anyone had those thoughts yet (wanting to know how it works) in order to protect oneself better?

Based on an old blog from Dave Wyatt found in Microsoft’s Script Center, combined with a post found on the Idera community pages and a bit of home-brew code, I’m pretty sure one can create something with equal destructive powers. If you want to read that blog on Idera then go to the link provided and search for “Remotely Executing Applications on Behalf of Someone Else”.

So assuming you can get the job to execute under someone else’s credentials you should be able to access different sets of files and wouldn’t even be requiring admin privileges. Then populate a list of assigned drive letters and for each one found you start executing the nasty bit.
The proverbial pot of gold would of course be if you were able to execute the code on a machine where someone’s logged in with Domain Admin credentials or, even worse, Enterprise Admin.
That’s why some keep nagging to give users as little access as possible in order to do their job. The more they get, the bigger the risk becomes.

You may notice that I do not post code this time as I don’t want to give anyone the code that might be used for this. I’d like to use this to start a discussion from which we all can learn how to protect ourselves better.
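A defender-side exposure audit, added here as an example and not code posted by anyone in this thread: it reports whether the current session belongs to a privileged group and which file-system drives that session can write to, so an administrator can see how much a compromised session of that user could reach. The group-name patterns and the throw-away probe file are assumptions; run it as the user whose exposure you want to measure.

```powershell
# Added example (not from the thread): measure what a compromised session of the
# current user could reach. Assumptions: privileged groups are matched by their
# default Windows names; write access is probed with a uniquely named temp file.

function Get-SessionPrivilegeReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Translate each group SID to a name; unresolved SIDs fall back to the raw SID string.
    $groups = foreach ($g in $identity.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
    }

    # Assumed group names for the high-impact memberships the post talks about.
    $highRisk = $groups | Where-Object {
        $_ -match 'Domain Admins$|Enterprise Admins$|Schema Admins$|\\Administrators$'
    }

    [pscustomobject]@{
        User           = $identity.Name
        IsLocalAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        HighRiskGroups = @($highRisk)
    }
}

function Test-DriveWritable {
    param([Parameter(Mandatory)][string]$Root)

    # Probe with a GUID-named file so nothing that already exists is touched, then clean up.
    $probe = Join-Path $Root ("exposure-audit-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-DriveExposureReport {
    # Only file-system drives matter here; unready or read-only media report as not writable.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $root     = $_.Root
        $writable = (Test-Path -LiteralPath $root) -and (Test-DriveWritable -Root $root)
        [pscustomobject]@{
            Drive     = $_.Name
            Root      = $root
            Writable  = $writable
            IsNetwork = [bool]$_.DisplayRoot   # DisplayRoot is set for mapped network drives
        }
    }
}

# Usage: run in the session you want to assess.
$priv = Get-SessionPrivilegeReport
$priv | Format-List
if ($priv.HighRiskGroups.Count -gt 0) {
    Write-Warning "This session holds privileged group membership; anything running in it inherits that."
}
Get-DriveExposureReport | Format-Table -AutoSize
```

The point of the report is the least-privilege argument in the post: every drive listed as writable, and every privileged group listed, is reach that any code running as this user would inherit. Trimming those is what shrinks the blast radius.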


(Will Jeansonne) #2

Hi Edwin,

It’s not the medium so much that Stu or KnowBe4 focuses on, it’s the end result of malware and phishing attacks that it helps try to prevent. That is, KnowBe4 is a security training and awareness outfit more than anything else and focuses on the human aspect of information security at this point in time. That’s not to say there won’t be products or services that directly address PowerShell, PHP and hacker tools of choice, just not now. :wink:


(Edwin Eekelaers) #3

I know that of course @Will but in my humble way I am trying to kick some chins and wake up people to the fact that too many things are possible. In order to keep it nice to the community I am not posting the code I have in my possession. The only way people can understand security truly is if they know how bad things can happen. As part of my quest for knowledge and ability to help people secure themselves against these bad things I am looking into it in an enclosed, off-the-grid way. Once I understand the methods behind it I can be a better help to others. Hope I didn’t overstep the boundaries here. My idea is that one has to know how the enemy works in order to protect oneself better against them. To explain it further to anyone who reads this: I have only one year’s worth of experience in coding, and if with that limited knowledge I can design something that does bad things then it means there is a long way to go to protect us against these things, and that is part of the training. In short, and to paraphrase the X-Files: trust no one.


(Kevin Hargrove) #4

Hackers are already using PowerShell and have been since it was released. If you look at reports from Carbon Black from last year, 68% of their customer base that was surveyed indicated they had encountered PowerShell as part of an attack. Endpoint security providers don’t really address PowerShell. Having said that, 87% of those attacks were the result of click-fraud, ransomware, fake anti-virus programs, and good old social engineering. The real threat vector was the human on the end of the keyboard or lax system administrators that allowed unpatched code to be exploited in a drive-by attack. The hackers have an array of tools that can be used to penetrate systems and the list only continues to grow. In the end, it seems however that humans are still the weakest link in the chain regardless of the tools hackers choose to use. Develop a security application that can eliminate human error, sign me up as a tester, and we’ll all retire!


(Edwin Eekelaers) #5

Now that is the kind of answer I was looking for. In general those thugs use Java code triggered from a social-engineered mail to trigger a download from PS code with its bad payload.
I have been pondering (and my initial write-up may have been expressed not entirely the way it should have been, because I am in essence a script geek). So yes, please keep spilling ideas and thoughts. It could lead to a better understanding for all of us about the dangers and how we can protect ourselves. In my studies I have been baffled how easy it is to write code that has malicious intent. Therefore you will not be seeing the code, as that would not be the true idea why I wrote this.


(Warren White M.S. Cybersecurity) #6

Thank you, Edwin!

I have learned that the best way to retain information on anything is to simply learn more about it. That way, something has to stick, or at least there is a better chance that you will remember something about it. I am new to the script world and want to learn more about it. What better way to defend against something than to know exactly how it happened in the first place. I now have new goals in mind to help me achieve a better understanding of what is out there and areas to focus on so that I am not wandering around the Internet. Good topic.