
Who’s afraid of new Windows ransomware using PowerShell?

April 4, 2016


According to network security company Carbon Black, a new kind of ransomware has been discovered which is exploiting the PowerShell scripting language that has been built into the Windows operating system since 2006.

This new ransomware, which Carbon Black has dubbed “PowerWare”, is limited to affecting Windows computers, beginning with Windows XP running Service Pack 2 (when PowerShell was introduced). Furthermore, it should only be an issue where users have deliberately escalated the default execution policy of PowerShell scripts.

This suggests that the malware is less aimed at ordinary Windows users than at Windows computer networks where administrators are more likely to have loosened the restrictions on PowerShell scripts.

However, it also requires users to be dumb enough, not only to open Word Documents received in email over the Internet but also to physically turn off Microsoft’s Protected View mode (designed to protect users from Word documents received over the Internet). And this hardly sounds like network administrators to me.

After all these years, a macro in a Word doc still catches people?


In March of 1999, the Melissa macro virus (just a macro script hiding in a Microsoft Word document) began propagating through email attachments until it had infected something like 20 percent of all Windows computers.

Almost exactly 17 years later, this new PowerShell-exploiting ransomware begins with a macro script hiding in another Word document attached to an email message.

However, in the wake of Melissa and dozens of subsequent scripting viruses, Windows now opens all Word documents originating from the Internet in yellow-bannered Protected View, which renders them read-only and ensures that any macro scripts and executable content they may contain cannot run.

Carbon Black says that the malicious Word Documents explicitly tell users to click the “Enable Editing” button in the yellow banner. This turns off Protected View and allows the Word document’s macro to launch two instances of PowerShell, which will, in their turn, try to download and install the ransomware.

By rights though, the process should grind to a halt right there for the vast majority of Windows users.

PowerShell, a command-line environment that runs behind the Windows graphical user interface for the benefit of systems administrators and other power users, is supposed to be set, by default, not to run any downloaded PowerShell scripts.

As soon as I read the post on Carbon Black’s website, I double-checked to confirm that this was the default PowerShell execution policy on my Windows 8 laptop.

This involved going to the Windows Start Search and typing “Powershell” to find and launch Windows PowerShell.

Theoretically, even if I stupidly allowed a Word document to run a macro script, the PowerShell scripts still wouldn't run.

At the blinking prompt in the black window that appeared, I typed “Get-ExecutionPolicy” and hit the Enter key. This returned the word “Restricted” which meant that yes, my Windows computer would not run any PowerShell scripts, downloaded or otherwise.

There are actually four PowerShell execution levels to choose from:

  • Restricted—No scripts can be run. Windows PowerShell can be used only in interactive mode.
  • AllSigned—Only scripts signed by a trusted publisher can be run.
  • RemoteSigned—Downloaded scripts must be signed by a trusted publisher before they can be run.
  • Unrestricted—No restrictions; all Windows PowerShell scripts can be run.

The level can be changed in PowerShell by typing “Set-ExecutionPolicy” followed by a space and one of the four levels, typed exactly as shown above. Windows only asks for a “Y” (“yes”) and “Enter” to confirm the change, whereas Linux would certainly require the user’s password to validate such an escalation of user privilege.
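The check described above, carried a little further, as an added example that is not part of the original post or of Carbon Black’s write-up: it lists the execution policy at every scope (a Group Policy setting can override what a user sees from a bare Get-ExecutionPolicy), warns when the effective policy is Unrestricted, tightens the machine-wide policy to RemoteSigned without the “Y” prompt, and turns on PowerShell script block logging so that any script that does get launched, for instance by a Word macro, leaves a record in the event log. It assumes an elevated (administrator) PowerShell prompt, PowerShell 5.0 or later for the logging step, and, in the optional Word macro check, an Office 2016 registry path (the `16.0` version number is an assumption; adjust it for the installed version).

```powershell
# Added example (not from the original post): audit and harden the PowerShell
# execution policy, then enable logging so executed scripts are recorded.
# Assumes an elevated prompt; the logging step needs PowerShell 5.0 or later.

# 1. Show the policy at each scope. The effective policy is the first scope,
#    reading top to bottom, that is not Undefined, so a loose setting pushed
#    down by Group Policy (MachinePolicy/UserPolicy) wins over the user's own.
Get-ExecutionPolicy -List

# 2. The one-liner from the post: the effective policy on this machine.
$effective = Get-ExecutionPolicy
Write-Host "Effective execution policy: $effective"

# 3. Of the four levels the post lists, Unrestricted is the one an
#    administrator would have had to choose deliberately; call it out.
if ($effective -eq 'Unrestricted') {
    Write-Warning "Downloaded scripts can run unsigned. Consider RemoteSigned or AllSigned."
}

# 4. Tighten the machine-wide policy. RemoteSigned still lets locally written
#    admin scripts run but requires a trusted signature on anything downloaded.
#    -Force suppresses the Y/N confirmation the post describes.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 5. Enable script block logging. Executed script content is then written to
#    the Microsoft-Windows-PowerShell/Operational log as Event ID 4104.
$logKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $logKey)) { New-Item -Path $logKey -Force | Out-Null }
Set-ItemProperty -Path $logKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 6. Review the most recent script block events (the snippet column shows the
#    start of each logged script so a download-and-run stub stands out).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }

# 7. Optional: check Word's macro setting for the current user.
#    VBAWarnings 1 = enable all macros (dangerous), 2 = disable with
#    notification (Office default), 3 = signed only, 4 = disable all.
#    The 16.0 path is an assumption for Office 2016; change it to match.
$wordKey = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
if (Test-Path $wordKey) {
    $macros = (Get-ItemProperty -Path $wordKey -ErrorAction SilentlyContinue).VBAWarnings
    if ($macros -eq 1) {
        Write-Warning "Word is set to run all macros without prompting."
    } else {
        Write-Host "Word VBAWarnings setting: $macros (absent means the Office default)"
    }
}
```

Step 1 is the part worth keeping in mind even on a machine that reports Restricted: a domain-joined laptop can have a permissive policy applied by Group Policy, and the -List view is the only place that shows it. Step 5 does not block anything on its own; it is there so that a PowerShell launch from a document macro is visible after the fact rather than invisible.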

The bottom line is that this ransomware appears to only affect the small percentage of Windows users that will have turned on PowerShell script execution.

Ransomware is growing but it’s still a Windows thing

Ransomware is an expanding category of malicious software designed to take illegal control of a computer device away from its legitimate owner. This is usually accomplished by somehow encrypting access to the files. Users are then directed to pay a ransom in bitcoins in order to get the numeric key needed to decrypt their files and regain control of their computer.

So far, ransomware has principally targeted institutional Windows users, such as government agencies and police departments (especially small U.S. police departments):

The new ransomware identified by Carbon Black fits this pattern because it clearly exploits a feature principally used by system administrators looking after networked Windows computers.

In fact, almost all of the known ransomware programs target Windows-based computers. The first fully functional ransomware aimed at Mac OS X was discovered and taken down by Apple only this month. And so far, attempts to create ransomware targeting Linux have been easy-to-crack failures. The first true encryption ransomware for Android, called Simplocker, appeared two years ago in 2014, but it’s unclear how many more have appeared since then or if there is even one ransomware app targeting iOS.

Nothing to fear about ransomware except fear itself

The prospect of having all the files on one’s laptop computer, or computer network for that matter, suddenly becoming inaccessible because of a ransomware attack might seem frightening and certainly the FBI has been pumping up the fear of ransomware as part of its war against encryption.

However, I would argue that it serves no useful purpose to think of ransomware as a crime or as terrorism or anything other than a kind of potential hard drive failure.

It’s certainly true that any computer users that are properly equipped with backup solutions that protect them against data loss through hard drive failure have little or nothing to fear from ransomware.

We could all potentially avoid ransomware and almost all other kinds of malware on the Internet if we only followed three simple rules:

  1. Never download anything off the Internet.
  2. Never open email attachments.
  3. Never click links in email.

The first rule is tantamount to staying off the Internet altogether (which is a thought) and the second and third rules are difficult to stick to if you have any friends or if you need to collaborate with others on work projects.

The only surefire and practical safeguard against ransomware and the worst malware is to routinely make a backup image of your healthy hard drive to an external USB drive, using a disk imaging utility, such as Acronis True Image (USD$49.99) for Windows, or Carbon Copy Cloner (USD$40) for Macintosh. With this sort of insurance in your hip pocket, you needn’t fear a hard drive crash, ransomware, or any other major malware infection.

Obviously such a backup scheme should be an absolute necessity for larger organizations and I have no sympathy for any of the police departments or other public institutions that have been caught flatfooted by ransomware simply because they neglected their responsibility to properly back up their servers and networks. They got off cheap.

If I sound a bit preachy on the subject it’s because in the 12 years that I did purely computer-based graphic design for a living, I took backups quite seriously and lost exactly 12 kilobytes (one GIF file) to three hard drive failures.

For cost-conscious single users, there are free imaging utilities available for every platform that will do the job of both imaging and restoring hard drives perfectly well but these are never quite as easy to use, or as full-featured, or as well-documented as their commercial equivalents.

And you will still need to at least buy an external hard drive that equals the size of the internal hard drive that you are imaging.

Here are step-by-step instructions for using Mac OS X’s built-in Disk Utility to image a Mac hard drive. And HowToGeek has provided good instructions for using Macrium Reflect Free to image a Windows hard drive. And there is always Clonezilla Live, a free open source Linux tool that you boot your computer off, which can be used to create an image of most any hard drive (and restore same), whether it’s formatted with a version of Windows, Linux, Unix or Mac OS X.
