We’re huge fans of the flexibility of Windows’ PowerShell scripting language, but we’ve never contemplated using it to write malware. That hasn’t stopped one group of enterprising criminals from building PowerShell-based ransomware aimed at Russian computer users, but fortunately it turns out PowerShell can also be used to remedy the issue.
Sophos’ Naked Security blog details how the malware works: it installs a PowerShell script (downloading PowerShell if it’s not already on the system), uses it to encrypt files on the target machine, and then demands a payment of more than $300 to decrypt that data. Nasty.
Fortunately, as the post points out, undoing the actions of the malware is also possible using PowerShell:
In both cases the encryption key can be recovered without paying for it. In fact, this can be done using the same PowerShell tool that the attackers used.
Hit the post for a more detailed description of the malware and how to remove it (if your existing security solution didn’t already detect and block it).
Russian ransomware takes advantage of Windows PowerShell [Naked Security]