A new ransomware program written in Windows PowerShell is being used in attacks against enterprises, including health care organizations, Network World is reporting today. The new ransomware program, dubbed PowerWare, is being distributed to victims via phishing emails containing Word documents with malicious macros, an increasingly common attack technique. The Phishing attack is described as being disguised as an “invoice” and has targeted an unnamed healthcare org. Here to comments on this news are security experts from InfoArmor, Lastline,Proficio and VASCO
Andrew Komarov, Chief Intelligence Officer, InfoArmor:
Windows PowerShell is actively used not just in ransomware, but in many malware samples related to cyber espionage. It provides very flexible functionality to work with a victim’s OS. Many bad actors use script-based scenarios due to the high level of of possible obfuscation and polymorphism in order to bypass security controls on Windows based environments.
Powershell is often one of those things we wish we could go back and unmake! Originally built as an automation tool, it has become one of the attackers tools used. In this case the Macro in the word document calls Powershelgl which then executes a variety of tasks including the downloading and execution of a ransomware script. The Powershelgl script itself is not the malware, its simply the easiest way to retrieve and deliver its payload. Very few users need the use of macros in their office documents. Users should always disable macros or, even better, not open files with macros unless they are 100% certain the file is not malicious. If they receive a file with macros and are unsure, they should contact their IT department to investigate the file. Home users should simply delete the file and move on.Ransomware is a particular class of malware that encrypts the files on a victim’s computer, rendering their files inaccessible. The victim is forced to pay a ransom to regain access, which is what a number of public companies have done recently. A new ransomware strain called Cerber has been in the news for the last few weeks. It is getting a bit of news coverage because it makes novel use of PC speaker and text-to-speech to notify the user their files have been encrypted. We have see other examples or ransomeware that moved rapidly including Teslacrypt which encrypted 10’s of thousands of files in just a few minutes. Fortunate for the customer they had us in a POC so while we were not setup to block the attack we were able to alert them unlike any of the other technologies they had installed or the other vendors in the POC.
The business is the same – encrypt files and demand a ransom, but now cybercriminals are creating new variations of ransomware with PowerWare and Locky using macros to initiate their attacks. We recommend that enterprises step up their vigilance for phishing attacks, disable macros, and – of course – backup their systems. This can be accomplished internally or through a managed security services provider for industrial-strength security.Cybercriminals are clearly targeting healthcare organizations with ransomware attacks. The disruption of patient care as a result of ransomware attacks is a huge risk for healthcare organizations and a bigger concern than the cost of a ransom alone. We recommend healthcare organizations ensure their employees are on the lookout for phishing attacks and monitor their security events around-the-clock. And, of course, backup their data and systems.
The healthcare segment now finds itself in the crosshairs of the same criminal hacking organizations that have been attacking banking organizations for the past decade. This should allow the healthcare organizations to respond and defend themselves much more quickly, but it will also mean a significant increase in their investment in IT security. Consider that some of the largest banks now spend close to a half-billion dollars a year on IT security and healthcare organizations spend only a fraction of that at present.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.