Symantec has learned of a new crypto ransomware threat ( ) that is infecting computers in Australia. The malware encrypts images, videos, documents, and more on the compromised computer and demands up to AU$1,000 (US$791) to decrypt these files.

On analysis, we discovered that the theme used in this attack was styled around the now famous TV show Breaking Bad. The malware authors cooked up their ransom demand message using the ‘Los Pollos Hermanos’ branding image found in the show. Along with this, part of the email address used in the extortion demand is based on a quote by the show’s protagonist Walter White, who declared "I am the one who knocks."

Figure 1.

We believe that the crypto ransomware uses social engineering techniques as a means of infecting victims. The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name. This zip archive contains a malicious file called ‘PENALTY.VBS’ ( ) which, when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file.

Based on our initial analysis, the threat appears to be using components of, or techniques similar to, an open-source penetration-testing project that uses Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.

The malware encrypts files using a random Advanced Encryption Standard (AES) key. This key is then encrypted with an RSA public key, so victims can only decrypt their files by obtaining the private key from the attackers. The crypto ransomware targets files with the following extensions for encryption:

The ransom demand links to a legitimate video tutorial on how to obtain Bitcoins. The attackers did this to assist victims with paying the ransom.

Figure 2.

The threat also opens another YouTube video in the background.
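The infection chain described above (a courier-themed zip archive carrying a script such as ‘PENALTY.VBS’) is the point where a mail gateway can stop this threat. The following is an added triage example, not Symantec's code or tooling; the script suffixes beyond .VBS and the lure keywords are the editor's assumptions, and the sample archive is constructed with placeholder content.

```python
"""Triage a zip e-mail attachment for the lure pattern described above.

Constructed example: a delivery-themed archive name carrying a script
(here 'PENALTY.VBS') is flagged before it reaches a user.
"""
import io
import zipfile

# File types Windows runs when double-clicked. The page names only .VBS;
# the remaining suffixes are the editor's assumption.
SCRIPT_SUFFIXES = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".exe", ".scr")
# Generic delivery-themed words (constructed; the page names no firm).
LURE_KEYWORDS = ("delivery", "parcel", "shipment", "tracking", "courier", "penalty")


def triage_zip_attachment(archive_name: str, data: bytes) -> dict:
    """Return {'verdict': 'block' | 'review' | 'allow', 'reasons': [...]}."""
    reasons = []
    if any(k in archive_name.lower() for k in LURE_KEYWORDS):
        reasons.append(f"archive name looks like a delivery lure: {archive_name}")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.endswith("/"):
                    continue  # directory entry, nothing to run
                lower = name.lower()  # Windows matches extensions case-insensitively
                if lower.endswith(SCRIPT_SUFFIXES):
                    reasons.append(f"executable script inside archive: {name}")
                elif lower.endswith(".zip"):
                    reasons.append(f"nested archive: {name}")
    except zipfile.BadZipFile:
        reasons.append("attachment claims to be a zip but does not parse")
        return {"verdict": "review", "reasons": reasons}
    script_hit = any(r.startswith("executable script") for r in reasons)
    verdict = "block" if script_hit else ("review" if reasons else "allow")
    return {"verdict": verdict, "reasons": reasons}


def build_sample_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: text}; a constructed stand-in, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive({"PENALTY.VBS": "' placeholder text, not the real downloader\n"})
    result = triage_zip_attachment("Courier_Delivery_Notice.zip", sample)
    print(result["verdict"], *result["reasons"], sep="\n  ")
```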