Fileless Ransomware: Powershell Netwalker

Comments
Author

Good to see ransomware authors making their code tiny and efficient. Now if only Windows devs could follow suit.

numbersandreality
Author

I'm about as computer literate as a floppy disk, but I like watching your channel to see what crazy stuff hackers come up with nowadays.

SammieJ
Author

This is not file-less. If it's a PowerShell script, that's a file. If it's browser JS, it is still a file your browser downloaded. If it is an Office macro, it is still a file.
File-less means either (or both) remote code execution and persistence on the network without files. The latter is only extremely advanced APT...

I could accept browser JS as file-less, as it is code execution and sandbox escape without explicit interaction from the user, even though the files are written to cache if anything, but a PowerShell script is not. The files are there, embedded as Base64.

JohnDoe-lnjp
Author

It's actually a Base64 encoded string of commands, not "encrypted". Anyone with the source code can decode and get exactly what command it executes.

dingwen
Author

We use monitoring tools at work that will alert us if a PowerShell command is run with any form of encrypted code, so if needed I assume we could also block those scripts as well. I did notice that it looks like the encrypted text is in Base64 @0:58, so it should be possible to decode the string it encrypted (would be nice to get the full string and see what it is doing in the background; it might actually be downloading and then running an actual binary that's the malware).

jjjacer
Author

One of the first things I do when configuring PCs (for 10 years now) is applying an SRP, aka a whitelist, with GPO (after finishing the image). A whitelist blocks probably 99% of threats even without AV software. It's very easy to configure and a basic protection against all kinds of stuff.

kkx
Author

When Microsoft announced Windows 10 S, today S-mode, they bragged that no known ransomware can infect it. Most only talk about it being limited to Windows Store apps. There is little coverage of S-mode, but one of its features is that it also blocks PowerShell, cmd.exe, and more from running.

Programmer
Author

Could you make a video on how to disable powershell scripts safely for the standard user, Admin, and Super Admin please?

tsujack
Author

I'm sorry, but why do you say that the string is encrypted? It's a Base64 encoded string, but it's not encrypted. You can just use any Base64 decoder to actually read its contents, meaning that you can absolutely read the ransomware's source code.

s_t
Author

To protect yourself against this type of script without disabling PowerShell, you could allow ONLY signed PS scripts in your environment.

binaryblog
Author

LOL, since when are encrypting and encoding the same thing? The PowerShell script takes that Base64 string, decodes it to ASCII and then runs it.

everything-omzx
Author

A lot is wrong about the terminology used here. The payload is not encrypted, it is encoded, which will fail against most modern AV. Also, this is not fileless malware; it is in a .ps1 file. PowerShell "fileless malware" is usually delivered using invoke-webrequest to download the file from a web server, load it into memory and then execute it; in this case the script is stored on the hard disk.

kbto
Author

Trend Micro started to screw up my Windows File Explorer and Boxcryptor over the past 12 months and so I’ve uninstalled it and am now using Windows Defender. I’m not happy about that, but at least it gives me back a usable PC that I only just 2 years ago.

thebritishindian
Author

You say at the end that this kind of ransomware can be detected by your sponsor Acronis, but at 3:00, we can see that Acronis has it as undetected. So, will Acronis protect against this? And I'm not talking about the backup protection Acronis can do, but the malware detection part.
Also, we have Norton on our system and it says that Symantec does detect it, I guess they are one and the same? Lastly, is there any reason not to disable powershell command on regular user computer? Thanks!

davidpepin
Author

"This script file is a fileless ransomware" lol

gearfriedtheswmas
Author

FYI: fileless virus resides in memory like RAM.

VB
Author

Alright, this is actually scary. Because of this, my browser Java has been off by default for years.
Questions
Pages like Wiki have many links. Do they get checked? Is there a filter installed before someone saves the edit?

andyspark
Author

What I want to know is if it is encrypted how does the OS execute it? Base64 is a hash not an encryption so it can be reversed and analyzed. I do also wonder why it doesn't get stopped by the execution policy of the OS? By default script execution is disabled in powershell so only typed commands work. I know you can get around it by using the rubber ducky USB but that is unlikely a method that is often used.

rationalbushcraft
Author

How is this malware distributed?
How can you avoid even downloading it?

kim-hendrikmerk
Author

Could you make a video about UEFI malware, how UEFI gets infected and how to defend against it?

schemata