Ransomware is one of the most blatant and obvious money-making schemes for cybercriminals, and it became widely known last year when the Cryptolocker ransomware targeted millions of computers worldwide.

Recently, security researchers at the antivirus firm TrendLabs have unearthed another sophisticated variant of the ransomware malware which is employing Windows PowerShell in an effort to encrypt files on the victims' computer. The firm detected the variant as TROJ_POSHCODER.A.

Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language. It provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems, as well as WS-Management and CIM, enabling management of remote Linux systems and network devices.

It is believed that cybercriminals used this Windows feature in order to make the detection and analysis of the malware harder on an affected system. However, they failed at this point, as using the Windows PowerShell feature made it much easier for the researchers to detect the malware.

"In this case, using PowerShell made it easier to detect as this malware is also hard-coded," reads the blog post. "Decrypting and analyzing this malware was not too difficult, particularly compared to other ransomware variants."

TROJ_POSHCODER.A is a script-based malware, since it uses the Windows PowerShell feature. The malware makes use of the Advanced Encryption Standard (AES) to encrypt the files, and RSA-4096 public key cryptography to exchange the AES key with the victims in order to decrypt the files.

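The two points above, that the script is hard-coded and that it pairs AES with an RSA-4096 public key, are exactly what a defender can key on when triaging PowerShell scripts found on an endpoint. The following is an added example of such a static heuristic, written for this page and not part of TrendLabs' analysis or tooling. The .NET class names it looks for are real types PowerShell can instantiate; the 40-character base64 threshold, the requirement that all indicator groups co-occur, and both sample scripts (a constructed benign admin script and a constructed declaration-only skeleton with the traits described) are assumptions made for the example.

```python
"""Static triage of PowerShell script text for the traits the page describes:
a hybrid AES + RSA scheme built on .NET crypto classes, key material hard-coded
into the script, and file enumeration/rewrite cmdlets in the same file.
Added example, not TrendLabs' detection logic."""
import re
from dataclasses import dataclass, field

# .NET symmetric-cipher types a PowerShell script would instantiate for AES.
SYMMETRIC_APIS = ("AesManaged", "AesCryptoServiceProvider", "RijndaelManaged")
# .NET asymmetric types / calls used to load an RSA public key.
ASYMMETRIC_APIS = ("RSACryptoServiceProvider", "RSA.Create", "FromXmlString")
# Cmdlets and methods that enumerate or rewrite files on disk.
FILE_APIS = ("Get-ChildItem", "Rename-Item", "Set-Content", "WriteAllBytes")
# A quoted base64 run of 40+ characters (assumption: long enough to hold a
# 256-bit key or a chunk of an RSA key blob) counts as embedded key material.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')


@dataclass
class TriageResult:
    symmetric: list = field(default_factory=list)
    asymmetric: list = field(default_factory=list)
    file_ops: list = field(default_factory=list)
    embedded_keys: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Flag only the combination: both cipher families, hard-coded key
        # material and file enumeration/rewrite in one script. Any single
        # group on its own is common in legitimate admin scripts.
        return bool(self.symmetric and self.asymmetric
                    and self.embedded_keys and self.file_ops)


def triage_script(text: str) -> TriageResult:
    """Return which indicator groups the script text matches."""
    return TriageResult(
        symmetric=[a for a in SYMMETRIC_APIS if a in text],
        asymmetric=[a for a in ASYMMETRIC_APIS if a in text],
        file_ops=[a for a in FILE_APIS if a in text],
        embedded_keys=B64_LITERAL.findall(text),
    )


# Constructed sample: an ordinary log-rotation script (file ops, no crypto).
BENIGN_SCRIPT = """
Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 10MB |
    Rename-Item -NewName { $_.Name + '.old' }
"""

# Constructed sample: declarations only, with the traits the page describes.
# The 44-character base64 literal is an arbitrary placeholder, not a real key.
SUSPICIOUS_SCRIPT = """
$aes = New-Object System.Security.Cryptography.AesManaged
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 4096
$rsa.FromXmlString("<RSAKeyValue>...</RSAKeyValue>")
$key = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="
Get-ChildItem $env:USERPROFILE -Recurse
# body elided: per-file Rename-Item / WriteAllBytes
"""

if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        r = triage_script(script)
        print(f"{name}: suspicious={r.suspicious} {r}")
```

Substring matching is deliberately loose so that the heuristic survives minor renaming of variables, but it will not see through obfuscation layers such as `-EncodedCommand` or string concatenation; decode those first and feed the result to `triage_script`. Treat a hit as a triage signal for an analyst, not as a verdict.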
Once the ransomware is installed and executed on the victim's Windows system, it encrypts the existing files on the infected system and then renames them to (unknown).POSHCODER. In addition, it also drops UNLOCKYOURFILES.html into every folder.

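The renamed extension and the note dropped into every folder are the two on-disk indicators an incident responder can sweep for. Below is an added example of such a sweep, written for this page and not vendor tooling. It assumes the `.POSHCODER` suffix and `UNLOCKYOURFILES.html` name exactly as the article gives them (matched case-insensitively), and the sample directory tree it scans is constructed in a temporary directory.

```python
"""Filesystem sweep for the on-disk indicators the page attributes to
TROJ_POSHCODER.A: files renamed with a .POSHCODER extension and an
UNLOCKYOURFILES.html note dropped into every folder.
Added example, not vendor tooling; the sample tree is constructed."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".poshcoder"        # from the article, compared lower-cased
RANSOM_NOTE = "unlockyourfiles.html"   # from the article, compared lower-cased


def scan_for_poshcoder(root) -> dict:
    """Walk `root` and collect indicator paths (case-insensitive matching)."""
    encrypted, notes, dirs_hit = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(full)
                dirs_hit.add(dirpath)
            elif lower == RANSOM_NOTE:
                notes.append(full)
                dirs_hit.add(dirpath)
    encrypted_dirs = {os.path.dirname(e) for e in encrypted}
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(dirs_hit),
        # A note with no encrypted siblings can mean an interrupted run or a
        # partial clean-up; these folders deserve a second look rather than
        # being dismissed because nothing in them carries the suffix.
        "notes_without_payload": sorted(
            d for d in {os.path.dirname(n) for n in notes}
            if d not in encrypted_dirs),
    }


def build_sample_tree(base) -> None:
    """Constructed sample: one folder fully hit, one with only the note, one clean."""
    base = Path(base)
    (base / "Documents").mkdir()
    (base / "Documents" / "report.docx.POSHCODER").write_bytes(b"\x00" * 16)
    (base / "Documents" / "UNLOCKYOURFILES.html").write_text("<html>note</html>")
    (base / "Pictures").mkdir()
    (base / "Pictures" / "UNLOCKYOURFILES.html").write_text("<html>note</html>")
    (base / "Music").mkdir()
    (base / "Music" / "song.mp3").write_bytes(b"ID3")


def demo() -> dict:
    """Build the sample tree, scan it, and return a compact summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_for_poshcoder(tmp)
        return {
            "encrypted": len(result["encrypted_files"]),
            "notes": len(result["ransom_notes"]),
            "affected_dirs": [os.path.basename(d) for d in result["affected_dirs"]],
            "notes_without_payload": [
                os.path.basename(d) for d in result["notes_without_payload"]],
        }


if __name__ == "__main__":
    print(demo())
```

On a real host, call `scan_for_poshcoder` against user profile roots and any mapped drives rather than the whole system, and record the paths before any clean-up so the scope of the encryption can be established for recovery from backups.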
As soon as all the files on the infected system are encrypted, it displays a message to victims saying "Your files were encrypted and locked with a RSA4096 key" and asks them to follow some given instructions in order to decrypt their files, as shown in the screenshot:

The instructions in the ransom note take users to another page, shown below, asking victims to download the Multibit application to set up their own Bitcoin wallet account for 1 Bitcoin.