PowerSniff Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Threat Level: 80% (High)
Infected Computers: 7
First Seen: April 6, 2016
Last Seen: February 27, 2023
OS(es) Affected: Windows
The PowerSniff Ransomware is a ransomware Trojan that abuses macros and Windows PowerShell to infect computers. The PowerSniff Ransomware is being used in attacks in the United States and Europe. Although the PowerSniff Ransomware is not being used against specific targets, PowerSniff Ransomware infections have been actively directed at certain industries and sectors while avoiding others.
The Distribution and Infection Methods Used by the PowerSniff Ransomware
The PowerSniff Ransomware takes advantage of PowerShell and macro vulnerabilities on targeted computers, a method of attack that has increased in popularity in the last year. The PowerSniff Ransomware may be distributed using corrupted email attachments sent through spam emails. Thousands of email messages containing the PowerSniff Ransomware have been sent in the last few weeks. There are several reasons why the PowerSniff Ransomware corrupted email attachments have been particularly effective in reaching their targets:
- The PowerSniff Ransomware phishing email messages may contain specific information about the target that include the target's name, phone number and company data.
- The email attachment that may be used to distribute the PowerSniff Ransomware is a Microsoft Word document, a type of document that has not been associated recently with attacks (the attack exploits a vulnerability in macros that allows third parties to deliver corrupted code to the victims' computers when they authorize the use of macros on the harmful file).
- The sheer volume of spam emails that are being sent out to deliver the PowerSniff Ransomware is staggering, with about 1,500 (only a fraction of the total number) detected in a single week by PC security analysts.
When the file containing the PowerSniff Ransomware is opened, the file calls on Windows Management Instrumentation (WMI), a Windows service that is used to create a hidden PowerShell instance. This automation tool, an important and useful part of Windows, is abused to deliver the PowerSniff Ransomware itself to the victim's computer. To carry out the attack, it may be necessary for the victim to authorize the use of macros in Microsoft Office.
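The launch chain just described (an Office document whose macro uses WMI to start a hidden PowerShell instance) leaves a recognisable trace in process-creation telemetry: a PowerShell process whose parent is the WMI provider host or an Office application, started with switches that keep it silent. The detector below is an added example, not code from the original article or from EnigmaSoft; it scores constructed process-creation events with Sysmon-like fields (pid, parent pid, image path, command line). The image names, the switch patterns and the severity thresholds are this example's own assumptions and should be tuned against real baselines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Process images involved in the launch chain described in the text (assumed names).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WMI_HOSTS = {"wmiprvse.exe"}
POWERSHELL = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Command-line traits of a PowerShell instance meant to run unseen.
# (?<!\S) anchors each switch to the start of a whitespace-separated token.
SUSPICIOUS_SWITCHES = [
    ("hidden window", re.compile(r"(?<!\S)-w\w*\s+hidden", re.I)),
    ("no profile", re.compile(r"(?<!\S)-nop\w*", re.I)),
    ("non-interactive", re.compile(r"(?<!\S)-noni\w*", re.I)),
    ("execution policy bypass", re.compile(r"(?<!\S)-e\w*\s+bypass", re.I)),
    ("encoded command", re.compile(r"(?<!\S)-e(?:c|nc\w*)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


@dataclass
class ProcEvent:
    """One process-creation record (subset of Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent], limit: int = 8) -> List[str]:
    """Image names of the event's parents, nearest first; stops on cycles or pid reuse."""
    names: List[str] = []
    seen = {event.pid}
    cur = by_pid.get(event.ppid)
    while cur and cur.pid not in seen and len(names) < limit:
        seen.add(cur.pid)
        names.append(_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return names


def analyze(events: List[ProcEvent]) -> Dict[int, Tuple[str, List[str]]]:
    """Return {pid: (severity, reasons)} for PowerShell launches worth an analyst's attention."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, Tuple[str, List[str]]] = {}
    for e in events:
        if _name(e.image) not in POWERSHELL:
            continue
        reasons: List[str] = []
        parents = ancestry(e, by_pid)
        if any(p in OFFICE_HOSTS for p in parents):
            reasons.append("launched under an Office process")
        if any(p in WMI_HOSTS for p in parents):
            reasons.append("launched by the WMI provider host")
        switches = [label for label, rx in SUSPICIOUS_SWITCHES if rx.search(e.cmdline)]
        reasons.extend(switches)
        odd_parent = len(reasons) > len(switches)
        if odd_parent and switches:
            severity = "high"        # unusual parent AND silent-run switches
        elif odd_parent or len(switches) >= 2:
            severity = "medium"      # one of the two traits on its own
        else:
            continue                 # ordinary interactive or admin use
        findings[e.pid] = (severity, reasons)
    return findings


# Constructed sample telemetry (not captured from a real infection).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n sample.docm"),
    ProcEvent(300, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(400, 300, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    # WMI-spawned PowerShell with a hidden window and an encoded (placeholder) command
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle hidden -NoProfile -NonInteractive "
              "-ExecutionPolicy Bypass -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    # Benign: an administrator running a one-liner from the desktop shell
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
    # WMI-spawned but otherwise plain: worth a look, not an alarm
    ProcEvent(700, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Date"),
]

if __name__ == "__main__":
    for pid, (sev, why) in analyze(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {sev} -> {', '.join(why)}")
```

The parent walk matters because the macro does not start PowerShell itself: WMI does, so the PowerShell process hangs off WmiPrvSE.exe rather than off WINWORD.EXE, and a rule that only looks for Office-to-PowerShell parentage misses it. The two traits are scored separately so that an analyst can see which one fired.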
How the PowerSniff Ransomware Attacks a Computer
During the PowerSniff Ransomware attack, PowerShell downloads a script that decrypts and executes the payload after first confirming that it is not being run in a virtual system. There are several peculiarities about the PowerSniff Ransomware attack. Initially, the PowerSniff Ransomware will ensure that it is not operating on a computer belonging to an education or healthcare facility. To do this, the PowerSniff Ransomware searches for certain strings on the victim's computer. The PowerSniff Ransomware will also check for strings that could indicate the presence of Point of Sale (PoS) software and of programs commonly used to carry out sales and other transactions. It seems that PowerSniff Ransomware infections are targeted specifically at computers used in monetary transactions, and actively avoid computers belonging to education or healthcare institutions.
The PowerSniff Ransomware Does Not Create a File on the Victim's Computer
One of the characteristics of the PowerSniff Ransomware is that it does not require the creation of an executable file on the victim's computer to carry out its attack. The PowerSniff Ransomware belongs to Ursnif, a family of ransomware Trojans that are injected directly into the targeted computer's memory. Because there is no executable file to remove or analyze, the PowerSniff Ransomware becomes particularly difficult to detect or contain and presents a significant threat to computers. PC security researchers strongly advise the use of a reliable, fully updated security program and an anti-spam filter to intercept the PowerSniff Ransomware attack. Computer users should disable macros in Microsoft Office and avoid enabling macros in files that were received from unknown or questionable sources (particularly unsolicited email messages, whose attachments should never be opened).