Video Fileless Ransomware: Powershell Netwalker | The PC Security Channel

Source
https://www.youtube.com/watch?v=RFGlilkI1Qg
Video created by
The PC Security Channel

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
5,282
wanted to try Acronis too but it's too expensive for my taste. Is it light on your system?
 

Kongo

Level 30
Thread author
Verified
Top poster
Well-known
Feb 25, 2017
1,989
Thank you! :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,250
Leo suggests backups to protect data against such threats. Of course, this is good advice, although it will not protect against extortion attacks when data is stolen.
In the case of this particular malware (and most of the complex PowerShell malware), it can be fully blocked by restricting PowerShell with Constrained Language Mode.
The Windows system uses PowerShell functions without executing powershell.exe or powershell_ise.exe, so in the home environment, many users can simply block the PowerShell executables without any issues.

Post edited.
 

SeriousHoax

Level 43
Verified
Top poster
Well-known
Mar 16, 2019
3,244
it can be fully blocked by restricting PowerShell with Constrained Language Mode. In the home environment, many users can simply block PowerShell without any issues.
I can confirm that I never had any issue after setting PowerShell in Constrained Language Mode.
One of the easiest ways to enable this would be entering this in Terminal with admin rights:
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "__PSLockDownPolicy" /t REG_SZ /d "4" /f
 
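As an added example (not code from the thread or from the posters), the following PowerShell script reads the same `__PSLockDownPolicy` value the command above writes, sets it only when it is absent, and then verifies from a freshly started powershell.exe that new sessions really land in Constrained Language Mode and that unrestricted .NET access is refused there. The function names and the probe string are my own; writing under HKLM needs an elevated session.

```powershell
# Added example, not code from the thread: read, set and verify the
# __PSLockDownPolicy switch that the reg add command above writes.
# Writing under HKLM needs an elevated session; reading does not.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$Name    = '__PSLockDownPolicy'

function Get-LockDownPolicy {
    # Returns the stored string, or $null when the switch is absent.
    (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Enable-LockDownPolicy {
    # "4" is the value that makes new sessions start in ConstrainedLanguage.
    Set-ItemProperty -Path $RegPath -Name $Name -Value '4' -Type String
}

function Test-NewSessionLanguageMode {
    # PowerShell reads this value from the machine environment key when the
    # process starts, so the window you are in keeps its old mode; ask a
    # freshly started powershell.exe which mode it landed in.
    $mode = & powershell.exe -NoProfile -Command '$ExecutionContext.SessionState.LanguageMode'
    return [string]$mode
}

function Test-DotNetAccessBlocked {
    # What the control actually stops: unrestricted .NET type access, which
    # script-based loaders depend on. The probe runs in a new process so the
    # result reflects the registry value, not the mode of the current window.
    $probe = "try { [System.Net.WebClient]::new() | Out-Null; 'open' } " +
             "catch { 'blocked: ' + `$_.Exception.Message }"
    return [string](& powershell.exe -NoProfile -Command $probe)
}

if ($null -eq (Get-LockDownPolicy)) {
    Enable-LockDownPolicy
}
"Registry value         : $(Get-LockDownPolicy)"
"New session mode       : $(Test-NewSessionLanguageMode)"
".NET access in session : $(Test-DotNetAccessBlocked)"
```

Expect `ConstrainedLanguage` and a `blocked: ...` line once the value is in place; a plain `open` means new sessions still start in FullLanguage. This environment-variable switch is a convenience hook rather than a hardened boundary, so, as Andy Ful notes above about standard-rights restrictions, any elevated process can change it; treat it as a complement to SRP/AppLocker rules, not a replacement.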

Zero Knowledge

Level 9
Dec 2, 2016
406
As with anything Microsoft, they try to implement something successfully done on Linux/macOS/Android/iOS, i.e. bash/terminal, and they implement it in such a weird way with no security that it's mainly used by malware/ransomware authors to carry out attacks. PowerShell is not a bad idea in itself; improving and streamlining administration tasks and replacing an aging cmd terminal with a modern-day equivalent is a worthy endeavour, but in the case of Microsoft it took them years to play catch-up and introduce security mechanisms to stop the bad actors abusing the service.
 

ticklemefeet

Level 27
Jan 31, 2018
1,659
The changes are usually made with high privileges, so the PowerShell can be still restricted/blocked with standard rights.
So, are you saying that if PowerShell is blocked with restricted/blocked standard rights, the program setting can be changed with, say, a program that adjusts Windows Defender's settings? I guess I am not understanding.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,250
So, are you saying that if PowerShell is blocked with restricted/blocked standard rights, the program setting can be changed with, say, a program that adjusts Windows Defender's settings? I guess I am not understanding.
Do not give up. I do not understand many things, too. But, this one is true. (y)
The restrictions limited to standard rights do not apply to processes that run with higher privileges.
Classic SRP and AppLocker can use restrictions limited to standard privileges.
 

Stenographers

Level 1
Nov 11, 2022
35
As with anything Microsoft, they try to implement something successfully done on Linux/macOS/Android/iOS, i.e. bash/terminal, and they implement it in such a weird way with no security that it's mainly used by malware/ransomware authors to carry out attacks. PowerShell is not a bad idea in itself; improving and streamlining administration tasks and replacing an aging cmd terminal with a modern-day equivalent is a worthy endeavour, but in the case of Microsoft it took them years to play catch-up and introduce security mechanisms to stop the bad actors abusing the service.
To be fair, PowerShell is a really good piece of software and personally I prefer it to bash. In fact I have some Linux boxes set up so that the default shell is pwsh. I'm pretty sure you could do the same thing with bash, or at least something similar. Does that make bash bad and insecure? No, it just means you need to manage access to it very carefully.
 

TedCruz

Level 5
Aug 19, 2022
208
wanted to try Acronis too but it's too expensive for my taste. Is it light on your system?
I used to run and recommend Acronis from 2008 to 2019, when it suddenly failed me on multiple backups that became unrecoverable (spanning from 2017 to 2019). I had instances when suddenly a cold storage backup could not be recovered, and it occurred multiple times on multiple drives. That's when I gave up on that solution and switched to another. Been happy since and went through 5 recoveries without issues. (That's just home use; I don't care about work, that's DISA's job.)
 

Kongo

Level 30
Thread author
Verified
Top poster
Well-known
Feb 25, 2017
1,989
I used to run and recommend Acronis from 2008 to 2019, when it suddenly failed me on multiple backups that became unrecoverable (spanning from 2017 to 2019). I had instances when suddenly a cold storage backup could not be recovered, and it occurred multiple times on multiple drives. That's when I gave up on that solution and switched to another. Been happy since and went through 5 recoveries without issues. (That's just home use; I don't care about work, that's DISA's job.)
The main reason I wanted to try it is because of its AI-based integrated AV solution. Any experiences with that?
 

roger_m

Level 37
Verified
Top poster
Content Creator
Dec 4, 2014
2,697
The main reason I wanted to try it is because of its AI-based integrated AV solution. Any experiences with that?
It's using Bitdefender signatures and was tested by @Shadowra in April.
 

Kongo

Level 30
Thread author
Verified
Top poster
Well-known
Feb 25, 2017
1,989
It's using Bitdefender signatures and was tested by @Shadowra in April.
It's using Bitdefender engine + ML as can be seen on VirusTotal. I just wanna know how effective it is.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
5,282
It's using Bitdefender engine + ML as can be seen on VirusTotal. I just wanna know how effective it is.
Fully understand that, as it's a good question, but from what I know or recall there ain't anyone on this forum that has done proper malware tests over a longer period with it, so it's really hard to say other than guessing.

Its basic backup and automatic restore feature should be easy enough for yourself to test.
 

SeriousHoax

Level 43
Verified
Top poster
Well-known
Mar 16, 2019
3,244
It's using Bitdefender engine + ML as can be seen on VirusTotal. I just wanna know how effective it is.
For some basic understanding of its overall effectiveness in protection, you can check AVC's Business tests:
 