
PowerSniff Ransomware

Posted: April 6, 2016

Threat Metric

Threat Level: 8/10
Infected PCs: 16
First Seen: April 6, 2016
Last Seen: February 27, 2023
OS(es) Affected: Windows

The PowerSniff Ransomware is a Trojan that subverts basic Windows components to provide remote access to the machine or to enable other attacks, such as file-encrypting ransoms. This threat uses a combination of memory injection, Registry modifications and hidden PowerShell instances to avoid detection, and has an observed preference for targeting Point-of-Sale devices. Relevant entities can protect their systems by tending to their e-mail security protocols, as well as by using their anti-malware tools to remove the PowerSniff Ransomware afterward.

Sniffing out New Spam Problems

The PowerSniff Ransomware is a file encryptor and backdoor Trojan capable of holding a system's data hostage for ransom payments, or of giving con artists the means to launch other attacks through its server connections. While its payloads are standardized options with few deviations from the norm, the delivery and installation methods of the PowerSniff Ransomware show an unusual degree of robustness and discernment. The PowerSniff Ransomware continues the overall trend of e-mail-based infection vectors, which malware experts have seen launching through embedded document macros, much like the PowerWare Ransomware.

The spam campaign frequently includes details about the recipient or an associated organization, which con artists may have phished in a separate campaign. Once tricked into opening the document and manually enabling its macro content, the victim unintentionally allows the PowerSniff Ransomware to install itself. This installation process uses a hidden PowerShell instance and performs multiple system prerequisite checks before delivering its payload. These checks include detecting a sandbox environment (a tool for malware analysis), detecting text strings related to specific industries (such as healthcare organizations), and identifying financial transaction software.

The PowerSniff Ransomware's con artists appear to be targeting finance-related systems in particular while avoiding machines in both the healthcare and educational industries.
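The delivery chain described above (a document macro launching a hidden PowerShell stager) leaves a recognizable trace in process-creation telemetry. The following is an added detection example, not code from the original page or from any vendor; it assumes events shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessId) and runs over constructed sample events, flagging PowerShell spawned by an Office parent with hidden-window, encoded or no-profile arguments.

```python
import re
from typing import Iterable

# Office parents that should rarely, if ever, launch PowerShell directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits typical of macro-launched PowerShell stagers.
SUSPICIOUS_ARGS = [
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),                 # hidden window
    re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # encoded command
    re.compile(r"-nop(?:rofile)?\b", re.I),                          # skip profile
    re.compile(r"downloadstring|iex\b|invoke-expression", re.I),     # fetch-and-run
]

def score_event(event: dict) -> list[str]:
    """Return the reasons an event looks like a macro-launched stager (empty if benign)."""
    reasons = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return reasons
    if parent in OFFICE_PARENTS:
        reasons.append(f"powershell spawned by Office process {parent}")
    cmd = event.get("CommandLine", "")
    for pat in SUSPICIOUS_ARGS:
        if pat.search(cmd):
            reasons.append(f"command line matches /{pat.pattern}/")
    return reasons

def detect(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Report events with at least two reasons, so a lone Office parent or lone -NoP is not enough."""
    return [(ev["ProcessId"], r) for ev in events if len(r := score_event(ev)) >= 2]

# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": "4188", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ProcessId": "4203", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, why in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(why))
```

Only the first sample event is reported, with four reasons; the scheduled backup and the Word-launched Notepad are left alone.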

Cutting the Power to the PowerSniff Ransomware Campaign

Businesses and other organizations in both North America and Europe have been under significant attack by the PowerSniff Ransomware's campaign, which has distributed over one thousand e-mail messages in a single week. The inclusion of personal information makes it more likely than usual that a victim will assume the spam is legitimate, and it also points to earlier security compromises that gave remote attackers that information in the first place. However, most Windows systems still disable document macros by default, so some element of consent is required before the PowerSniff Ransomware can install itself.

The PowerSniff Ransomware injects itself into unrelated processes automatically. Even in the absence of common symptoms, such as encrypted files with new extensions or a desktop ransom message, victims should assume that the PowerSniff Ransomware is running. Anti-malware products should be able to detect the corrupted documents meant to install the PowerSniff Ransomware, as well as remove the PowerSniff Ransomware in later infection stages.

The PowerSniff Ransomware requires the PowerShell utility, which confines this campaign to Windows for the present time. However, the persistence and unusually incisive delivery methods of its perpetrators make the PowerSniff Ransomware a high-level threat to the hundreds of PoS machines that fall under its criteria.
