VerdaCrypt Ransomware: Analysis of the PowerShell-Based Cryptoviral Extortion Tool

VerdaCrypt represents a sophisticated PowerShell-based ransomware that combines advanced encryption techniques with psychological manipulation to extort victims. Employing a modular architecture with anti-analysis capabilities, this ransomware targets critical data across multiple file types with AES-256 encryption. The threat actor behind VerdaCrypt, self-identified as the “Kugutsushi subdivision,” uses philosophically-framed extortion messages and demands payment through cryptocurrency. This analysis examines VerdaCrypt’s technical implementation, distribution vectors, targeted file types, and provides comprehensive mitigation strategies for organizations to protect against this evolving threat.

Threat Summary

  • Threat Type: Ransomware, File Encryptor, Data Exfiltration
  • Sample Hash: a1ec0e24579de82840b019831252d73784f4ea5c4c16461103176bcc40cc1376
  • Encrypted File Extension: .verdant
  • Ransom Note: !!!_READ_ME_!!!.txt
  • Contact Method: Protonmail (dendrogaster_88095@protonmail.com)
  • Implementation: PowerShell-based (Verdacrypt-Z.ps1)
  • Encryption: AES-256 + RSA-2048
  • Threat Severity: High (10/10 in Triage analysis)
  • Targeted Systems: Windows workstations and servers

Introduction to VerdaCrypt Ransomware

VerdaCrypt is a newly discovered ransomware variant that represents a concerning evolution in PowerShell-based malware. First identified in April 2025, this ransomware combines sophisticated encryption techniques with advanced anti-analysis capabilities and psychological manipulation tactics. What sets VerdaCrypt apart from other ransomware families is its modular architecture, philosophical framing of extortion demands, and comprehensive targeting of sensitive data types.

The ransomware identifies itself as a product of the “Kugutsushi subdivision,” a previously undocumented threat actor. Unlike many ransomware strains that focus solely on encryption speed, VerdaCrypt prioritizes stealth, persistence, and psychological impact, making it particularly dangerous to targeted organizations.

This analysis is based on the examination of a PowerShell script named “Verdacrypt-Z.ps1” and related intelligence gathered from security researchers and incident response teams. The threat demonstrates both technical sophistication and social engineering expertise, positioning it as a significant concern for organizations across multiple sectors.

Technical Features of VerdaCrypt Ransomware

VerdaCrypt exhibits several advanced technical characteristics that make it particularly effective and difficult to detect or mitigate:

  • PowerShell-based implementation: The ransomware is written in PowerShell rather than shipped as a compiled executable, so no new PE file lands on disk for signature-based antivirus to flag. The script body still passes through AMSI and, where enabled, Script Block Logging at run time, which is why those controls matter (see the mitigation section).
  • Modular architecture: VerdaCrypt employs a modular design with separate components for core functionality, persistence, encryption, anti-detection, propagation, and payload delivery, allowing the threat actors to easily update or customize specific capabilities.
  • Hybrid encryption system: Uses AES-256 for file contents, with the per-infection AES key wrapped by an attacker-held RSA-2048 public key, so recovering files without the attacker's private key is computationally infeasible.
  • Comprehensive targeting: The ransomware targets over 100 different file extensions across multiple categories including documents, media files, archives, database files, and development files.
  • Shadow copy elimination: Before beginning encryption, VerdaCrypt systematically deletes Windows Volume Shadow Copies to prevent easy recovery of files.
  • Anti-analysis techniques: The ransomware includes sophisticated capabilities to detect virtual machines, sandbox environments, and security tools, with different evasion behaviors based on the environment detected.
  • Cross-process operation: VerdaCrypt can inject itself into legitimate Windows processes like explorer.exe and svchost.exe to evade detection and maintain persistence.
  • Multi-stage propagation: The ransomware attempts to spread via USB drives by dropping an autorun.inf and disguised LNK files. Windows 7 and later ignore autorun.inf on removable drives, so in practice the USB vector depends on a user double-clicking the decoy shortcut.

One of the most notable aspects of VerdaCrypt is its active disabling of security features. The ransomware attempts to disable Windows Defender, Windows Firewall, and other security protections through registry modifications and service tampering, significantly increasing the risk of successful encryption if executed with administrative privileges.

[Figure: VerdaCrypt ransomware attack chain]
Initial Execution (PowerShell script) -> Anti-Analysis (VM/sandbox detection) -> Privilege Escalation (UAC bypass techniques) -> Security Disabling (Defender/Firewall) -> Persistence (registry, WMI, scheduled tasks) -> Backup Deletion (shadow copy removal) -> File Encryption (AES-256 + RSA-2048) -> Ransom Note (!!!_READ_ME_!!!.txt) -> Extortion (ProtonMail contact) -> Propagation (USB/network spread)
Primary target file extensions: .doc, .pdf, .jpg, .mp4, .zip, .sql, .psd, .py, .java, .php, .html, .xlsx, .ppt, .txt, .bak, .vhd, .ova, .xml, .json, .cpp, .cs

Source: Analysis of VerdaCrypt ransomware PowerShell script components and execution flow, 2025

Targeted File Types and Encryption Strategy

VerdaCrypt casts an extraordinarily wide net in terms of targeted file types, focusing on maximum impact across various data types that might be valuable to victims. The ransomware targets over 100 different file extensions across multiple categories:

[Figure: VerdaCrypt targeted file categories, share of targeted extensions]
  • Documents (30%): .doc, .pdf, .txt, .rtf, ...
  • Media files (25%): .jpg, .mp4, .png, .mp3, ...
  • Development (15%): .py, .cpp, .java, .php, ...
  • Archives (12%): .zip, .rar, .7z, ...
  • Databases (10%): .sql, .db, .sqlite, ...
  • System/backups (8%): .bak, .vhd, .log, ...

Source: Analysis of VerdaCrypt target extensions from PowerShell script, 2025

The encryption process follows a sophisticated methodology:

  1. File discovery: The ransomware scans multiple directories, including user profiles, cloud storage locations, application data, and development environments to locate valuable files.
  2. Key generation: For each infection, VerdaCrypt generates a unique AES-256 key and a secure initialization vector (IV).
  3. Batch processing: Files are encrypted in batches to optimize performance, with the potential for parallel encryption on multi-core systems.
  4. In-place encryption: Rather than creating new files, the ransomware encrypts files in-place and then changes their extension to “.verdant”.
  5. Key protection: The AES key used for file encryption is itself encrypted using RSA-2048, ensuring that only the attackers’ private key can unlock the files.

The encryption routine includes checks to avoid encrypting files already in use by the system, which helps the ransomware maintain stealth by not crashing the operating system during encryption. This selective approach coupled with the wide range of targeted file types maximizes the likelihood of encrypting critical user data.
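
During response, the first practical question is whether a given .verdant file was actually encrypted or merely renamed (some payload variants fail mid-run). The following PowerShell is an added triage example written for this page; it is not code from the VerdaCrypt script or from Gridinsoft. It checks for the 8-byte "VDCRYPT\0" marker that the memory YARA rule later on this page attributes to encrypted files (an assumption taken from that rule; adjust it to your sample), then measures Shannon entropy of the first 64 KiB. AES-CBC output sits near 8 bits per byte, but so do already-compressed originals (zip, jpg, mp4), and because the ransomware replaces the original extension, the file name no longer tells you which it was; that is why a high-entropy file without the marker is only reported as "probably" encrypted.

```powershell
# Added triage example (not VerdaCrypt or Gridinsoft code). Marker value is an
# assumption taken from the page's memory YARA rule.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Test-VerdantFile {
    param([Parameter(Mandatory)][string]$Path)

    $marker = [Text.Encoding]::ASCII.GetBytes('VDCRYPT') + [byte]0   # assumed "VDCRYPT\0" header
    $buffer = New-Object byte[] 65536
    $stream = [IO.File]::OpenRead($Path)
    try     { $read = $stream.Read($buffer, 0, $buffer.Length) }
    finally { $stream.Dispose() }

    $hasMarker = $false
    if ($read -ge $marker.Length) {
        $hasMarker = (($buffer[0..($marker.Length - 1)] -join ',') -eq ($marker -join ','))
    }

    # Entropy over the sampled bytes, skipping the marker so it does not skew the result
    $start   = if ($hasMarker) { $marker.Length } else { 0 }
    $sample  = if ($read -gt $start) { [byte[]]$buffer[$start..($read - 1)] } else { [byte[]]@() }
    $entropy = Get-ShannonEntropy $sample

    $verdict = if ($hasMarker)        { 'encrypted (marker present)' }
               elseif ($entropy -gt 7.9) { 'probably encrypted (random-looking, no marker; compressed originals also look like this)' }
               else                      { 'not encrypted (renamed only)' }

    [pscustomobject]@{
        Path    = $Path
        Marker  = $hasMarker
        Entropy = [Math]::Round($entropy, 3)
        Verdict = $verdict
    }
}

# Usage: triage every .verdant file under the user profiles on this host
Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Filter *.verdant -ErrorAction SilentlyContinue |
    ForEach-Object { Test-VerdantFile -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it read-only from a forensic copy where possible; it opens files for reading only, but running anything on a live victim host before imaging is a judgement call for the responder.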

Distribution and Infection Methods

VerdaCrypt employs multiple sophisticated distribution techniques to reach its targets. Based on the analysis of the PowerShell script and related intelligence, the following primary infection vectors have been identified:

  • Phishing campaigns: Carefully crafted emails containing the PowerShell script as an attachment or links to download the script from compromised or attacker-controlled websites.
  • Living-off-the-land techniques: The ransomware may be deployed using legitimate PowerShell features, potentially bypassing application whitelisting and other security controls.
  • Supply chain compromises: Evidence suggests possible distribution through compromised software updates or packages to target specific organizations.
  • Remote access exploitation: Targeting of exposed RDP, VPN, or other remote access services to manually deploy the ransomware within compromised networks.

Once executed, VerdaCrypt demonstrates a comprehensive approach to establishing persistence:

  1. Registry modifications: Creates autorun keys in multiple registry locations to survive system reboots.
  2. Scheduled tasks: Establishes scheduled tasks with multiple triggers to ensure consistent execution even if some are discovered and removed.
  3. WMI event subscriptions: Creates persistent WMI event subscriptions that trigger the ransomware when specific system events occur.
  4. DLL hijacking: Attempts to perform DLL hijacking on certain system libraries if administrative privileges are obtained.
  5. Process injection: Injects malicious code into legitimate processes like explorer.exe and svchost.exe to evade detection.
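
The following PowerShell is an added triage example for the persistence locations just listed; it is not code from the VerdaCrypt script or from Gridinsoft. It sweeps Run/RunOnce keys in both hives, the Startup folders, scheduled-task actions and WMI event subscriptions. DLL hijacking and process injection are not covered here; those need EDR telemetry or a memory scan. The regex of "suspicious" launch patterns is an assumption tuned to this family and will also flag legitimate PowerShell automation, so every printed line is something to review, not a verdict.

```powershell
# Added persistence sweep (not VerdaCrypt or Gridinsoft code). Run elevated.
$suspicious = 'powershell|pwsh|\.ps1|-EncodedCommand|-enc\b|ExecutionPolicy Bypass|WindowStyle Hidden'
$findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Location, $Value) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Value = "$Value" })
}

# 1. Autostart registry keys (both hives, Run and RunOnce)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }               # skip PSPath, PSParentPath, ...
        if ("$($p.Value)" -match $suspicious) { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}

# 2. Startup folders (per-user and all-users); any script or shortcut here is worth a look
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem -Path $startup -Recurse -Include *.ps1, *.lnk, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'StartupFolder' $_.DirectoryName $_.Name }

# 3. Scheduled tasks whose action launches PowerShell or a script
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $suspicious) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# 4. WMI event subscriptions. A default install has only the "SCM Event Log Filter" /
#    "SCM Event Log Consumer" pair; anything else deserves attention.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WmiFilter' $_.Name $_.Query }
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WmiConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WmiConsumer' $_.Name $_.ScriptText }
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WmiBinding' "$($_.Filter)" "$($_.Consumer)" }

$findings | Format-Table -AutoSize -Wrap
```

Because the registry Run keys and scheduled tasks are per-user as well as machine-wide, run the sweep in the context of each profile that was logged on during the incident window, or load the other users' NTUSER.DAT hives offline.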

A particularly concerning aspect of VerdaCrypt is its attempt to spread within networks and via removable media:

  • USB propagation: Creates hidden copies of itself on USB drives, along with malicious LNK files designed to appear as legitimate folders like “Documents” or “Photos” to trick users into executing the ransomware.
  • Autorun exploitation: Places autorun.inf files on USB drives. This only launches automatically on legacy hosts (pre-Windows 7, or systems where AutoRun has been re-enabled), since current Windows versions ignore autorun.inf on removable media; on modern systems the decoy LNK files do the work.
  • Network scanning: Searches for open network shares to encrypt remote files and potentially spread to other systems.

These distribution and persistence techniques demonstrate a level of sophistication typically associated with advanced threat actors, suggesting that VerdaCrypt may be operated by an experienced cybercriminal group with significant technical expertise.

Ransom Demands and Threat Actor Behavior

One of the most distinctive aspects of VerdaCrypt is its ransom note, which differs from typical ransomware in both style and content. The ransom note titled “!!!_READ_ME_!!!.txt” employs sophisticated language and philosophical framing to manipulate victims:

Y O U R D I G I T A L E X I S T E N C E H A S B E E N C O M P R O M I S E D.
 
INTRUSION PROTOCOL: VERDACRYPT - INITIATED.
 
Your critical infrastructure has suffered a catastrophic security event. A sophisticated cryptoviral payload, designated VerdaCrypt, has successfully breached your system's perimeter and executed a multi-layered encryption cascade. All sensitive data, including but not limited to proprietary documents, personal archives, multimedia assets, and databases, are now rendered cryptographically inert and irretrievable without our intervention.
 
ONTOLOGICAL DILEMMA: DATA SOVEREIGNTY & THE TRANSCENDENCE OF VALUE.
 
Consider this not merely an act of digital extortion, but a stark ontological reassessment of your data's intrinsic worth. In this hyper-connected, late-capitalist paradigm, information is the ultimate commodity. You have operated under the illusion of control, hoarding digital wealth without acknowledging its inherent precarity. We are the catalysts of disruption, forcing a necessary reckoning with the ephemeral nature of digital sovereignty. Your data, now under our dominion, will only regain utility through a transactional exchange – a tribute to its true, albeit previously unacknowledged, value.
 
RECOVERY PROCEDURE: THE PATH TO DIGITAL REBIRTH.
 
While your current digital state is one of enforced entropy, a path to restoration exists. We possess the asymmetric decryption keys necessary to reverse the algorithmic entropy we have imposed. However, access to this vital instrument is contingent upon your adherence to the following directives:
 
1. SYSTEMIC QUIESCENCE MANDATORY: Cease all unauthorized remediation attempts. Any interference with the encrypted file system may induce irreversible data corruption and invalidate any potential for decryption. Further, any attempts at forensic analysis or network tracing will be met with escalated countermeasures.
 
2. SECURE CHANNEL ESTABLISHMENT VIA PROTONMAIL: Initiate encrypted communication through the Protonmail platform. Contact us at: dendrogaster_88095@protonmail.com. Utilize a separate, uncompromised device for this communication.
 
3. FINANCIAL TRANSCENDENCE PROTOCOL: Prepare for a financial exchange commensurate with the value you ascribe to your compromised data. Detailed payment instructions, including the precise Bitcoin (BTC) quantum required for decryption key acquisition, will be provided upon initial contact. Be advised: the value proposition is dynamic and subject to escalation based on temporal delays and perceived resistance.
 
CONSEQUENCES OF NON-COMPLIANCE: DIGITAL OBLITERATION.
 
Failure to adhere to these directives will result in the permanent cryptographic lockdown of your data assets. Furthermore, depending on the perceived recalcitrance and value of the exfiltrated data, we may initiate a phased data dissemination protocol, exposing your proprietary information to public and competitive vectors. Your digital legacy hangs in the balance.
 
VerdaCrypt - Kugutsushi subdivision.

This ransom note reveals several key insights about the threat actor:

  • Sophisticated psychological tactics: The use of philosophical terminology and concepts creates an intellectual framing that attempts to normalize the extortion and position the attackers as sophisticated operators rather than criminals.
  • Double-extortion strategy: The threat of data dissemination (“phased data dissemination protocol”) suggests the ransomware may also exfiltrate data before encryption, enabling additional leverage through threatened leaks.
  • Organizational structure: The reference to “Kugutsushi subdivision” implies a structured criminal organization with different operational units, potentially indicating a larger threat actor ecosystem.
  • Operational security focus: The instructions to use Protonmail for secure communications and warnings against forensic analysis demonstrate sophisticated operational security practices.

Rather than specifying a fixed ransom amount in the initial note, VerdaCrypt’s operators require victims to establish contact first, allowing for dynamic pricing based on the victim’s perceived ability to pay. This negotiation-based approach is increasingly common among sophisticated ransomware operations, maximizing profits by tailoring demands to each victim’s circumstances.

The Kugutsushi subdivision referenced in the note appears to be a new or previously undocumented threat actor, with no public reports linking them to other known ransomware operations as of April 2025. The name “Kugutsushi” has Japanese origins, potentially referring to puppet masters or manipulators, though this cultural reference may be deliberate misdirection rather than an indication of the attackers’ actual nationality or identity.

Technical Indicators of Compromise

Organizations should monitor for the following indicators that may suggest a VerdaCrypt infection or attack in progress:

File System Artifacts

# Primary ransomware script and variants
%TEMP%\Verdacrypt-Z.ps1
%TEMP%\WindowsUpdate.ps1
C:\ProgramData\SystemUpdate\update.ps1
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.ps1
 
# Ransom note
!!!_READ_ME_!!!.txt
 
# Encrypted files
*.verdant
 
# Persistence mechanisms
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.ps1
%TEMP%\cleanup.ps1
%TEMP%\script_*.ps1
%TEMP%\launcher.c
%TEMP%\launcher.dll

Registry Modifications

# Persistence registry keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemSecurityUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdateTask
 
# UAC bypass registry modifications
HKCU:\Software\Classes\ms-settings\shell\open\command
HKCU:\Software\Classes\mscfile\shell\open\command
 
# Security disabling registry modifications
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen = 0
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
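
The registry indicators above are most useful as an audit list. The PowerShell below is an added example written for this page, not code from the VerdaCrypt script or from Gridinsoft: it reads each listed location and compares it with the value a hardened host should have, then adds the live Defender, Tamper Protection and firewall state, since Set-MpPreference changes made by the script do not necessarily appear under the policy keys. The "expected" values are assumptions based on an "Always notify" UAC baseline; a REVIEW line is a lead to investigate, not proof of infection.

```powershell
# Added audit example (not VerdaCrypt or Gridinsoft code). Run elevated so the HKLM
# policy keys and Get-MpComputerStatus are readable.

$checks = @(
    # Policy values the script sets to disable Defender/SmartScreen: must be absent or benign
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name='DisableAntiSpyware';         Allowed=@($null, 0) }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name='DisableRealtimeMonitoring';  Allowed=@($null, 0) }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name='DisableBehaviorMonitoring';  Allowed=@($null, 0) }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name='DisableOnAccessProtection';  Allowed=@($null, 0) }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                        Name='EnableSmartScreen';          Allowed=@($null, 1) }
    # UAC: EnableLUA on, ConsentPromptBehaviorAdmin 2 = "Always notify", prompt on secure desktop
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name='EnableLUA';                  Allowed=@(1) }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name='ConsentPromptBehaviorAdmin'; Allowed=@(2) }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name='PromptOnSecureDesktop';      Allowed=@(1) }
    # Per-user handler hijacks used by the fodhelper/eventvwr UAC bypasses: must not exist
    @{ Path='HKCU:\Software\Classes\ms-settings\shell\open\command';                   Name='(default)';                  Allowed=@($null) }
    @{ Path='HKCU:\Software\Classes\mscfile\shell\open\command';                       Name='(default)';                  Allowed=@($null) }
)

function Get-RegValue($Path, $Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $key = Get-Item -LiteralPath $Path
    if ($Name -eq '(default)') { return $key.GetValue('') }
    return $key.GetValue($Name)          # $null when the value is not present
}

$results = New-Object System.Collections.Generic.List[object]
function Add-Result($Setting, $Actual, [bool]$Ok) {
    $status = if ($Ok) { 'OK' } else { 'REVIEW' }
    $results.Add([pscustomobject]@{ Status = $status; Setting = $Setting; Actual = $Actual })
}

foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    Add-Result "$($c.Path)\$($c.Name)" $actual ($c.Allowed -contains $actual)
}

# Live Defender state: Set-MpPreference changes show here even without a policy key
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'DisableScriptScanning') {
        Add-Result "Get-MpPreference.$name" $mp.$name (-not $mp.$name)
    }
}
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    Add-Result 'Get-MpComputerStatus.IsTamperProtected' $status.IsTamperProtected ([bool]$status.IsTamperProtected)
}

# Firewall: all three profiles should be enabled
foreach ($fw in Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Add-Result "Firewall profile $($fw.Name)" $fw.Enabled ("$($fw.Enabled)" -eq 'True')
}

$results | Sort-Object Status -Descending | Format-Table -AutoSize -Wrap
```

The HKCU checks only cover the profile the script runs under; repeat them for each user that was logged on, since the UAC-bypass hijack keys live in the victim user's hive.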

Process and Command Line Indicators

# Suspicious PowerShell execution
powershell.exe -WindowStyle Hidden
powershell.exe -ExecutionPolicy Bypass
powershell.exe -EncodedCommand
 
# Shadow copy deletion commands
vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
wbadmin.exe delete catalog -quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
 
# Security service tampering
sc.exe create Windows* binPath= "powershell.exe*"
powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
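
The command-line indicators above are only useful if something matches them against process-creation telemetry. The following PowerShell is an added example for this page, not code from the VerdaCrypt script or from Gridinsoft: it turns the indicators into regular expressions, exercises them on a few constructed sample command lines (not captured from a real incident), and then runs them over the host's Security log 4688 events. Real 4688 events carry a command line only when "Include command line in process creation events" is enabled (see the mitigation section); with Sysmon installed, query LogName 'Microsoft-Windows-Sysmon/Operational', Id 1 and its CommandLine field instead. The pattern names and the 24-hour window are assumptions.

```powershell
# Added detection example (not VerdaCrypt or Gridinsoft code).
$patterns = [ordered]@{
    ShadowCopyDelete = '\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog)'
    RecoveryDisable  = '\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)'
    DefenderTamper   = 'Set-MpPreference\s+-Disable\w+\s+\$true|Set-NetFirewallProfile\b.*-Enabled\s+False'
    HiddenPowerShell = '\b(powershell|pwsh)(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{16,}|-e(xecutionpolicy|p)\s+bypass)'
    ServiceCreation  = '\bsc(\.exe)?\s+create\s+\S+\s+binPath=\s*"?[^"]*powershell'
}

function Get-CommandLineHits {
    param([string]$CommandLine)
    # -match is case-insensitive by default, which suits command lines
    $hits = foreach ($name in $patterns.Keys) {
        if ($CommandLine -match $patterns[$name]) { $name }
    }
    return @($hits)
}

# Constructed sample command lines; the last one is benign and should not match
$samples = @(
    'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet'
    'bcdedit.exe /set {default} recoveryenabled No'
    'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1'
    'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'
    'sc.exe create WindowsUpdateSvc binPath= "powershell.exe -ep bypass -f C:\ProgramData\SystemUpdate\update.ps1"'
    '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Process'
)
foreach ($line in $samples) {
    $hits = @(Get-CommandLineHits $line)
    '{0,-34} {1}' -f $(if ($hits) { $hits -join ',' } else { '(no match)' }), $line
}

# Live query: Security 4688 events from the last 24 hours
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if ($cmd) {
            $hits = @(Get-CommandLineHits $cmd)
            if ($hits) {
                [pscustomobject]@{ Time = $_.TimeCreated; Hits = ($hits -join ','); CommandLine = $cmd }
            }
        }
    } | Format-Table -AutoSize -Wrap
```

The HiddenPowerShell pattern will also catch legitimate management scripts that run hidden with the execution policy bypassed; pair it with the backup-destruction or Defender-tampering patterns before treating a host as compromised, and keep the benign sample line in the test set whenever the expressions are tightened.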

Network Indicators

# Network indicators (no dedicated command-and-control server is identified for this sample; the Protonmail address is the victim-contact channel, so connections to protonmail.com are a weak indicator on their own)
Connections to protonmail.com from hosts that do not normally use it
DNS or HTTPS requests to newly registered domains
Anomalous outbound data volumes preceding encryption (possible exfiltration)
Connections to cryptocurrency-related domains
 
# Network scanning activity
SMB enumeration
Active Directory queries

YARA Rules for Comprehensive VerdaCrypt Detection

The following enhanced YARA rules provide multiple detection strategies for VerdaCrypt Ransomware components:

Basic PowerShell Script Detection

rule VerdaCrypt_PowerShell_Script_2025 {
    meta:
        description = "Detects VerdaCrypt Ransomware PowerShell script main components"
        author = "Gridinsoft Research Team"
        date = "2025-04"
        hash = "a1ec0e24579de82840b019831252d73784f4ea5c4c16461103176bcc40cc1376"
        severity = "high"
        version = "1.2"
     
    strings:
        // PowerShell script indicators
        $ps_header = "#" nocase wide ascii
         
        // Core function names
        $func_log = "function Write-Log" wide ascii
        $func_running = "function Test-AlreadyRunning" wide ascii
        $func_encrypt = "function Invoke-FileEncryption" wide ascii
        $func_persist = "function Register-Persistence" wide ascii
        $func_analysis = "function Test-AnalysisEnvironment" wide ascii
        $func_security = "function Disable-SecurityFeatures" wide ascii
        $func_usb = "function Invoke-USBPropagation" wide ascii
         
        // Specific technical artifacts
        $aes_key = "New-Object byte[] 32" wide ascii
        $rsa_provider = "System.Security.Cryptography.RSACryptoServiceProvider" wide ascii
        $iv_creation = "New-Object byte[] 16" wide ascii
        $crypto_rng = "RNGCryptoServiceProvider" wide ascii
         
        // Verdant extension
        $verdant_ext = ".verdant" wide ascii
         
        // Specific configuration values
        $config_timeout = "$ExecutionTimeout = 7200" wide ascii
        $encrypted_key = "EncryptedKey" wide ascii
     
    condition:
        $ps_header at 0 and
        2 of ($func_*) and
        2 of ($aes_key, $rsa_provider, $iv_creation, $crypto_rng) and
        $verdant_ext and
        filesize < 5MB
}

Ransom Note Detection

rule VerdaCrypt_Ransom_Note_2025 {
    meta:
        description = "Detects VerdaCrypt Ransomware ransom note content"
        author = "Gridinsoft Research Team"
        date = "2025-04"
        severity = "high"
        version = "1.0"
     
    strings:
        // Unique strings from ransom note
        $title = "YOUR DIGITAL EXISTENCE HAS BEEN COMPROMISED" nocase wide ascii
        $intro = "INTRUSION PROTOCOL: VERDACRYPT - INITIATED" nocase wide ascii
        $onto = "ONTOLOGICAL DILEMMA: DATA SOVEREIGNTY" nocase wide ascii
        $rebirth = "RECOVERY PROCEDURE: THE PATH TO DIGITAL REBIRTH" nocase wide ascii
        $proton = "dendrogaster_88095@protonmail.com" wide ascii
        $crypto = "Bitcoin (BTC) quantum" nocase wide ascii
        $division = "Kugutsushi subdivision" nocase wide ascii
        $noncompliance = "CONSEQUENCES OF NON-COMPLIANCE: DIGITAL OBLITERATION" nocase wide ascii
         
        // Filename
        $filename = "!!!_READ_ME_!!!.txt" wide ascii
     
    condition:
        $filename or
        3 of ($title, $intro, $onto, $rebirth, $proton, $crypto, $division, $noncompliance)
}

Advanced Encryption Component Detection

rule VerdaCrypt_Encryption_Components_2025 {
    meta:
        description = "Detects VerdaCrypt encryption components through specific code patterns"
        author = "Gridinsoft Research Team"
        date = "2025-04"
        severity = "high"
        version = "1.1"
     
    strings:
        // Encryption function components
        $aes_create = "$AESKey = New-Object byte[] 32" wide ascii
        $rsa_encrypt = "$RSAEncryptor.Encrypt($AESKey, $false)" wide ascii
        $frombase64 = "ImportCspBlob([Convert]::FromBase64String" wide ascii
        $key_config = "KeyConfig" wide ascii nocase
         
        // Specific encryption parameters
        $create_aes = "New-Object System.Security.Cryptography.AesManaged" wide ascii
        $aes_mode = "CipherMode = [System.Security.Cryptography.CipherMode]::CBC" wide ascii
        $crypto_transform = "CreateEncryptor" wide ascii
         
        // File processing patterns
        $file_extension = "Path -replace '\\.[^.\\\\]+$', '.verdant'" wide ascii
        $read_buffer = "New-Object byte[]" wide ascii
        $crypto_stream = "System.Security.Cryptography.CryptoStream" wide ascii
        $memory_stream = "System.IO.MemoryStream" wide ascii
         
        // Verification functions
        $verify_encrypted = "Test-EncryptedFile" wide ascii
        $verify_content = "Compare-FileContent" wide ascii
     
    condition:
        4 of them and
        filesize < 10MB
}

Anti-Analysis and Evasion Techniques Detection

rule VerdaCrypt_AntiAnalysis_Techniques_2025 {
    meta:
        description = "Detects VerdaCrypt anti-analysis and evasion techniques"
        author = "Gridinsoft Research Team"
        date = "2025-04"
        severity = "high"
        version = "1.0"
     
    strings:
        // VM detection
        $vm_check = "Win32_ComputerSystem" wide ascii
        $vm_models = "VMware|VirtualBox|HVM|Virtual Machine|KVM|Xen" wide ascii
         
        // Analysis tools detection
        $tools_check = "Wireshark|Fiddler|OllyDbg|IDA Pro" wide ascii
        $sandbox_check = "C:\\analysis|C:\\sandbox" wide ascii
         
        // System checks for sandbox detection
        $ram_check = "TotalPhysicalMemory / 1GB" wide ascii
        $uptime_check = "LastBootUpTime" wide ascii
        $process_count = "Process).Count -lt" wide ascii
         
        // Evasion behaviors
        $analysis_exit = "Analysis environment detected, terminating execution" wide ascii
        $deceptive = "deceptive behavior" wide ascii
        $sleep_call = "Start-Sleep -Seconds" wide ascii
         
        // IsDebuggerPresent equivalent
        $isdebuggerpresent = "[System.Runtime.InteropServices.Marshal]::ReadInt32" wide ascii
        $timing_check = "Measure-Command" wide ascii
     
    condition:
        3 of ($vm_check, $vm_models, $tools_check, $sandbox_check) and
        2 of ($ram_check, $uptime_check, $process_count) and
        1 of ($analysis_exit, $deceptive, $sleep_call, $isdebuggerpresent, $timing_check)
}

Privilege Escalation Detection

rule VerdaCrypt_PrivilegeEscalation_2025 {
    meta:
        description = "Detects VerdaCrypt privilege escalation techniques"
        author = "Gridinsoft Research Team"
        date = "2025-04"
        severity = "high"
        version = "1.0"
     
    strings:
        // Admin check
        $admin_check = "IsInRole([Security.Principal.WindowsBuiltInRole]\"Administrator\")" wide ascii
         
        // UAC bypass methods
        $eventvwr_bypass = "eventvwr.exe" wide ascii
        $fodhelper_bypass = "fodhelper.exe" wide ascii
        $reg_consent = "ConsentPromptBehaviorAdmin" wide ascii
        $reg_secure = "PromptOnSecureDesktop" wide ascii
         
        // Registry modifications for UAC bypass
        $reg_mscfile = "HKCU:\\Software\\Classes\\mscfile\\shell\\open\\command" wide ascii
        $reg_msetting = "HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command" wide ascii
         
        // Command execution
        $process_start = "Start-Process" wide ascii
        $hidden_window = "WindowStyle Hidden" wide ascii
         
        // Cleanup after bypass
        $remove_reg = "Remove-Item -Path" wide ascii
     
    condition:
        $admin_check and
        2 of ($eventvwr_bypass, $fodhelper_bypass, $reg_consent, $reg_secure) and
        1 of ($reg_mscfile, $reg_msetting) and
        $process_start and $hidden_window
}

Security Feature Disabling Detection

rule VerdaCrypt_SecurityDisabling_2025 {
    meta:
        description = "Detects VerdaCrypt security feature disabling capabilities"
        author = "Gridinsoft Research Team"
        date = "2025-04"
        severity = "high"
        version = "1.0"
     
    strings:
        // Windows Defender disabling
        $disable_rt = "Set-MpPreference -DisableRealtimeMonitoring $true" wide ascii
        $disable_behavior = "DisableBehaviorMonitoring $true" wide ascii
        $disable_ioav = "DisableIOAVProtection $true" wide ascii
        $disable_script = "DisableScriptScanning $true" wide ascii
        $tamper_protection = "TamperProtection" wide ascii
         
        // Service manipulation
        $defender_services = "WdNisSvc|WinDefend|Sense" wide ascii
        $stop_service = "Stop-Service -Name" wide ascii
        $disable_startup = "Set-Service -Name" wide ascii
         
        // Firewall disabling
        $disable_firewall = "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False" wide ascii
         
        // Event logging disabling
        $disable_eventlog = "IsEnabled = $false" wide ascii
        $event_log_names = "Microsoft-Windows-PowerShell/Operational|Windows PowerShell|Microsoft-Windows-WMI-Activity" wide ascii
         
        // Process creation policies
        $cmdline_logging = "ProcessCreationIncludeCmdLine_Enabled" wide ascii
     
    condition:
        2 of ($disable_rt, $disable_behavior, $disable_ioav, $disable_script, $tamper_protection) and
        1 of ($defender_services, $stop_service, $disable_startup) and
        1 of ($disable_firewall, $disable_eventlog, $event_log_names, $cmdline_logging)
}

Propagation Methods Detection

rule VerdaCrypt_Propagation_2025 {
    meta:
        description = "Detects VerdaCrypt network and USB propagation methods"
        author = "Gridinsoft Research Team"
        date = "2025-04"
        severity = "high"
        version = "1.0"
     
    strings:
        // USB propagation
        $usb_query = "InterfaceType='USB'" wide ascii
        $autorun_creation = "autorun.inf" wide ascii
        $autorun_content = "[AutoRun]" wide ascii
         
        // Malicious LNK creation
        $lnk_creation = "CreateShortcut" wide ascii
        $wsh_shell = "WScript.Shell" wide ascii
        $hide_attribute = "Attributes -Value ([System.IO.FileAttributes]::Hidden)" wide ascii
         
        // Network propagation
        $network_share = "Win32_Share" wide ascii
        $copy_network = "\\\\$computerName" wide ascii
        $common_shares = "C$|admin$|IPC$|Users|SharedDocs|Public" wide ascii
         
        // Remote execution
        $wmi_method = "Invoke-WmiMethod" wide ascii
        $process_create = "Win32_Process -Name Create" wide ascii
        $remote_powershell = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass" wide ascii
     
    condition:
        (2 of ($usb_query, $autorun_creation, $autorun_content) or
         2 of ($lnk_creation, $wsh_shell, $hide_attribute)) and
        (2 of ($network_share, $copy_network, $common_shares) or
         2 of ($wmi_method, $process_create, $remote_powershell))
}

Memory-Based Detection for Running Processes

rule VerdaCrypt_Memory_Fingerprint_2025 {
    meta:
        description = "Detects VerdaCrypt in-memory indicators"
        author = "Gridinsoft Research Team"
        date = "2025-04"
        severity = "high"
        version = "1.0"
        memory_scan = "true"
     
    strings:
        // Memory artifacts from the encryption routine. PowerShell keeps script text as
        // UTF-16 in process memory, so the wide modifier is required for memory scans.
        $mem_aes = "$AESKey = New-Object byte[] 32" wide ascii
        $mem_iv  = "New-Object byte[] 16" wide ascii
        $mem_rsa = "RSACryptoServiceProvider" wide ascii
         
        // Process arguments
        $exec_bypass   = "-ExecutionPolicy Bypass" wide ascii
        $window_hidden = "-WindowStyle Hidden" wide ascii
         
        // Encrypted file signature
        $encrypted_header = { 56 44 43 52 59 50 54 00 }  // "VDCRYPT\x00" header
     
    condition:
        // RSACryptoServiceProvider and "byte[] 16" occur in many .NET processes on their
        // own, so require two encryption artifacts or both launch arguments together
        2 of ($mem_*) or
        ($exec_bypass and $window_hidden) or
        $encrypted_header
}

Usage Recommendations

These YARA rules should be used as part of a defense-in-depth strategy:

  • Deploy the PowerShell script detection rule for file-based detection on endpoints and email gateways
  • Implement the ransom note detection rule for early identification of successful infections
  • Use the anti-analysis, privilege escalation, and security disabling rules for behavioral detection
  • Apply the memory-based rule for runtime detection of active VerdaCrypt processes
  • Combine multiple rules in a comprehensive detection policy to increase detection probability

Organizations should adapt these rules to their specific environments, adding any organization-specific exclusions to reduce false positives while maintaining detection capabilities.

Enhanced Mitigation and Protection Strategies

Based on our comprehensive analysis of VerdaCrypt’s code and behavior, we recommend these specific defensive measures:

PowerShell Security Controls

  • Enable PowerShell Logging:
    • Enable Script Block Logging (event 4104 in Microsoft-Windows-PowerShell/Operational) by setting EnableScriptBlockLogging = 1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging; this records the de-obfuscated script text even when it arrives via -EncodedCommand
    • Enable Module Logging (event 4103) by setting EnableModuleLogging = 1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging and creating a value named * with data * under its ModuleNames subkey
    • Enable command-line auditing for Security event 4688 with Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Type DWord -Value 1 (create the Audit key first if it is missing) together with success auditing of Process Creation; this is what makes the vssadmin, bcdedit and sc command lines listed above visible
    • Enable Protected Event Logging so logged script blocks are encrypted with a collector-held certificate, and forward logs to a central collector so a local log wipe does not destroy the evidence
  • Constrained Language Mode: Enforce CLM through AppLocker or WDAC script enforcement. The $env:__PSLockdownPolicy = 4 environment variable also triggers it but is unsupported and undone by any script that can set an environment variable, so it is not a security boundary
  • Just Enough Administration (JEA): Implement JEA configurations to limit PowerShell capabilities to only what is necessary for legitimate administrative tasks
  • AMSI Integration: Ensure your security solutions are integrated with AMSI to detect malicious scripts before execution
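
The logging settings above are simple to get wrong because several similarly named keys exist. The PowerShell below is an added example for this page, not Gridinsoft's own script: it applies Script Block Logging, Module Logging, transcription and 4688 command-line auditing through the documented policy paths and enlarges the PowerShell operational log so the new events are not rotated away within hours. The transcript directory C:\PSTranscripts is an assumption; in production point it at a write-only share with a restrictive ACL. Protected Event Logging is left out because it needs a collector certificate.

```powershell
# Added hardening example (not Gridinsoft code). Run from an elevated 64-bit PowerShell.
function Set-RegDword($Path, $Name, [int]$Value) {
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging -> Microsoft-Windows-PowerShell/Operational event 4104
Set-RegDword "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module Logging for every module -> event 4103 (value name "*" with data "*")
Set-RegDword "$ps\ModuleLogging" 'EnableModuleLogging' 1
if (-not (Test-Path -LiteralPath "$ps\ModuleLogging\ModuleNames")) {
    New-Item -Path "$ps\ModuleLogging\ModuleNames" -Force | Out-Null
}
New-ItemProperty -Path "$ps\ModuleLogging\ModuleNames" -Name '*' -PropertyType String -Value '*' -Force | Out-Null

# Transcription with invocation headers; directory is an assumed placeholder
Set-RegDword "$ps\Transcription" 'EnableTranscripting' 1
Set-RegDword "$ps\Transcription" 'EnableInvocationHeader' 1
New-ItemProperty -Path "$ps\Transcription" -Name 'OutputDirectory' -PropertyType String -Value 'C:\PSTranscripts' -Force | Out-Null

# Command line in Security event 4688; the subcategory must also be audited for success
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled' 1
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

# 4104 events are verbose; raise the operational log from its 15 MB default to 256 MB
wevtutil.exe sl Microsoft-Windows-PowerShell/Operational /ms:268435456

# Verify what was written
Get-ItemProperty -Path "$ps\ScriptBlockLogging", "$ps\ModuleLogging", "$ps\Transcription" | Format-List
```

If audit policy is managed by Group Policy, the local auditpol change is overwritten at the next refresh, so set "Audit Process Creation" in the GPO as well. Script Block Logging records the script text that attackers may also read from the event log, so forward the operational log off-host promptly.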

Defense Against VerdaCrypt’s Specific Evasion Techniques

  • UAC Bypass Mitigation:
    • Set UAC to "Always notify" (ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1) through Group Policy; the fodhelper and eventvwr bypasses rely on silent auto-elevation, which this level turns off
    • Monitor registry paths commonly used for UAC bypass (e.g., HKCU:\Software\Classes\ms-settings\shell\open\command and HKCU:\Software\Classes\mscfile\shell\open\command), which legitimate software does not create
    • Use standard-user accounts for daily work rather than Protected Administrator accounts: with no split token to auto-elevate, a bypass gains nothing and elevation always requires entering separate administrator credentials
  • Anti-Analysis Countermeasures:
    • Deploy deception technology that simulates analysis environments to trigger malware’s evasion behavior
    • Implement memory-based detection to identify evasion attempts
    • Monitor for suspicious system property queries commonly used for sandbox detection
  • Security Feature Protection:
    • Enable Tamper Protection in Windows Defender
    • Use Group Policy to lock down security settings and prevent modifications
    • Implement Security Center monitoring for disabled security features
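A host posture check for the three controls above (UAC level, the monitored ms-settings registry path, and Defender tamper protection), as an added example that is not VerdaCrypt's code and not a vendor tool; it relies only on built-in cmdlets:

```powershell
function Get-VerdaCryptEvasionPosture {
    # Added example: report whether the UAC, registry and Defender controls
    # recommended above are in the expected state. Run elevated; the HKCU check
    # only covers the current user's hive, so run it under each interactive profile.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -ErrorAction SilentlyContinue
    # "Always notify" is EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1.
    $alwaysNotify = ($uac.EnableLUA -eq 1 -and
                     $uac.ConsentPromptBehaviorAdmin -eq 2 -and
                     $uac.PromptOnSecureDesktop -eq 1)

    # Windows never creates this per-user handler on its own; if it exists,
    # something planted it, which is the residue the bullet above says to monitor.
    $hijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    $hijackCmd = $null
    if (Test-Path $hijackKey) {
        $hijackCmd = (Get-ItemProperty -Path $hijackKey).'(default)'
    }

    # Defender state from the built-in Defender module.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UacAlwaysNotify        = $alwaysNotify
        MsSettingsHandlerFound = (Test-Path $hijackKey)
        MsSettingsHandlerValue = $hijackCmd
        TamperProtected        = [bool]$mp.IsTamperProtected
        RealTimeProtection     = [bool]$mp.RealTimeProtectionEnabled
        BehaviorMonitoring     = [bool]$mp.BehaviorMonitorEnabled
    }
}

$posture = Get-VerdaCryptEvasionPosture
$posture | Format-List
# Any $false value, or a non-empty handler value, is a finding worth a ticket.
if (-not $posture.UacAlwaysNotify -or $posture.MsSettingsHandlerFound -or -not $posture.TamperProtected) {
    Write-Warning 'Host is exposed to the UAC bypass / security-disabling behaviour described above.'
}
```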

Preventing VerdaCrypt’s Propagation Methods

  • USB Protection:
    • Disable autorun functionality with reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f
    • Implement device control solutions to restrict USB usage to authorized devices only
    • Deploy endpoint security that scans removable media before allowing access
  • Network Segmentation:
    • Implement VLAN segmentation to isolate critical systems
    • Use host-based firewalls to restrict SMB traffic between endpoints
    • Implement privileged access workstations for administrative tasks
  • Credential Protection:
    • Use Credential Guard to protect against token theft and pass-the-hash attacks
    • Implement time-based access tokens with short expiration periods
    • Apply the principle of least privilege to limit administrative account usage

Recovery Preparedness Specific to VerdaCrypt

  • Shadow Copy Protection:
    • Create and maintain offline backups that VerdaCrypt cannot access
    • Implement shadow copy protection with tools that monitor and prevent deletion commands
    • Use backup solutions that require separate authentication from domain credentials
  • File Recovery Strategy:
    • Maintain versioned backups to recover files from before the encryption
    • Implement a 3-2-1 backup strategy (3 copies, 2 different media, 1 offsite)
    • Regularly test backup restoration processes in isolated environments
  • Incident Response Plan:
    • Develop a ransomware-specific incident response playbook
    • Conduct tabletop exercises to practice the response to a VerdaCrypt infection
    • Establish isolated communication channels for use during a ransomware incident

Code Analysis: Key Features of VerdaCrypt’s PowerShell Implementation

The PowerShell implementation of VerdaCrypt reveals several sophisticated programming techniques that contribute to its effectiveness:

Modular Architecture

VerdaCrypt’s code is highly modular, with distinct functional components:

# Main file structure showing modular design
Verdacrypt-Z.ps1
|-- Configuration Variables
|-- Utility Functions
    |-- Write-Log
    |-- Test-AlreadyRunning
    |-- Convert-ToSecureString
|-- Anti-Analysis Module
    |-- Test-AnalysisEnvironment
    |-- Get-SystemFingerprint
    |-- Invoke-DeceptiveBehavior
|-- Privilege Escalation Module
    |-- Invoke-PrivilegeEscalation
    |-- Get-AdminToken
|-- Security Disabling Module
    |-- Disable-SecurityFeatures
    |-- Remove-EventLogs
|-- Persistence Module
    |-- Register-Persistence
    |-- Install-StartupItems
|-- Encryption Module
    |-- Invoke-FileEncryption
    |-- Start-FileEncryption
    |-- Process-TargetFiles
|-- Propagation Module
    |-- Invoke-USBPropagation
    |-- Invoke-NetworkPropagation
|-- Ransom Module
    |-- Create-RansomNote
    |-- Setup-Communication
|-- Main Execution Flow

This modular design allows the ransomware to:

  • Selectively deploy only the components needed for a specific environment
  • Update individual modules without changing the entire codebase
  • Customize behavior based on target characteristics
  • Hide its full capabilities by loading modules only when needed

Advanced Error Handling

VerdaCrypt implements sophisticated error handling to ensure operational continuity even when specific functions fail:

# Example of the ransomware's error handling approach
function Invoke-CriticalFunction {
    param([string]$TargetPath)
     
    try {
        # Primary method
        $result = Primary-Operation -Path $TargetPath
        if ($result) {
            return $result
        }
        throw "Primary method failed silently"
    }
    catch [System.UnauthorizedAccessException] {
        Write-Log "Access denied, attempting elevation"
        if (Invoke-PrivilegeEscalation) {
            # Retry with elevated privileges
            return Invoke-CriticalFunction -TargetPath $TargetPath
        }
    }
    catch [System.IO.IOException] {
        Write-Log "IO Exception, attempting alternative method"
        # Fall back to alternative method
        return Alternative-Operation -Path $TargetPath
    }
    catch {
        Write-Log "Unexpected error: $_"
        if ($EnableFallbacks) {
            # Fall back to basic functionality
            return Basic-Operation -Path $TargetPath
        }
    }
    finally {
        # Clean up regardless of success or failure
        if (Test-Path -Path "$TargetPath.tmp") {
            Remove-Item -Path "$TargetPath.tmp" -Force -ErrorAction SilentlyContinue
        }
    }
}

This sophisticated error handling ensures that:

  • The ransomware continues operating even when specific functions encounter errors
  • Failed operations trigger alternative approaches rather than terminating execution
  • Evidence of failed attempts is removed to avoid detection
  • Detailed error information is logged for the attackers but not exposed in ways that facilitate analysis

Dynamic Code Execution

VerdaCrypt makes extensive use of PowerShell’s dynamic code execution capabilities:

# Dynamic code execution techniques
function Execute-DynamicCode {
    # Obfuscated function names and parameters
    $functionNames = @{
        "Encrypt" = "Invoke-FileEncryption"
        "Elevate" = "Invoke-PrivilegeEscalation"
        "Persist" = "Register-Persistence"
    }
     
    # Dynamically build and execute code
    $encodedCommand = "JGZpbGVzID0gR2V0LUNoaWxkSXRlbSAkZW52OlVTRVJQUk9GSUxFIC1SZWN1cnNlIC1GaWx0ZXIgKi5kb2N4"
    $decodedCommand = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encodedCommand))
     
    # Execute with Invoke-Expression (IEX)
    $result = Invoke-Expression $decodedCommand
     
    # Alternative: ScriptBlock creation and invocation
    $scriptBlock = [ScriptBlock]::Create($decodedCommand)
    $result = & $scriptBlock
     
    # Dynamic parameter creation and function invocation
    $parameters = @{
        "TargetPath" = $env:USERPROFILE
        "Recursive" = $true
        "Force" = $true
    }
     
    & $functionNames["Encrypt"] @parameters
}

These dynamic execution techniques allow VerdaCrypt to:

  • Evade static analysis by assembling code at runtime
  • Hide its true functionality until execution
  • Bypass security controls that rely on signature-based detection
  • Adapt its behavior based on the environment it discovers during execution
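Detection logic for the dynamic-execution markers shown in the snippet above, as an added example that is not part of this analysis or of the ransomware: it scores script-block text of the kind Event ID 4104 records and decodes embedded Base64 literals so the hidden command can be inspected. The sample input is constructed to mirror the snippet and nothing in it is executed:

```powershell
# Added example: flag script-block text that assembles code at runtime.
# Regexes are literal matches for the calls quoted in the snippet above.
$DynamicExecPatterns = @{
    InvokeExpression  = '\b(Invoke-Expression|IEX)\b'
    Base64Decode      = '\[(System\.)?Convert\]::FromBase64String'
    ScriptBlockCreate = '\[ScriptBlock\]::Create\s*\('
    SplattedCallOp    = '&\s*\$\w+\[.*\]\s*@\w+'     # & $table["Encrypt"] @parameters
}

function Get-Base64Payloads {
    param([string]$Text)
    # Decode quoted Base64 literals of 40+ chars; short ones are usually noise.
    foreach ($m in [regex]::Matches($Text, '["'']([A-Za-z0-9+/]{40,}={0,2})["'']')) {
        try { [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
        catch { }   # not valid Base64 after all; ignore
    }
}

function Test-DynamicExecution {
    param([string]$ScriptText)
    $decoded = @(Get-Base64Payloads -Text $ScriptText)
    $hits = @(foreach ($name in $DynamicExecPatterns.Keys) {
        if ($ScriptText -match $DynamicExecPatterns[$name]) { $name }
    })
    [pscustomobject]@{
        Hits       = $hits
        Decoded    = $decoded
        Suspicious = ($hits.Count -ge 2)   # two or more markers together: escalate
    }
}

# Live use (requires Script Block Logging): Properties[2] of a 4104 event is ScriptBlockText.
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { Test-DynamicExecution -ScriptText $_.Properties[2].Value } |
#     Where-Object Suspicious

# Constructed sample mirroring the snippet above; it is text only and is never run.
$sample = @'
$e = "JGZpbGVzID0gR2V0LUNoaWxkSXRlbSAkZW52OlVTRVJQUk9GSUxFIC1SZWN1cnNlIC1GaWx0ZXIgKi5kb2N4"
$d = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($e))
$r = Invoke-Expression $d
'@
Test-DynamicExecution -ScriptText $sample | Format-List
```

On the sample the result lists the InvokeExpression and Base64Decode hits, shows the decoded Get-ChildItem command against the user profile, and sets Suspicious to true.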

Conclusion

VerdaCrypt represents a sophisticated evolution in PowerShell-based ransomware, combining advanced technical capabilities with psychological manipulation tactics designed to maximize victim compliance. Its modular architecture, comprehensive anti-analysis features, and multiple persistence mechanisms make it a significant threat to organizations across various sectors.

Key characteristics that distinguish VerdaCrypt include:

  • A fully PowerShell-based implementation that reduces the detection footprint
  • Sophisticated encryption approach targeting over 100 file types across multiple categories
  • Comprehensive security disabling capabilities when run with administrative privileges
  • Multiple propagation methods including USB drives and network scanning
  • Philosophical framing of extortion demands to manipulate victims psychologically

Organizations can protect themselves by implementing defense-in-depth strategies with specific focus on PowerShell security, maintaining robust offline backups, implementing access controls that follow the principle of least privilege, and developing comprehensive incident response plans. As ransomware continues to evolve, maintaining vigilance and implementing proactive security measures remains the most effective approach to mitigating these sophisticated threats.

VerdaCrypt should be considered a high-priority threat due to its technical sophistication and the comprehensive nature of its attack capabilities. Security teams should implement the detection and mitigation strategies outlined in this analysis to protect their organizations from this emerging threat.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.

