
VerdaCrypt Ransomware: Analysis of the PowerShell-Based Cryptoviral Extortion Tool

VerdaCrypt is a PowerShell-based ransomware that combines hybrid AES-256/RSA-2048 file encryption with psychological manipulation to extort victims. Built as a set of modules with anti-analysis checks, it targets more than 100 file types across documents, media, archives, databases and source code. The threat actor behind VerdaCrypt, self-identified as the "Kugutsushi subdivision," uses philosophically framed extortion messages and demands payment in Bitcoin. This analysis examines VerdaCrypt's technical implementation, distribution vectors and targeted file types, lists indicators of compromise, and provides mitigation strategies organizations can apply against this threat.

Threat Summary

  • Threat Type: Ransomware, File Encryptor, Data Exfiltration (threatened in the ransom note; see the double-extortion discussion below)
  • Sample Hash: a1ec0e24579de82840b019831252d73784f4ea5c4c16461103176bcc40cc1376
  • Encrypted File Extension: .verdant
  • Ransom Note: !!!_READ_ME_!!!.txt
  • Contact Method: Protonmail (dendrogaster_88095@protonmail.com)
  • Implementation: PowerShell-based (Verdacrypt-Z.ps1)
  • Encryption: AES-256 + RSA-2048
  • Threat Severity: High (10/10 in Triage analysis)
  • Targeted Systems: Windows workstations and servers

Introduction to VerdaCrypt Ransomware

VerdaCrypt is a newly discovered ransomware variant that represents a concerning evolution in PowerShell-based malware. First identified in April 2025, this ransomware combines sophisticated encryption techniques with advanced anti-analysis capabilities and psychological manipulation tactics. What sets VerdaCrypt apart from other ransomware families is its modular architecture, philosophical framing of extortion demands, and comprehensive targeting of sensitive data types.

The ransomware identifies itself as a product of the “Kugutsushi subdivision,” a previously undocumented threat actor. Unlike many ransomware strains that focus solely on encryption speed, VerdaCrypt prioritizes stealth, persistence, and psychological impact, making it particularly dangerous to targeted organizations.

This analysis is based on the examination of a PowerShell script named “Verdacrypt-Z.ps1” and related intelligence gathered from security researchers and incident response teams. The threat demonstrates both technical sophistication and social engineering expertise, positioning it as a significant concern for organizations across multiple sectors.

Technical Features of VerdaCrypt Ransomware

VerdaCrypt exhibits several advanced technical characteristics that make it particularly effective and difficult to detect or mitigate:

  • PowerShell-based implementation: The ransomware is written in PowerShell and delivered as a script rather than a compiled executable. It is not truly fileless: the script and its persistence copies are written to disk (see the file system artifacts below), and on PowerShell 5 and later the script content passes through AMSI at run time, so an AMSI-aware antivirus still sees it.
  • Modular architecture: VerdaCrypt employs a modular design with separate components for core functionality, persistence, encryption, anti-detection, propagation, and payload delivery, allowing the threat actors to update or customize specific capabilities without touching the rest.
  • Hybrid encryption system: Uses AES-256 for file encryption and RSA-2048 to wrap the AES key. If the scheme is implemented correctly, decrypting files without the operators' private key is computationally infeasible; in practice the only route to free decryption is an implementation mistake, such as a file key left on disk or in memory, or a weak random number source.
  • Comprehensive targeting: The ransomware targets over 100 different file extensions across multiple categories including documents, media files, archives, database files, and development files.
  • Shadow copy elimination: Before beginning encryption, VerdaCrypt deletes Windows Volume Shadow Copies (via vssadmin, wmic and wbadmin, see the command-line indicators below) so that Previous Versions and System Restore cannot be used for recovery.
  • Anti-analysis techniques: The ransomware includes checks for virtual machines, sandbox environments, and security tools, and changes its behavior depending on the environment it detects.
  • Cross-process operation: VerdaCrypt can inject itself into legitimate Windows processes like explorer.exe and svchost.exe to evade detection and maintain persistence.
  • Multi-stage propagation: The ransomware attempts to spread via USB drives using an autorun.inf file and LNK shortcuts disguised as folders. The LNK component is social engineering, not an exploit of the shortcut parser.

One of the most notable aspects of VerdaCrypt is its active disabling of security features. The ransomware attempts to disable Windows Defender, Windows Firewall, and other security protections through registry modifications and service tampering, significantly increasing the risk of successful encryption if executed with administrative privileges.

[Figure: VerdaCrypt ransomware attack chain. Initial Execution (PowerShell script) -> Anti-Analysis (VM/sandbox detection) -> Privilege Escalation (UAC bypass techniques) -> Security Disabling (Defender/Firewall) -> Persistence (registry, WMI, scheduled tasks) -> Backup Deletion (shadow copy removal) -> File Encryption (AES-256 + RSA-2048) -> Ransom Note (!!!_READ_ME_!!!.txt) -> Extortion (ProtonMail contact) -> Propagation (USB/network spread). Primary target file extensions: .doc, .pdf, .jpg, .mp4, .zip, .sql, .psd, .py, .java, .php, .html, .xlsx, .ppt, .txt, .bak, .vhd, .ova, .xml, .json, .cpp, .cs]

Source: Analysis of VerdaCrypt ransomware PowerShell script components and execution flow, 2025

Targeted File Types and Encryption Strategy

VerdaCrypt casts an extraordinarily wide net in terms of targeted file types, focusing on maximum impact across various data types that might be valuable to victims. The ransomware targets over 100 different file extensions across multiple categories:

[Figure: VerdaCrypt targeted file categories by share of the extension list. Documents 30% (.doc, .pdf, .txt, .rtf, ...); Media Files 25% (.jpg, .mp4, .png, .mp3, ...); Development 15% (.py, .cpp, .java, .php, ...); Archives 12% (.zip, .rar, .7z, ...); Databases 10% (.sql, .db, .sqlite, ...); System/Backups 8% (.bak, .vhd, .log, ...)]

Source: Analysis of VerdaCrypt target extensions from PowerShell script, 2025

The encryption process follows a sophisticated methodology:

  1. File discovery: The ransomware scans multiple directories, including user profiles, cloud storage locations, application data, and development environments to locate valuable files.
  2. Key generation: For each infection, VerdaCrypt generates a unique AES-256 key and a secure initialization vector (IV).
  3. Batch processing: Files are encrypted in batches to optimize performance, with the potential for parallel encryption on multi-core systems.
  4. In-place encryption: Rather than writing a new file and deleting the original, the ransomware overwrites each file's contents in place and then appends the ".verdant" extension. Because the plaintext is overwritten rather than unlinked, file-carving and undelete tools will not recover pre-encryption copies; recovery depends on backups held off the host.
  5. Key protection: The AES key used for file encryption is itself encrypted with RSA-2048, so only the holder of the matching private key can unwrap it. This guarantee is only as strong as the implementation: a responder should still check memory dumps and temporary files for the unwrapped key before concluding that decryption without the operators is impossible.

The encryption routine includes checks to avoid encrypting files already in use by the system, which helps the ransomware maintain stealth by not crashing the operating system during encryption. This selective approach coupled with the wide range of targeted file types maximizes the likelihood of encrypting critical user data.
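
The following is an added example for the responder side of the process just described; it is not code from the VerdaCrypt script or from the original article. It walks a directory tree for ".verdant" files, measures the Shannon entropy of the first 4 KiB to confirm the content really is ciphertext (because encryption is in place, a low-entropy ".verdant" file is one that was renamed but not encrypted, which matters for recovery), recovers the original extension from the name, and bounds the encryption window from file timestamps. The 7.5 bits-per-byte threshold and the example path are assumptions.

```powershell
# Added example (defender-side triage; not code from the VerdaCrypt script).
# Measures entropy of *.verdant files to separate real ciphertext from
# renamed-only files, groups by original extension, and bounds the
# encryption window. Threshold is an assumption, not a value from the sample.

function Get-ByteEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $n = [double]$Bytes.Length
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

function Get-VerdantTriage {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$SampleBytes = 4096,
        [double]$EntropyThreshold = 7.5   # assumed: AES output scores ~7.9+, most plaintext formats well below
    )
    $files = Get-ChildItem -Path $Root -Filter '*.verdant' -File -Recurse -Force -ErrorAction SilentlyContinue
    $rows = foreach ($f in $files) {
        $buf = New-Object byte[] $SampleBytes
        $fs  = [System.IO.File]::OpenRead($f.FullName)
        try { $read = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
        $sample = if ($read -gt 0) { [byte[]]$buf[0..($read - 1)] } else { [byte[]]@() }
        $h = Get-ByteEntropy -Bytes $sample
        # "report.docx.verdant" -> original extension ".docx"
        $orig = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($f.Name))
        [pscustomobject]@{
            Path           = $f.FullName
            OrigExt        = if ($orig) { $orig.ToLower() } else { '(none)' }
            SizeBytes      = $f.Length
            Entropy        = [Math]::Round($h, 2)
            LooksEncrypted = ($h -ge $EntropyThreshold)
            LastWriteUtc   = $f.LastWriteTimeUtc
        }
    }
    $sorted = @($rows | Sort-Object LastWriteUtc)
    [pscustomobject]@{
        Files         = $sorted
        Total         = $sorted.Count
        Encrypted     = @($sorted | Where-Object { $_.LooksEncrypted }).Count
        ByOrigExt     = $sorted | Group-Object OrigExt | Sort-Object Count -Descending | Select-Object Name, Count
        FirstWriteUtc = if ($sorted.Count) { $sorted[0].LastWriteUtc } else { $null }
        LastWriteUtc  = if ($sorted.Count) { $sorted[-1].LastWriteUtc } else { $null }
    }
}

# Usage against a mounted evidence image (the path is an example):
#   $t = Get-VerdantTriage -Root 'E:\image\Users'
#   $t | Select-Object Total, Encrypted, FirstWriteUtc, LastWriteUtc
#   $t.ByOrigExt
#   $t.Files | Where-Object { -not $_.LooksEncrypted }   # renamed but possibly intact
```

Run it against a read-only mount of the evidence image rather than the live host, so the timestamps it reports are not disturbed. The first/last write times give the encryption window to correlate with PowerShell 4104 and process-creation events, and the per-extension counts show which data sets were hit hardest.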

Distribution and Infection Methods

VerdaCrypt employs multiple sophisticated distribution techniques to reach its targets. Based on the analysis of the PowerShell script and related intelligence, the following primary infection vectors have been identified:

  • Phishing campaigns: Carefully crafted emails containing the PowerShell script as an attachment or links to download the script from compromised or attacker-controlled websites.
  • Living-off-the-land techniques: The payload runs under powershell.exe, a signed Microsoft binary. An application allow-list that permits PowerShell but does not restrict which scripts it may run, or does not enforce Constrained Language Mode, therefore does not stop it.
  • Supply chain compromises: Evidence suggests possible distribution through compromised software updates or packages to target specific organizations.
  • Remote access exploitation: Targeting of exposed RDP, VPN, or other remote access services to manually deploy the ransomware within compromised networks.

Once executed, VerdaCrypt demonstrates a comprehensive approach to establishing persistence:

  1. Registry modifications: Creates autorun keys in multiple registry locations to survive system reboots.
  2. Scheduled tasks: Establishes scheduled tasks with multiple triggers to ensure consistent execution even if some are discovered and removed.
  3. WMI event subscriptions: Creates persistent WMI event subscriptions that trigger the ransomware when specific system events occur.
  4. DLL hijacking: Attempts to perform DLL hijacking on certain system libraries if administrative privileges are obtained.
  5. Process injection: Injects malicious code into legitimate processes like explorer.exe and svchost.exe to evade detection.
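
As an added example (defender-side, not code from the VerdaCrypt script or the original article), the script below enumerates the persistence locations listed in steps 1 to 3 and the Startup folder and flags entries that launch PowerShell or a .ps1 file. Run it elevated so that HKLM tasks and the root\subscription WMI namespace are visible. The regular expression is an assumption tuned to the indicators in this report, not a signature for the sample.

```powershell
# Added example (defender-side hunt; not code from the VerdaCrypt script).
# Lists Run/RunOnce values, scheduled-task actions, WMI event consumers and
# bindings, and Startup-folder scripts that would launch PowerShell.
$PsPattern = 'powershell(\.exe)?|\bpwsh\b|-e(nc|ncodedcommand)?\s|\.ps1\b'   # assumed pattern

function Get-SuspiciousRunKeys {
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($p in $paths) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            if ($cmd -match $PsPattern) {
                [pscustomobject]@{ Source = 'RunKey'; Location = "$p\$name"; Command = $cmd }
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $PsPattern) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
}

function Get-WmiPersistence {
    # A CommandLineEventConsumer in root\subscription is rare on a workstation; every one deserves review.
    $ns = 'root\subscription'
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'WMIConsumer'; Location = "CommandLineEventConsumer:$($c.Name)"; Command = $c.CommandLineTemplate }
    }
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'WMIBinding'; Location = "$($b.Filter)"; Command = "-> $($b.Consumer)" }
    }
}

function Get-StartupFolderScripts {
    $dirs  = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    $globs = $dirs | ForEach-Object { Join-Path $_ '*' }
    foreach ($f in Get-ChildItem -Path $globs -Include '*.ps1','*.lnk','*.bat','*.vbs' -File -Force -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'StartupFolder'; Location = $f.FullName; Command = $f.Name }
    }
}

$findings = @(Get-SuspiciousRunKeys) + @(Get-SuspiciousScheduledTasks) + @(Get-WmiPersistence) + @(Get-StartupFolderScripts)
$findings | Format-Table Source, Location, Command -AutoSize -Wrap
```

Every WMI consumer and binding is printed unfiltered on purpose: legitimate ones are uncommon enough on workstations that reviewing the full list is cheaper than tuning a filter. Compare the output against a known-good baseline from the same image rather than judging entries in isolation.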

A particularly concerning aspect of VerdaCrypt is its attempt to spread within networks and via removable media:

  • USB propagation: Creates hidden copies of itself on USB drives, along with malicious LNK files designed to appear as legitimate folders like "Documents" or "Photos" to trick users into executing the ransomware. This lure is the part of the USB vector that still works on current Windows versions.
  • Autorun exploitation: Places autorun.inf files on USB drives. Since Windows 7 (and update KB971029 for earlier versions) Windows ignores autorun.inf on removable USB storage, so this vector only affects legacy or deliberately misconfigured hosts.
  • Network scanning: Searches for open network shares to encrypt remote files and potentially spread to other systems.

These distribution and persistence techniques demonstrate a level of sophistication typically associated with advanced threat actors, suggesting that VerdaCrypt may be operated by an experienced cybercriminal group with significant technical expertise.

Ransom Demands and Threat Actor Behavior

One of the most distinctive aspects of VerdaCrypt is its ransom note, which differs from typical ransomware in both style and content. The ransom note titled “!!!_READ_ME_!!!.txt” employs sophisticated language and philosophical framing to manipulate victims:

Y O U R D I G I T A L E X I S T E N C E H A S B E E N C O M P R O M I S E D.

INTRUSION PROTOCOL: VERDACRYPT - INITIATED.

Your critical infrastructure has suffered a catastrophic security event. A sophisticated cryptoviral payload, designated VerdaCrypt, has successfully breached your system's perimeter and executed a multi-layered encryption cascade. All sensitive data, including but not limited to proprietary documents, personal archives, multimedia assets, and databases, are now rendered cryptographically inert and irretrievable without our intervention.

ONTOLOGICAL DILEMMA: DATA SOVEREIGNTY & THE TRANSCENDENCE OF VALUE.

Consider this not merely an act of digital extortion, but a stark ontological reassessment of your data's intrinsic worth. In this hyper-connected, late-capitalist paradigm, information is the ultimate commodity. You have operated under the illusion of control, hoarding digital wealth without acknowledging its inherent precarity. We are the catalysts of disruption, forcing a necessary reckoning with the ephemeral nature of digital sovereignty. Your data, now under our dominion, will only regain utility through a transactional exchange – a tribute to its true, albeit previously unacknowledged, value.

RECOVERY PROCEDURE: THE PATH TO DIGITAL REBIRTH.

While your current digital state is one of enforced entropy, a path to restoration exists. We possess the asymmetric decryption keys necessary to reverse the algorithmic entropy we have imposed. However, access to this vital instrument is contingent upon your adherence to the following directives:

1. SYSTEMIC QUIESCENCE MANDATORY: Cease all unauthorized remediation attempts. Any interference with the encrypted file system may induce irreversible data corruption and invalidate any potential for decryption. Further, any attempts at forensic analysis or network tracing will be met with escalated countermeasures.

2. SECURE CHANNEL ESTABLISHMENT VIA PROTONMAIL: Initiate encrypted communication through the Protonmail platform. Contact us at: dendrogaster_88095@protonmail.com. Utilize a separate, uncompromised device for this communication.

3. FINANCIAL TRANSCENDENCE PROTOCOL: Prepare for a financial exchange commensurate with the value you ascribe to your compromised data. Detailed payment instructions, including the precise Bitcoin (BTC) quantum required for decryption key acquisition, will be provided upon initial contact. Be advised: the value proposition is dynamic and subject to escalation based on temporal delays and perceived resistance.

CONSEQUENCES OF NON-COMPLIANCE: DIGITAL OBLITERATION.

Failure to adhere to these directives will result in the permanent cryptographic lockdown of your data assets. Furthermore, depending on the perceived recalcitrance and value of the exfiltrated data, we may initiate a phased data dissemination protocol, exposing your proprietary information to public and competitive vectors. Your digital legacy hangs in the balance.

VerdaCrypt - Kugutsushi subdivision.

This ransom note reveals several key insights about the threat actor:

  • Sophisticated psychological tactics: The use of philosophical terminology and concepts creates an intellectual framing that attempts to normalize the extortion and position the attackers as sophisticated operators rather than criminals.
  • Double-extortion strategy: The threat of data dissemination (“phased data dissemination protocol”) suggests the ransomware may also exfiltrate data before encryption, enabling additional leverage through threatened leaks.
  • Organizational structure: The reference to “Kugutsushi subdivision” implies a structured criminal organization with different operational units, potentially indicating a larger threat actor ecosystem.
  • Operational security focus: The instructions to use ProtonMail from an uncompromised device and the warnings against forensic analysis show attention to OPSEC, although a single e-mail address is a weaker channel than the Tor-hosted negotiation portals run by established ransomware-as-a-service groups, and it can be reported and suspended by the provider.

Rather than specifying a fixed ransom amount in the initial note, VerdaCrypt’s operators require victims to establish contact first, allowing for dynamic pricing based on the victim’s perceived ability to pay. This negotiation-based approach is increasingly common among sophisticated ransomware operations, maximizing profits by tailoring demands to each victim’s circumstances.

The Kugutsushi subdivision referenced in the note appears to be a new or previously undocumented threat actor, with no public reports linking them to other known ransomware operations as of April 2025. The name “Kugutsushi” has Japanese origins, potentially referring to puppet masters or manipulators, though this cultural reference may be deliberate misdirection rather than an indication of the attackers’ actual nationality or identity.

Technical Indicators of Compromise

Organizations should monitor for the following indicators that may suggest a VerdaCrypt infection or attack in progress:

File System Artifacts

# Primary ransomware script and variants
%TEMP%\*.ps1
C:\ProgramData\*.ps1
C:\Users\[username]\AppData\Roaming\*.ps1
WindowsUpdate.ps1 (USB drives)

# Ransom note
!!!_READ_ME_!!!.txt

# Encrypted files
*.verdant

# Persistence mechanisms
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.ps1
%TEMP%\cleanup.ps1
%TEMP%\script_*.ps1
%TEMP%\launcher.c
%TEMP%\launcher.dll

Registry Modifications

# Persistence registry keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate*
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*

# UAC bypass registry modifications
HKCU:\Software\Classes\ms-settings\shell\open\command
HKCU:\Software\Classes\mscfile\shell\open\command

# Security disabling registry modifications
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen = 0
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
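
The following is an added example (defender-side, not code from the VerdaCrypt script or the original article) that turns the registry indicators above into a host check. It reads each policy value and flags those set to the attacker's value, tests for the two HKCU shell\open\command keys, which do not exist on a clean system, and then compares with the live Defender engine state, because a policy value alone does not prove that real-time protection is actually off.

```powershell
# Added example (defender-side check; not code from the VerdaCrypt script).
# Flags the Defender/SmartScreen/UAC policy values listed above when they
# carry the attacker's value, reports the HKCU UAC-bypass keys if present,
# and shows what the Defender engine itself says.
function Test-SecurityPolicyTampering {
    $rtp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';             Name = 'DisableAntiSpyware';          Bad = 1 }
        @{ Key = $rtp;                                                              Name = 'DisableRealtimeMonitoring';   Bad = 1 }
        @{ Key = $rtp;                                                              Name = 'DisableBehaviorMonitoring';   Bad = 1 }
        @{ Key = $rtp;                                                              Name = 'DisableOnAccessProtection';   Bad = 1 }
        @{ Key = $rtp;                                                              Name = 'DisableScanOnRealtimeEnable'; Bad = 1 }
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                Name = 'EnableSmartScreen';           Bad = 0 }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';                   Bad = 0 }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Check    = "$($c.Key)\$($c.Name)"
            Value    = if ($null -eq $v) { '(absent)' } else { $v }
            Tampered = ($null -ne $v -and [int]$v -eq $c.Bad)
        }
    }
    # These keys are absent on a clean host; their mere presence is the UAC-bypass indicator.
    foreach ($k in 'HKCU:\Software\Classes\ms-settings\shell\open\command',
                   'HKCU:\Software\Classes\mscfile\shell\open\command') {
        $present = Test-Path -Path $k
        [pscustomobject]@{
            Check    = $k
            Value    = if ($present) { (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)' } else { '(absent)' }
            Tampered = $present
        }
    }
}

function Get-DefenderLiveState {
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $s) { return $null }   # Defender cmdlets unavailable (third-party AV, or the feature is not installed)
    [pscustomobject]@{
        AMServiceEnabled          = $s.AMServiceEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $s.BehaviorMonitorEnabled
        OnAccessProtectionEnabled = $s.OnAccessProtectionEnabled
        IsTamperProtected         = $s.IsTamperProtected
    }
}

Test-SecurityPolicyTampering | Format-Table Tampered, Value, Check -AutoSize -Wrap
Get-DefenderLiveState
```

With Tamper Protection on, the policy values can be written but the engine ignores them, which is why the two views are shown side by side: a "Tampered = True" row together with "RealTimeProtectionEnabled = True" still means something ran with administrative rights and tried.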

Process and Command Line Indicators

# Suspicious PowerShell execution
powershell.exe -WindowStyle Hidden
powershell.exe -ExecutionPolicy Bypass
powershell.exe -EncodedCommand

# Shadow copy deletion commands
vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
wbadmin.exe delete catalog -quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

# Security service tampering
sc.exe create Windows* binPath= "powershell.exe*"
powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
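
As an added example (detection logic, not code from the VerdaCrypt script or the original article), the function below scores a process command line, as recorded by Sysmon event 1, Security event 4688 with command-line auditing, or PowerShell event 4104, against the indicators listed above. Rule weights and the alert threshold are assumptions, and the sample lines are constructed for the demonstration rather than taken from an infected host.

```powershell
# Added example (detection logic; not code from the VerdaCrypt script).
# Each rule is a regex over the indicator families above; a line's score is
# the sum of matching rule weights. Weights and threshold are assumptions.
$VerdaCryptRules = @(
    @{ Name = 'ps_hidden_or_bypass'; Score = 2; Pattern = 'powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})' }
    @{ Name = 'vss_delete';          Score = 5; Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'backup_catalog';      Score = 5; Pattern = 'wbadmin(\.exe)?\s+delete\s+catalog' }
    @{ Name = 'bcdedit_recovery';    Score = 5; Pattern = 'bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)' }
    @{ Name = 'defender_off';        Score = 5; Pattern = 'Set-MpPreference\b.*-Disable\w+\s+\$true' }
    @{ Name = 'firewall_off';        Score = 4; Pattern = 'Set-NetFirewallProfile\b.*-Enabled\s+False' }
    @{ Name = 'service_powershell';  Score = 4; Pattern = 'sc(\.exe)?\s+create\s+\S+\s+binPath=\s*"?powershell' }
)

function Test-VerdaCryptCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $hits  = @($VerdaCryptRules | Where-Object { $CommandLine -match $_.Pattern })   # -match is case-insensitive
    $score = 0
    foreach ($h in $hits) { $score += $h.Score }
    [pscustomobject]@{
        Verdict     = if ($score -ge 5) { 'ALERT' } elseif ($score -gt 0) { 'SUSPICIOUS' } else { 'clean' }
        Score       = $score
        Rules       = ($hits | ForEach-Object { $_.Name }) -join ','
        CommandLine = $CommandLine
    }
}

# Constructed sample lines (single quotes keep $true literal); the last one is a benign admin job.
$samples = @(
    'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\ProgramData\update.ps1'
    'vssadmin.exe delete shadows /all /quiet'
    'bcdedit.exe /set {default} recoveryenabled No'
    'powershell.exe -NoProfile -Command Set-MpPreference -DisableRealtimeMonitoring $true'
    'sc.exe create WindowsUpdateSvc binPath= "powershell.exe -w hidden -File C:\Users\Public\svc.ps1"'
    'powershell.exe -NoProfile -File C:\Scripts\backup-rotate.ps1'
)
$samples | ForEach-Object { Test-VerdaCryptCommandLine -CommandLine $_ } |
    Format-Table Verdict, Score, Rules, CommandLine -AutoSize -Wrap
```

A hidden-window or bypass flag on its own only rates "suspicious" because legitimate automation uses both; the shadow-copy, backup-catalog and Defender-disable rules alert on their own because there is almost no benign reason for a workstation to run them. To use this against real data, pipe the CommandLine field from Get-WinEvent output into Test-VerdaCryptCommandLine.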

Network Indicators

# Contact and payment channel (the analysis describes no dedicated command-and-control server; ProtonMail is the victim-to-operator address, so this is a weak indicator)
Connections to protonmail.com from hosts that do not normally use it
DNS or HTTPS requests to newly registered domains
Unusual outbound data volume before encryption begins (would support the exfiltration threat in the ransom note)
Connections to cryptocurrency-related domains

# Network scanning activity
SMB enumeration of shares from a workstation (fan-out on TCP 445)
Unusual Active Directory (LDAP) queries from user workstations

YARA Rule for Detection

The following YARA rule can help detect VerdaCrypt Ransomware components:

rule VerdaCrypt_Ransomware_2025 {
    meta:
        description = "Detects VerdaCrypt Ransomware PowerShell script"
        author = "TrojanKiller Research Team"
        date = "2025-04"
        hash = "a1ec0e24579de82840b019831252d73784f4ea5c4c16461103176bcc40cc1376"
        severity = "high"

    strings:
        // function names observed in Verdacrypt-Z.ps1
        $ps_function1 = "function Write-Log" wide ascii
        $ps_function2 = "function Test-AlreadyRunning" wide ascii
        $ps_function3 = "function Invoke-FileEncryption" wide ascii
        $ps_function4 = "function Register-Persistence" wide ascii

        // ransom note fragments
        $ransom1 = "YOUR DIGITAL EXISTENCE HAS BEEN COMPROMISED" nocase wide ascii
        $ransom2 = "VERDACRYPT - INITIATED" nocase wide ascii
        $ransom3 = "ONTOLOGICAL DILEMMA" nocase wide ascii
        $ransom4 = "Kugutsushi subdivision" nocase wide ascii

        $email = "dendrogaster_88095@protonmail.com" wide ascii

        $encryption1 = "AES-256" nocase wide ascii
        $encryption2 = ".verdant" wide ascii
        $encryption3 = "EncryptData" nocase wide ascii

    condition:
        // The script starts with a '#' comment line. A one-byte "#" string anchored
        // at 0 triggers YARA's slow-string warning and misses copies saved with a
        // BOM (PowerShell ISE and Out-File emit one), so test the leading bytes
        // directly: '#', the UTF-8 BOM EF BB, or the UTF-16 LE BOM FF FE.
        (uint8(0) == 0x23 or uint16(0) == 0xBBEF or uint16(0) == 0xFEFF) and
        (2 of ($ps_function*)) and
        (1 of ($ransom*) or $email) and
        (1 of ($encryption*)) and
        filesize < 2MB
}

Mitigation and Protection Strategies

Protecting against VerdaCrypt ransomware requires a defense-in-depth approach. Organizations should implement the following protective measures:

Immediate Preventive Measures

  • PowerShell security:
    • Enable script block logging (event ID 4104), module logging and transcription so the decoded script content is recorded even when it is launched with -EncodedCommand or -WindowStyle Hidden
    • Enforce Constrained Language Mode through AppLocker or WDAC script enforcement; set on its own it is not a security boundary, because a user can simply start a new PowerShell session
    • Use AppLocker or WDAC to control which scripts powershell.exe may run, not only whether it may run at all
    • Keep PowerShell 5.1 or 7 with an AMSI-aware antivirus; AMSI is on by default and needs no configuration, but alert on known AMSI bypass patterns in 4104 logs
  • Email security:
    • Implement advanced email filtering to detect and block phishing attempts
    • Block or scan attachments that could contain PowerShell scripts
    • Perform regular phishing awareness training for all employees
  • Endpoint protection:
    • Ensure Windows Defender or third-party antivirus is enabled and updated
    • Enable Controlled Folder Access to prevent unauthorized file encryption
    • Deploy EDR (Endpoint Detection and Response) solutions to detect suspicious behaviors
    • Implement application whitelisting to prevent unauthorized executables
  • Access controls:
    • Apply the principle of least privilege across the environment
    • Limit administrative privileges and use PAM (Privileged Access Management) solutions
    • Set UAC to "Always notify": the ms-settings and mscfile registry bypasses listed in the IOC section rely on auto-elevating Windows binaries, which only auto-elevate at the default prompt level. Better still, keep day-to-day accounts out of the local Administrators group so there is nothing to elevate to.

Technical Defenses Against VerdaCrypt-Specific Techniques

  • Protecting against security feature disabling:
    • Use Tamper Protection in Windows Defender to prevent security settings from being changed
    • Configure Group Policy to enforce security settings and prevent user modifications
    • Implement monitoring for attempts to modify security settings
  • Preventing persistence:
    • Audit and monitor autorun locations in the registry
    • Monitor creation of scheduled tasks and WMI event subscriptions
    • Deploy a solution that can detect and prevent DLL hijacking attempts
  • Blocking propagation:
    • Disable autorun functionality for removable media
    • Implement network segmentation to limit lateral movement
    • Control and monitor access to network shares with sensitive data
    • Consider implementing USB device control
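
The following added example (not code from the original article) applies the PowerShell logging, Defender and removable-media settings from the two lists above on a single host, which is useful for a lab or an urgent hardening pass before Group Policy catches up. The transcript path is an assumption; the ASR rule GUIDs are Microsoft's published identifiers. AppLocker script rules are not included because they require policy XML and the Application Identity service.

```powershell
#Requires -RunAsAdministrator
# Added example (host hardening; not code from the original article).
# 1. PowerShell visibility: script block logging (EID 4104), module logging, transcription.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
# Assumed path; in production point this at a write-only network share so a local attacker cannot purge it.
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'

# 2. Defender: ASR rules relevant to script-based ransomware, plus Controlled Folder Access.
$asrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}
foreach ($id in $asrRules.Keys) {
    # Use -AttackSurfaceReductionRules_Actions AuditMode first where the impact has not been measured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}
Set-MpPreference -EnableControlledFolderAccess Enabled
# Tamper Protection cannot be switched on from PowerShell; enable it in Windows Security or via
# Intune/ConfigMgr. Without it, an elevated "Set-MpPreference -DisableRealtimeMonitoring $true" still works.

# 3. Removable media: disable AutoRun/AutoPlay for every drive type.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorer -Force | Out-Null
Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
Set-ItemProperty -Path $explorer -Name NoAutorun -Value 1 -Type DWord

# 4. Verify what was applied.
Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging
Get-MpPreference | Select-Object EnableControlledFolderAccess, AttackSurfaceReductionRules_Ids
```

Controlled Folder Access blocks unknown processes, including powershell.exe, from writing to the protected folders, which is exactly the in-place overwrite VerdaCrypt performs on user documents; expect to add allow-list entries for legitimate tools that write there. Settings written under HKLM\SOFTWARE\Policies are overwritten by Group Policy at the next refresh, so the same values must also go into the domain policy.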

Recovery Preparedness

  • Robust backup strategy:
    • Implement the 3-2-1 backup rule: three copies of data on two different media types with one copy offsite
    • Ensure backups are immutable or write-once to prevent tampering
    • Regularly test backup restoration processes
    • Keep backups segregated from the main network to prevent compromise
  • Incident response planning:
    • Develop and regularly test a ransomware-specific incident response plan
    • Establish clear roles and responsibilities for responding to a ransomware attack
    • Pre-establish communications channels that would remain available during an attack
    • Consider engaging with professional incident response services before an attack
  • Business continuity planning:
    • Identify critical business functions and develop manual workarounds
    • Establish recovery time objectives for essential services
    • Prepare templates for communicating with stakeholders during an incident

As we’ve noted in our comprehensive malware removal guide, preventive measures are far more effective than reactive responses. Organizations should regularly test their systems with security tools like specialized anti-malware solutions to identify and remediate vulnerabilities before they can be exploited by threats like VerdaCrypt.

Comparison with Other Ransomware Families

VerdaCrypt shares similarities with several known ransomware families while also demonstrating unique characteristics that set it apart:

Similarities to Existing Threats

PowerShell Implementation: Like fileless malware variants, VerdaCrypt leverages PowerShell rather than a compiled binary. This approach is similar to earlier script-based ransomware such as PowerWare (2016), which used PowerShell to reduce its detection footprint.

Multi-Stage Execution: The multi-stage attack chain used by VerdaCrypt resembles sophisticated threats like Sarcoma Group Ransomware, which similarly uses a sequence of different techniques to establish persistence and evade detection before beginning encryption.

Philosophical Framing: The philosophical tone of VerdaCrypt’s ransom note bears similarities to Sauron Ransomware, which also uses sophisticated language to create a sense of inevitability and normalize the extortion process. Both attempt to position themselves as intellectual actors rather than common criminals.

Unique Characteristics

Modular Architecture: Unlike many ransomware families that operate as monolithic executables, VerdaCrypt’s modular design allows the threat actors to easily update specific capabilities or customize the ransomware for different targets. This modularity is more common in advanced persistent threats (APTs) than in traditional ransomware.

USB Propagation: While some ransomware families can spread laterally within networks, VerdaCrypt’s specific capabilities for USB propagation are more reminiscent of older worms like Conficker than modern ransomware, representing a concerning return to physical vector attacks.

Cultural References: The “Kugutsushi subdivision” branding and philosophical framing suggest a threat actor with different cultural influences than the Eastern European groups typically associated with major ransomware operations.

Threat Evolution Implications

VerdaCrypt represents several concerning trends in ransomware evolution:

  1. Increased sophistication in script-based malware: The comprehensive capabilities packed into a PowerShell script demonstrate that fileless or script-based malware can be just as dangerous as traditional executable ransomware.
  2. Convergence of criminal and post-exploitation tradecraft: VerdaCrypt packs WMI persistence, process injection and environment checks that are more familiar from targeted intrusions and red-team frameworks than from commodity ransomware, continuing the blurring of lines between financially motivated and espionage-oriented threats.
  3. Return to physical propagation vectors: The emphasis on USB propagation may signal renewed interest in targeting air-gapped networks or organizations with strong perimeter defenses.

The emergence of VerdaCrypt follows a general trend toward more customized, targeted ransomware operations, often with deeper psychological manipulation components. This evolution suggests ransomware operators are becoming more sophisticated in both their technical implementation and their extortion strategies.

Conclusion

VerdaCrypt represents a sophisticated evolution in PowerShell-based ransomware, combining advanced technical capabilities with psychological manipulation tactics designed to maximize victim compliance. Its modular architecture, comprehensive anti-analysis features, and multiple persistence mechanisms make it a significant threat to organizations across various sectors.

Key characteristics that distinguish VerdaCrypt include:

  • A fully PowerShell-based implementation that reduces the detection footprint
  • Sophisticated encryption approach targeting over 100 file types across multiple categories
  • Comprehensive security disabling capabilities when run with administrative privileges
  • Multiple propagation methods including USB drives and network scanning
  • Philosophical framing of extortion demands to manipulate victims psychologically

Organizations can protect themselves by implementing defense-in-depth strategies with specific focus on PowerShell security, maintaining robust offline backups, implementing access controls that follow the principle of least privilege, and developing comprehensive incident response plans. As ransomware continues to evolve, maintaining vigilance and implementing proactive security measures remains the most effective approach to mitigating these sophisticated threats.

VerdaCrypt should be considered a high-priority threat due to its technical sophistication and the comprehensive nature of its attack capabilities. Security teams should implement the detection and mitigation strategies outlined in this analysis to protect their organizations from this emerging threat.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.
