14 DAY TRIAL // A new version of the PowerWare ransomware that was first spotted last March tries to imitate the more famous and powerful Locky ransomware, but luckily, researchers have found a way to unlock the files encrypted by it.
PowerWare, spotted in March by security researchers from Carbon Black, is only a more complex version of the PoshCoder ransomware that was first seen in 2014.
PowerWare always tried to pass as other ransomware variants
From its early beginnings, this ransomware lacked in both sophistication and personality, always trying to pass as another more sophisticated piece of ransomware, first as CryptoWall and later as TeslaCrypt.
PowerWare's March variant also sought to mimic TeslaCrypt, but seeing how TeslaCrypt's authors decided to shut down their operations in mid-May, PowerWare's creators were forced to drop the TeslaCrypt screen and adopt a new veil.
According to Palo Alto Networks, they chose Locky, and they chose well since this is one of today's most active ransomware variants.
Current versions of PowerWare append the .locky file extension to encrypted files, use the same ransom notes as Locky, word-by-word, and even employ the same graphics and wording on their ransom payment site as the Locky alternative.
The resemblance is not an accident, and the reason behind it is the fact that PowerWare's authors want to hide an inferior ransomware family under the reputation of a more powerful threat.
Weak encryption routine leads to the creation of a PowerWare decrypter
Palo Alto researchers observed that PowerWare, which uses PowerShell for the file encryption operations, employs an AES-128 algorithm to encrypt data but doesn't generate a random key, nor does it retrieve keys from a server, instead using one that's embedded in its source code.
As such, Palo Alto researchers have capitalized on this design weakness and have created a Python script that users can run from the Windows CLI and decrypt their files.
Another sign that this is a poor attempt at creating a ransomware family is the fact that PowerWare only encrypts the first 2048 bytes of the targeted files, showing the author's lack of skills, or lackadaisical attitude towards creating a proper threat. Jakub Kroustek, security researcher for AVG, has told Softpedia that previous versions of PowerWare also employed this simple algorithm that only encrypted the first 2048 bytes of targeted files.
