There is a tiny chance that you may get your files back

Mar 25, 2016 23:55 GMT  ·  By

This week, we have seen new strains of ransomware discovered each day. Today's newest ransomware variant is PowerWare, identified by US-based security firm Carbon Black on the computers of one of their clients, an unnamed healthcare facility.

As with all ransomware families identified this week, this one has a quirk of its own: a mode of operation never before seen in other ransomware strains.

PowerWare uses a combination of Word files, macro scripts, and Microsoft's PowerShell scripting language to infect victims with its deadly payload.

PowerWare arrives as a booby-trapped Word file

In spite of its innovative methods, the ransomware still relies on old-school infection tactics that start with spam email arriving in the victim's inbox.

The emails contain a Word document as an attachment, which, if opened, uses cleverly written messages to trick the user into disabling Office's Protected View mode and then enabling macro support.

Two clicks later, the infection chain starts when a malicious macro script connects online, retrieves a file called cmd.exe, and launches it. This file then calls upon the Microsoft PowerShell utility, included by default with all modern Windows operating systems, and executes a series of commands.

These commands first generate an RSA-2048 encryption key, send that key to PowerWare's C&C server, and then start the encryption process.

PowerWare exposes encryption key when sending it to the C&C server

Once everything is encrypted, the ransom note is displayed on the user's screen, asking them for the equivalent of around $500 in Bitcoin, a sum that doubles after two weeks.

The good news is that if users or corporate entities are running a traffic logging system, they could retrieve the original encryption key because PowerWare's author did not take any measures to protect it, sending it to the C&C server in cleartext via HTTP.

Otherwise, decrypting local files for free is not possible, and users are left with only two options: paying the ransom or restoring their files from an offline backup.
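The recovery path the article describes depends on the key being visible in outbound HTTP traffic. As an added illustration (this is not code from the article or from Carbon Black), the following Python scanner walks constructed proxy-log records and flags parameters sent over plain HTTP whose value looks like key material. The log format, the host names, the client addresses and the `key` parameter name are all assumptions; the article does not give the real PowerWare request format.

```python
"""Scan HTTP proxy log records for key material sent in cleartext.

Added example. The record layout ("timestamp client method url body"),
the hosts and the parameter names are constructed assumptions, not
details taken from the article or from the malware itself.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records; "-" means the request carried no body.
SAMPLE_LOG = """\
2016-03-25T10:01:02Z 10.0.0.15 GET http://intranet.example/index.html -
2016-03-25T10:02:40Z 10.0.0.15 POST http://c2.example/p.php uuid=WS-0042&key=QUVTa2V5MTIzNDU2Nzg5MGFiY2RlZjAxMjM0NTY3ODk=&os=win7
2016-03-25T10:03:11Z 10.0.0.22 POST http://intranet.example/login user=alice&password=hunter2
2016-03-25T10:04:00Z 10.0.0.15 GET http://c2.example/ok.php?uuid=WS-0042 -
"""

# Heuristic: a long hex or base64 value is a candidate for key material.
HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")
# Parameter names that warrant a closer look regardless of value shape (assumed).
KEYISH_PARAMS = {"key", "k", "aes", "rsa", "secret"}


def looks_like_key(value):
    """True when the value has the shape of an encoded key or key blob."""
    return bool(HEX_RE.match(value) or B64_RE.match(value))


def parse_record(line):
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    ts, client, method, url, body = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "body": "" if body == "-" else body}


def find_cleartext_keys(log_text):
    """Return one hit per parameter that was sent over plain HTTP and looks like a key."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        # Only unencrypted HTTP can expose the key to a passive traffic logger.
        if not rec["url"].startswith("http://"):
            continue
        split = urlsplit(rec["url"])
        params = parse_qs(split.query)       # parameters in the query string
        params.update(parse_qs(rec["body"]))  # parameters in a form-encoded body
        for name, values in params.items():
            for value in values:
                if name.lower() in KEYISH_PARAMS or looks_like_key(value):
                    hits.append({"ts": rec["ts"], "client": rec["client"],
                                 "host": split.hostname, "param": name,
                                 "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_cleartext_keys(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["host"]} '
              f'param={hit["param"]} value={hit["value"]}')
```

On the constructed sample this reports a single record: the POST from 10.0.0.15 to c2.example carrying a base64-looking `key` value. The shape heuristic is deliberately loose; in a real investigation the hits would be narrowed to the infected host and the time window of the encryption, and the recovered value would still have to be matched against the malware's own key handling before it could be used for decryption.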

Other ransomware families discovered this week included Petya, Maktub Locker, Xorist, Surprise, and Samas. This week Microsoft also announced a new feature in Office 2016 that makes it possible for network admins to block macros in files that come from the Internet.

Photo Gallery (2 Images): New PowerWare ransomware discovered; PowerWare ransom screen