PowerWare ransomware variant poses as Locky, but can be decrypted
A new PowerWare variant imitates the Locky ransomware by, among other tactics, appending a .locky filename extension to encrypted files. Fortunately, the files can be decrypted.
According to Palo Alto Networks, whose Unit 42 threat research team made the recent discovery, the variant appends a .locky extension to every file it encrypts to sell the notion that Locky is behind the attack. It also drops an HTML ransom note whose directions borrow the exact wording of Locky's note, and it points victims to a website with Bitcoin payment instructions that refer to a "Locky decryptor".
Despite its efforts to imitate Locky, PowerWare (aka PoshCoder) cannot hide the fact that its encryption can currently be broken: it uses a hardcoded key for its AES-128 encryption, Palo Alto Networks explains in a blog post. Because that key ships inside the malware itself, anyone with a sample can recover the key and decrypt the files without paying. Indeed, the company has published a free Python script that decrypts PowerWare's .locky files.
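The following Go program is an added illustration of why a hardcoded symmetric key defeats the ransomware's purpose; it is not the Unit 42 decryptor and not PowerWare's code. It models the per-file step (AES-128-CBC with a constant key and IV, PKCS#7 padding, and a .locky extension appended) and then shows the defender's side: since the same constants are in every sample, one decryption routine restores every victim's files. The key, IV, cipher mode, and sample file contents are assumptions for the demo; the article only states that the key is hardcoded and that AES-128 is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// Illustrative hardcoded key and IV (assumed values, not PowerWare's real ones).
// Shipping constants like these inside the malware is exactly what lets a
// defender decrypt every victim's files.
var hardcodedKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
var hardcodedIV = []byte("fedcba9876543210")  // 16 bytes, one AES block

const lockyExt = ".locky"

// pkcs7Pad pads to a whole number of AES blocks (assumed padding scheme).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding, rejecting malformed input.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptFile models the ransomware's per-file step: AES-128-CBC under the
// hardcoded key/IV, then the .locky extension appended to the filename.
func encryptFile(name string, plaintext []byte) (string, []byte, error) {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return "", nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, hardcodedIV).CryptBlocks(ct, padded)
	return name + lockyExt, ct, nil
}

// decryptFile is the recovery step: the key and IV are constants pulled
// from the sample, so the same routine works for every encrypted file.
func decryptFile(name string, ct []byte) (string, []byte, error) {
	if !strings.HasSuffix(name, lockyExt) {
		return "", nil, fmt.Errorf("%s does not carry the %s extension", name, lockyExt)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return "", nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, hardcodedIV).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return "", nil, err
	}
	return strings.TrimSuffix(name, lockyExt), pt, nil
}

func main() {
	// Constructed sample document standing in for a victim's file.
	original := []byte("Quarterly report: revenue up 12%.\n")
	lockedName, ct, err := encryptFile("report.docx", original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted report.docx -> %s (%d bytes)\n", lockedName, len(ct))

	restoredName, pt, err := decryptFile(lockedName, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %s -> %s: %q\n", lockedName, restoredName, pt)
}
```

The decryptor refuses files that lack the .locky suffix or whose length is not a multiple of the AES block size, and it validates the padding before trusting the output, so a truncated or partially written file produces an error rather than silently corrupt data. The contrast to note is that nothing here required a key from the attacker's server: with a per-victim key generated at runtime and only the public half kept on disk, this recovery would not be possible.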