PowerWare, the ransomware that commandeers Microsoft's PowerShell to download and run malicious code, now has a variant that mimics Locky ransomware.
According to Palo Alto Networks, whose Unit 42 threat research team made the discovery, the variant appends a .locky extension to the files it encrypts to suggest that Locky is behind the attack. It also drops an HTML ransom note whose directions borrow the exact wording of Locky's note, and it points victims to a payment website with Bitcoin instructions that refer to a "Locky decryptor".
Despite the imitation, PowerWare (aka PoshCoder) cannot hide the fact that its encryption can currently be broken: it uses a hardcoded key for its AES-128 encryption, Palo Alto explains in a blog post. The cipher is not the weak point; a key embedded in the malware's own script can be extracted by anyone who has a sample, and that is what allowed Unit 42 to publish a free Python script that decrypts PowerWare's .locky files.
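To show concretely why a hardcoded key makes a decryptor possible, here is an added example that is not Unit 42's script and not PowerWare's code. It is written in Go rather than Python only because Go's standard library ships AES. The key value, the use of CBC mode, PKCS#7 padding and the IV-first file layout are all assumptions made for the demo, not details reported on the page; the page states only that the key is hardcoded and that the cipher is AES-128. The encrypt function stands in for the ransomware so that the decryptor can be run offline on a constructed victim file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// hardcodedKey stands in for the fixed AES-128 key embedded in the malware.
// This value is a placeholder chosen for the example, not the real key; the
// point is that whatever the real value is, it ships inside every sample.
var hardcodedKey = []byte("0123456789abcdef") // 16 bytes = AES-128

const ransomExt = ".locky"

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding, which is the
// usual symptom of decrypting with the wrong key.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding (wrong key?)")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding (wrong key?)")
		}
	}
	return b[:len(b)-n], nil
}

// encryptLikeRansomware mimics the ransomware side: AES-128-CBC with the
// hardcoded key and a random IV prepended to the ciphertext (assumed layout).
func encryptLikeRansomware(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// decryptWithRecoveredKey is the decryptor side: because the key is fixed,
// one copy extracted from any sample unlocks every victim's files.
func decryptWithRecoveredKey(data, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("file too short or not block-aligned")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// decryptTree walks root, decrypts every *.locky file and restores the
// original name by stripping the fake extension. It returns the restored paths.
func decryptTree(root string, key []byte) ([]string, error) {
	var restored []string
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, ransomExt) {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		pt, err := decryptWithRecoveredKey(data, key)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err) // stop rather than write garbage
		}
		orig := strings.TrimSuffix(path, ransomExt)
		if err := os.WriteFile(orig, pt, 0o600); err != nil {
			return err
		}
		restored = append(restored, orig)
		return os.Remove(path)
	})
	return restored, err
}

func main() {
	dir, _ := os.MkdirTemp("", "powerware-demo")
	defer os.RemoveAll(dir)
	// Constructed victim file: encrypted with the same embedded key.
	ct, _ := encryptLikeRansomware([]byte("quarterly report\n"), hardcodedKey)
	os.WriteFile(filepath.Join(dir, "report.docx"+ransomExt), ct, 0o600)
	restored, err := decryptTree(dir, hardcodedKey)
	fmt.Println(restored, err)
}
```

The padding check is the practical safeguard: a decryptor run with the wrong key (a later variant might rotate it) will almost always fail padding validation and stop instead of overwriting the encrypted files with garbage. Because the check only sees the last block, it is not a guarantee, so a real recovery run should keep the .locky originals until the restored files have been opened and verified.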