A new variant of ransomware using Windows PowerShell to encrypt files is targeting users in the United States, according to a Sunday post by Mark Manahan, threat response engineer with Trend Micro.

Those infected by TROJ_POSHCODER.A will receive a message that states their files were encrypted and locked with an RSA4096 key, according to the post. Victims are then instructed to download the Tor browser and go to a specific website.

The website on the Tor network instructs victims to download the MultiBit Bitcoin wallet, to purchase one Bitcoin, and to submit a form after the Bitcoin is sent to a specific address, according to the post. The attackers claim they will email the “decryptor” within 12 hours of receiving the Bitcoin.

Recovery is only guaranteed for ten days, according to the post.