PowerWare ransomware variant poses as Locky, but can be decrypted

PowerWare, the ransomware that commandeers Microsoft's PowerShell utility to download and run malicious code, now has a variant that mimics Locky ransomware.

According to Palo Alto Networks, whose Unit 42 threat research team made the recent discovery, the variant attaches a .locky filename extension on files it encrypts to sell the notion that Locky is behind the attack. It also writes an HTML-based ransom note with directions borrowing the exact wording found in Locky's note. And it provides a website that includes Bitcoin payment instructions that refer to a Locky decryptor. 

Despite its efforts to imitate Locky, PowerWare (aka PoshCoder) cannot mask the fact that its encryption can currently be broken, because it uses a hardcoded key for its AES-128 encryption, Palo Alto explains in a blog post. Indeed, the research firm has published a free Python script that decrypts PowerWare's .locky files.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
