HackDig : Dig high-quality web security articles for hackers

PowerWare Ransomware Abuses Microsoft Word and PowerShell to Infect Users

2016-03-25 21:15

During the past week, we've seen new strains of ransomware discovered each day. Today's newest ransomware variant is PowerWare, identified by US-based security firm Carbon Black on the computers of one of their clients, an unnamed healthcare facility.

As with all the ransomware families identified this week, this one has a quirk of its own: its mode of operation, which has not been seen before in other ransomware strains.

PowerWare uses a combination of Word files, macro scripts, and Microsoft's PowerShell scripting language to infect victims with its deadly payload.

PowerWare arrives as a booby-trapped Word file

In spite of its innovative methods, the ransomware still relies on old-school infection tactics that start with spam email arriving in the victim's inbox.

The emails carry a Word document as an attachment which, if opened, uses cleverly written messages to trick users into disabling Office's Protected View mode and then enabling macro support.

Two clicks later, the infection chain starts: the malicious macro script connects to the Internet, retrieves a file called cmd.exe, and launches it. This file then calls the Microsoft PowerShell utility, included by default in all modern Windows operating systems, and executes a series of commands.

These commands will first generate an RSA-2048 encryption key, send the key to PowerWare's C&C server, and then start the encryption process.

PowerWare exposes encryption key when sending it to the C&C server

Once everything is encrypted, the ransom note is displayed on the user's screen, asking the user for the equivalent of around $500 in Bitcoin, a sum that doubles after two weeks.

The good news is that users or corporate entities running a traffic logging system could retrieve the original encryption key, because PowerWare's author has taken no measures to protect it: the key is sent to the C&C server in cleartext over HTTP.
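To illustrate the defensive point above, here is an added example (not code from the article, from Carbon Black, or from PowerWare itself) that scans a cleartext HTTP request log for POST bodies carrying what looks like exported key material: a PEM header, or a base64 blob that decodes to at least 256 bytes (the size of a 2048-bit RSA modulus) with high byte entropy. The hostnames, paths, field names and the "key" bytes are all constructed placeholders, and the real C&C request format is not reproduced; the heuristic is the author's own assumption about what a cleartext key upload would look like in a proxy log.

```python
"""Scan a cleartext HTTP request log for key material leaving the network."""
import base64
import binascii
import hashlib
import math
import re
from urllib.parse import parse_qs, quote

RSA2048_MODULUS_BYTES = 256   # a 2048-bit modulus is 256 bytes long
ENTROPY_THRESHOLD = 6.0       # bits per byte; random key bytes sit well above this
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*KEY-----")


def _constructed_key_bytes(n: int = RSA2048_MODULUS_BYTES) -> bytes:
    """Deterministic stand-in for key material (constructed; not a real RSA key)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-sample-%d" % counter).digest()
        counter += 1
    return out[:n]


# Constructed sample proxy log; hosts and paths are placeholders, not PowerWare's C&C.
SAMPLE_LOG = [
    {"method": "GET", "scheme": "http", "host": "cdn.example-placeholder.test",
     "path": "/update.txt", "body": ""},
    {"method": "POST", "scheme": "http", "host": "c2.example-placeholder.test",
     "path": "/gate.php",
     "body": "uuid=8f1c0de4&key="
             + quote(base64.b64encode(_constructed_key_bytes()).decode(), safe="")},
    {"method": "POST", "scheme": "http", "host": "forms.example-placeholder.test",
     "path": "/submit",
     "body": "comment=" + quote(base64.b64encode(b"A" * 300).decode(), safe="")},
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a constant run, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def _try_base64(value: str):
    """Strictly decode a base64 field, or return None if it is not base64."""
    if len(value) < 4 or not BASE64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_key_exfil(log):
    """Return one finding per cleartext POST whose body looks like it carries a key."""
    findings = []
    for entry in log:
        # Only plain HTTP is inspectable from a traffic log; TLS bodies are opaque.
        if entry["scheme"] != "http" or entry["method"] != "POST":
            continue
        body = entry["body"]
        if PEM_RE.search(body):
            findings.append({"host": entry["host"], "path": entry["path"],
                             "field": None, "reason": "pem header",
                             "decoded_len": len(body), "material": body.encode()})
            continue
        for field, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                raw = _try_base64(value)
                if raw is None or len(raw) < RSA2048_MODULUS_BYTES:
                    continue
                ent = shannon_entropy(raw)
                if ent >= ENTROPY_THRESHOLD:
                    findings.append({"host": entry["host"], "path": entry["path"],
                                     "field": field, "reason": "high-entropy blob",
                                     "decoded_len": len(raw), "entropy": round(ent, 2),
                                     "material": raw})
    return findings


if __name__ == "__main__":
    for f in find_key_exfil(SAMPLE_LOG):
        print(f["host"], f["path"], f["field"], f["reason"], f["decoded_len"], "bytes")
```

The 300-byte base64 comment field is deliberately included: it is long enough to pass the size check but decodes to a constant run, so the entropy test keeps it out of the findings. The `material` bytes of a real finding are what an incident responder would preserve; whether they can actually decrypt anything depends on what the malware uploaded, which this heuristic cannot tell.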

Otherwise, decrypting the files for free is not possible, and users are left with only two options: paying the ransom or recovering their files from an offline source.

Other ransomware families discovered this week included Petya, Maktub Locker, Xorist, Surprise, and Samas. Additionally, this week Microsoft also announced a new feature in Office 2016 which makes it possible for network admins to block macros in files that come from the Internet.

PowerWare ransom screen

Source: Wat1yclNXdiFWLlJXY312bz5WYy1SZyF2dyV2dvB3LzdXZu9SbvNmLhlGZlBHdm92cuM3dl52LvoDc0RHa/ca.ssr.dps
