Batu69 Posted March 26, 2016

There is a tiny chance that you may get your files back

[Image: PowerWare ransom screen]

During the past week, we've seen new strains of ransomware discovered each day. Today's newest ransomware variant is PowerWare, identified by US-based security firm Carbon Black on the computers of one of their clients, an unnamed healthcare facility.

As with all ransomware families identified this week, this one has a kink of its own, and it appears to be its mode of operation, never seen before in other ransomware strains. PowerWare uses a combination of Word files, macro scripts, and Microsoft's PowerShell scripting language to infect victims with its deadly payload.

PowerWare arrives as a booby-trapped Word file

In spite of its innovative methods, the ransomware still relies on old-school infection tactics that start with spam email arriving in the victim's inbox. The emails contain a Word document as attachment, which, if opened, uses cleverly written messages to trick users into disabling Office's Protected View mode and then enabling macro support.

Two clicks later, the infection chain starts when a malicious macro script connects online and retrieves a file called cmd.exe, which it then launches into execution. This file then calls upon the Microsoft PowerShell utility, included by default with all modern Windows operating systems, and executes a series of commands.

These commands will first generate an RSA-2048 encryption key, send the key to PowerWare's C&C server, and then start the encryption process.

PowerWare exposes encryption key when sending it to the C&C server

Once everything is encrypted, the ransom note is displayed on the user's screen, asking the user for the equivalent of around $500 in Bitcoin, a sum that doubles after two weeks.
The good news is that if users or corporate entities are running a traffic logging system, they could retrieve the original encryption key, because PowerWare's author has not taken any measures to protect it, sending it to the C&C server in cleartext via HTTP. Otherwise, decrypting local files for free is not possible, and users are left with only two options: paying the ransom or recovering their files from an offline source.

Other ransomware families discovered this week included Petya, Maktub Locker, Xorist, Surprise, and Samas. Additionally, this week Microsoft also announced a new feature in Office 2016 which makes it possible for network admins to block macros in files that come from the Internet.

Article source
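The article's point that a traffic logging system could recover the key only holds while the key crosses the wire in cleartext. As an added example (not part of the article or of Batu69's post), the Python script below scans a constructed HTTP request log for RSA key material posted over plain HTTP. The log format, the hosts and the key blobs are all made up for the illustration and nothing in it reproduces PowerWare's real protocol; the script looks for two generic shapes of key material, a PEM private-key block or a base64 value that decodes to a large DER structure, so it generalises beyond this one family.

```python
"""
Scan cleartext HTTP traffic for RSA key material, the exposure the article
describes. Everything below (log format, hosts, key blobs) is constructed for
this example and is not PowerWare's real traffic or any product's log format.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, quote

RSA2048_BYTES = 256  # a 2048-bit modulus alone is 256 bytes; a key blob is larger
PEM_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
    re.DOTALL,
)


@dataclass
class HttpRecord:
    """One request as a proxy or capture tool might log it (constructed shape)."""
    src: str
    method: str
    url: str
    body: str


@dataclass
class Finding:
    src: str
    url: str
    where: str  # "body" or "field:<name>"
    kind: str   # "pem-private-key" or "der-asn1-blob"
    size: int   # length of the matched value in characters


def decode_b64(value: str) -> Optional[bytes]:
    """Strict base64 decode with padding repaired; None if not base64."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_blob(value: str) -> Optional[str]:
    """Name the kind of key material in a string, or None if it looks like none."""
    if PEM_RE.search(value):
        return "pem-private-key"
    raw = decode_b64(value)
    # DER keys are an ASN.1 SEQUENCE with a two-byte length (0x30 0x82 ...),
    # and an RSA-2048 key blob decodes to well over 256 bytes.
    if raw and len(raw) >= RSA2048_BYTES and raw[:2] == b"\x30\x82":
        return "der-asn1-blob"
    return None


def find_exposed_keys(records: List[HttpRecord]) -> List[Finding]:
    """Return every cleartext request carrying something that looks like a key."""
    findings: List[Finding] = []
    for rec in records:
        # Only plain HTTP can be read back from a passive capture or proxy log.
        if not rec.url.lower().startswith("http://"):
            continue
        kind = classify_blob(rec.body)  # raw body: PEM block or bare base64 DER
        if kind:
            findings.append(Finding(rec.src, rec.url, "body", kind, len(rec.body)))
            continue
        # Otherwise look inside query-string and form-encoded fields.
        fields = parse_qs(rec.url.partition("?")[2], keep_blank_values=True)
        fields.update(parse_qs(rec.body, keep_blank_values=True))
        for name, values in fields.items():
            for value in values:
                kind = classify_blob(value)
                if kind:
                    findings.append(
                        Finding(rec.src, rec.url, f"field:{name}", kind, len(value))
                    )
    return findings


# --- constructed sample: fake key blobs and a five-entry HTTP log ---
FAKE_DER_B64 = base64.b64encode(b"\x30\x82\x04\xa4\x02\x01\x00" + bytes(1185)).decode()
FAKE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEpAIBAAKCAQEAconstructedconstructedconstructedconstructed\n"
    "-----END RSA PRIVATE KEY-----\n"
)
FAKE_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(600)).decode()

SAMPLE_LOG = [
    HttpRecord("10.0.0.17", "GET", "http://update.example.test/check?ver=3", ""),
    HttpRecord("10.0.0.17", "POST", "http://198.51.100.23/in.php",
               f"uuid=3f2a9c&key={quote(FAKE_DER_B64)}"),
    HttpRecord("10.0.0.42", "POST", "https://portal.example.test/api/keys", FAKE_PEM),
    HttpRecord("10.0.0.42", "POST", "http://cdn.example.test/avatar",
               f"img={quote(FAKE_PNG_B64)}"),
    HttpRecord("10.0.0.9", "POST", "http://203.0.113.5/upload", FAKE_PEM),
]

if __name__ == "__main__":
    for f in find_exposed_keys(SAMPLE_LOG):
        print(f"{f.src} -> {f.url}: {f.kind} in {f.where} ({f.size} chars)")
```

Running it flags the base64 DER blob in the `key` field of the POST to 198.51.100.23 and the PEM block posted to 203.0.113.5, while the large base64 image and the HTTPS request are left alone. The `0x30 0x82` heuristic will also match other big DER structures such as certificates, so hits are triage candidates, not proof; the value of the approach is exactly what the article describes: once a key has been logged in the clear, the defender holds a copy of it.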
straycat19 Posted March 26, 2016

As long as they rely on attachments or hyperlinks, then we are totally safe, since we allow neither in our email system. They are automatically removed. Anyone that doesn't do this is dumber than a box of rocks and has no business using the term security in any of their conversations.