PowerWare ransomware, a new fileless threat in the wild

March 28, 2016  By Pierluigi Paganini


Experts at Carbon Black spotted in the wild a new threat dubbed PowerWare ransomware that exploits PowerShell, the native Windows framework.

Authors of ransomware are implementing new features to make their malware even more dangerous and effective. Yesterday I wrote about the new Petya ransomware, which overwrites MBR causing a blue screen of death, now I will introduce you a threat targeting the healthcare industry.

The new ransomware is called PowerWare and was discovered a week ago by security researchers at the Carbon Black firm.

Powerware ransomware

The most interesting feature implemented in the PowerWare ransomware is that it is fileless. Many malware in the wild are fileless, including one of the variants of the popular Angler Exploit Kit, but this feature is rare for ransomware.

Criminal gangs behind PowerWare are spreading it using spam messages including a Word document attachment purporting to be an invoice. The attackers use an old trick in order to convince victims in enabling the macros, they request to enable macros to correctly view the document.

The macros runs the cmd.exe which launches the PowerShell, the native Windows framework that uses a command-line shell to perform several tasks.

The use of PowerShell allows the ransomware to avoid writing files to the disk and make hard the threat detection. It also allows the ransomware to encrypt files on the victim’s PC.

“The macros are there to launch PowerShell and pull down the ransomware script. Lots of malware can be distributed via macros in Word docs. Most of the time they download additional binaries to do more bad stuff (backdoors, etc.),” Valdez said.

“This does not pull down any additional binaries (executables), and leverages PowerShell (already on the system and approved to be there) to do the dirty work.”

“This means no ‘traditional’ malware – no additional executable needed – just a text document (script).”

The PowerShell ransomware requests victims to pay a $500 ransom to restored the encrypted files. Also in this case, the ransom double if the victim’s doesn’t respect the deadline.

Fileless ransomware could become rapidly popular in the criminal ecosystem, on March 11, the researchers at Palo Alto Networks, spotted a new malware family called PowerSniff that has many similarities with PowerWare, including the fileless capability.

Pierluigi Paganini

(Security Affairs – PowerWare ransomware , cybercrime)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.








  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Remotely Exploitable Flaw in Truecaller Leaves 100 Million Android Devices Vulnerable

 Security researchers from the Cheetah Mobile Security Research Lab discovered a severe flaw in the call management application...