The Powerware ransomware abuses Microsoft Word and PowerShell to infect users. There is a very lesser chance that you can get your files back. Recently researchers are discovering new forms of ransomware day after day.

The latest variant of ransomware is known as “PowerWare”. It has been identified by the US security firm “Carbon Black” on the computer of one of its clients, an unidentified health clinic.

Hackers Using Microsoft Word To Infect Your PC

As with all the other families of ransomware identified this week, this variant “PowerWare” has its custom feature, and, in this case, it appears that they operate in such a way that was never seen or seen identified before in other families of ransomware. “PowerWare” uses a combination of Word files, scripts, macros, and Microsoft PowerShell language to infect their victims with their dangerous payload.

PowerWare comes as an infected Word file

Without being affected by its innovative methods, ransomware continues to depend on its old strategy, which begins with the infected spam emails of the victims.

The emails contain a malicious Word document as an attachment. Once opened, it uses written messages very carefully to trick the user into disabling the protected view mode in Microsoft Office and then activating the support for macros.

Two clicks later, the infection chain begins its work; when the malicious macro script connects to the Internet, it retrieves a file named cmd.exe and executes it immediately.

This file activates the Microsoft PowerShell utility, spreading into the whole operating system and executing a series of commands. These commands generate an encryption key known as RSA-2048 first, then send the encryption key to the home server console PowerWare, and finally begin encrypting the entire computer or system.

Once everything is encrypted successfully, a message or text is shown on the user’s screen or display, which asks the user to pay $500 in bitcoins for the rescue, which also becomes twice in two weeks.

The good news is that if the user or the corporate entity is running a system of traffic logging, then they may be able to recover the original encrypted key.

However, the users can not decrypt the computer or local files without the encryption key, so that users will have only two options or choices, the first one is to pay the ransom, and the second one is to recover their files from an offline source.

Here we found a few names of other families of ransomware that were discovered this week are (Petya, Maktub Locker, Xorist, Surprise, and Samas).

Moreover, this week Microsoft has also announced a new feature of Office 2016, which will make it possible for system administrators to block macros files that come from the Internet.


Please enter your comment!
Please enter your name here