“PowerWare,” New Ransomware Written in PowerShell, Targets Organizations via Microsoft Word
“PowerWare” is a new instance of ransomware that relies on tools native to the operating system, in this case PowerShell. “Traditional” ransomware variants typically install new malicious files on the system, which in some instances makes them easier to detect. “PowerWare” instead asks PowerShell, a core utility of current Windows systems, to do the dirty work. By leveraging PowerShell, this ransomware attempts to avoid writing new files to disk and tries to blend in with legitimate computer activity.
For the “PowerWare” test sample we ran, we opened a “malicious” Word document.
In this example, if the user enables the macros to run, cmd.exe is spawned to launch a pair of PowerShell instances: one that downloads the ransomware script and another that starts PowerShell with the downloaded script as its input.
The process tree and the corresponding command lines are shown in the screenshot below:
Below is a snippet of the “PowerWare” script. In the first few lines, it generates random numbers that are used to compute the encryption key, as well as the UUID assigned to this endpoint. Then the URL to post the key to is defined, and this information is sent to the attacker-controlled host via HTTP – in plain text.
Next come the commands that derive the actual key used for the encryption, the initialization vector, and the other crypto parameters.
Finally, the script walks the file system, encrypting every file whose extension is on a given list (the extensions are noted below).
The attackers also drop an HTML file, named FILES_ENCRYPTED-READ_ME.HTML, into every folder in which a file was encrypted, detailing how an affected user can get their files back.
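The process chain described above (Word document with macros, cmd.exe, then two PowerShell instances, one fetching a script over HTTP and one running it) is something endpoint telemetry can flag. The following is an added example, not code from the original post or from any product: it builds a process tree from constructed process-creation events (the event fields, the command lines and the marker strings are assumptions for illustration) and returns the chains that match that pattern.

```python
# Added example: detect the Office -> cmd.exe -> paired powershell.exe chain
# described in the post from process-creation events. The event format and
# the sample events below are constructed for this example, not real telemetry.
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable name, e.g. "cmd.exe"
    cmdline: str

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed heuristics: a PowerShell child that fetches from the web, and one
# that is handed a script file to execute.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "http://", "https://")
SCRIPT_MARKERS = (".ps1", "-file ")

def find_powerware_chains(events):
    """Return (office_pid, cmd_pid, [powershell_pids]) for each matching chain."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for cmd in events:
        if cmd.image != "cmd.exe":
            continue
        parent = by_pid.get(cmd.ppid)
        if parent is None or parent.image not in OFFICE_APPS:
            continue
        ps = [c for c in children.get(cmd.pid, []) if c.image == "powershell.exe"]
        downloader = any(m in c.cmdline.lower() for c in ps for m in DOWNLOAD_MARKERS)
        runner = any(m in c.cmdline.lower() for c in ps for m in SCRIPT_MARKERS)
        if len(ps) >= 2 and downloader and runner:
            hits.append((parent.pid, cmd.pid, [c.pid for c in ps]))
    return hits

SAMPLE_EVENTS = [  # constructed sample data
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", '"WINWORD.EXE" invoice.docm'),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c <launch two powershell instances>"),
    ProcEvent(310, 300, "powershell.exe",
              "powershell.exe -Command <fetch http://c2.invalid/fixed.ps1 into %TEMP%>"),
    ProcEvent(320, 300, "powershell.exe", "powershell.exe -File %TEMP%\\fixed.ps1"),
    # benign: an interactive console running a script, no Office parent
    ProcEvent(400, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(410, 400, "powershell.exe", "powershell.exe -File backup.ps1"),
]

if __name__ == "__main__":
    print(find_powerware_chains(SAMPLE_EVENTS))  # [(200, 300, [310, 320])]
```

The benign console-launched script in the sample is not reported, because the chain requires an Office application as the grandparent and both a download-style and a script-execution child under the same cmd.exe.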
Indicators of Compromise