Like the other ransomware families identified this week, this “PowerWare” variant has a custom feature of its own: it operates in a way that had not been seen before in other ransomware families. PowerWare uses a combination of Word files, macro scripts and Microsoft PowerShell to deliver its payload to victims.
PowerWare comes as an infected Word file
Despite its innovative methods, the ransomware still relies on the old strategy of starting with spam emails sent to victims. The emails carry a malicious Word document as an attachment; once opened, the document uses carefully worded messages to trick the user into leaving Protected View in Microsoft Office and then enabling macros. Two clicks later the infection chain begins: the malicious macro script connects to the Internet, retrieves a file named cmd.exe and executes it immediately. That file launches the Microsoft PowerShell utility, which runs a series of commands across the operating system. These commands first generate an RSA-2048 encryption key, then send that key to PowerWare's home (command-and-control) server, and finally begin encrypting the whole computer.

Once everything has been encrypted, a message is shown on the user's screen asking for $500 in bitcoins for the recovery, an amount that doubles after two weeks. The good news is that a user or company that runs traffic logging may be able to recover the encryption key from the captured traffic. Without that key the files cannot be decrypted, so users are left with only two choices: pay the ransom, or restore the files from an offline backup.

Other ransomware families discovered this week include Petya, Maktub Locker, Xorist, Surprise and Samas. Also this week, Microsoft announced a new Office 2016 feature that lets system administrators block macros in files that come from the Internet.
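The infection chain described above leaves a recognisable trail on the endpoint: an Office application starting a command shell, a PowerShell instance launched with prompt-suppressing switches, and a script host opening an outbound connection to send the key home. The following detection script is an added example written for this article, not code from the article or from any vendor; it runs simple rules over a constructed, simplified key=value process/network event format (the field names ts, type, parent, image, cmdline and dest are assumptions, not a real Sysmon or EDR schema), and the sample events are invented to mirror the chain in the text.

```python
import re
from pathlib import PureWindowsPath

# Interpreters a document should never need to start directly.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# PowerShell switches typically used by loaders to avoid prompts and hide the console.
SUSPICIOUS_PS_FLAGS = (
    "-executionpolicy bypass", "-encodedcommand", "-enc ",
    "-windowstyle hidden", "-w hidden", "-noprofile",
)

# Constructed sample events (hypothetical format: key=value pairs, quoted when they contain spaces).
SAMPLE_EVENTS = [
    'ts=2016-03-25T10:01:02Z type=process parent="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" '
    'image="C:\\Windows\\System32\\cmd.exe" '
    'cmdline="cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\alice\\AppData\\Local\\Temp\\fixed.ps1"',
    'ts=2016-03-25T10:01:03Z type=process parent="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\alice\\AppData\\Local\\Temp\\fixed.ps1"',
    'ts=2016-03-25T10:01:05Z type=network image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'dest=203.0.113.10:80',
    # Benign activity that must not alert: Word started from Explorer, Word's print helper, an admin backup script.
    'ts=2016-03-25T09:58:00Z type=process parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" cmdline="WINWORD.EXE invoice.doc"',
    'ts=2016-03-25T09:58:10Z type=process parent="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" '
    'image="C:\\Windows\\splwow64.exe" cmdline="splwow64.exe 12288"',
    'ts=2016-03-25T09:59:00Z type=process parent="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell -File C:\\Scripts\\nightly-backup.ps1"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value event line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def basename(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return PureWindowsPath(path).name.lower() if path else ""


def evaluate(event):
    """Return the names of every rule that fires for a single parsed event."""
    findings = []
    parent = basename(event.get("parent"))
    image = basename(event.get("image"))
    cmdline = event.get("cmdline", "").lower()
    if event.get("type") == "process":
        # Rule 1: the macro stage - an Office application spawning a shell or script host.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append("office_spawned_script_host")
        # Rule 2: the PowerShell stage - interpreter started with loader-style switches.
        if image == "powershell.exe" and any(flag in cmdline for flag in SUSPICIOUS_PS_FLAGS):
            findings.append("suspicious_powershell_flags")
    elif event.get("type") == "network" and image in SCRIPT_HOSTS:
        # Rule 3: the key-upload stage - a script host talking to the network. The timestamp and
        # destination tell a responder where in the traffic capture to look for the key.
        findings.append("script_host_outbound_connection")
    return findings


def scan(lines):
    """Run every rule over a sequence of event lines and collect the alerts in order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for rule in evaluate(event):
            alerts.append({
                "ts": event.get("ts"),
                "rule": rule,
                "image": basename(event.get("image")),
                "detail": event.get("cmdline") or event.get("dest"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["rule"]:<32} {alert["image"]:<15} {alert["detail"]}')
```

Run against the sample, the three malicious events each raise exactly one alert while the three benign ones raise none; the parent/child rule is the most durable of the three, since the chain cannot avoid the document's host application starting the first interpreter, whereas switch names and destinations change between campaigns.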