PowerWare ransomware, a new fileless threat in the wild

Experts at Carbon Black spotted in the wild a new threat dubbed PowerWare ransomware that exploits PowerShell, the native Windows framework.

Authors of ransomware are implementing new features to make their malware even more dangerous and effective. Yesterday I wrote about the new Petya ransomware, which overwrites MBR causing a blue screen of death, now I will introduce you a threat targeting the healthcare industry.

The new ransomware is called PowerWare and was discovered a week ago by security researchers at the Carbon Black firm.

The most interesting feature implemented in the PowerWare ransomware is that it is fileless. Many malware in the wild are fileless, including one of the variants of the popular Angler Exploit Kit, but this feature is rare for ransomware.

Criminal gangs behind PowerWare are spreading it using spam messages including a Word document attachment purporting to be an invoice. The attackers use an old trick in order to convince victims in enabling the macros, they request to enable macros to correctly view the document.

The macros runs the cmd.exe which launches the PowerShell, the native Windows framework that uses a command-line shell to perform several tasks.

The use of PowerShell allows the ransomware to avoid writing files to the disk and make hard the threat detection. It also allows the ransomware to encrypt files on the victim’s PC.

“The macros are there to launch PowerShell and pull down the ransomware script. Lots of malware can be distributed via macros in Word docs. Most of the time they download additional binaries to do more bad stuff (backdoors, etc.),” Valdez said.

“This does not pull down any additional binaries (executables), and leverages PowerShell (already on the system and approved to be there) to do the dirty work.”

“This means no ‘traditional’ malware – no additional executable needed – just a text document (script).”

The PowerShell ransomware requests victims to pay a $500 ransom to restored the encrypted files. Also in this case, the ransom double if the victim’s doesn’t respect the deadline.

Fileless ransomware could become rapidly popular in the criminal ecosystem, on March 11, the researchers at Palo Alto Networks, spotted a new malware family called PowerSniff that has many similarities with PowerWare, including the fileless capability.

Pierluigi Paganini

(Security Affairs – PowerWare ransomware , cybercrime)