PowerWare, a new ransomware has been detected, which leverages Windows PowerShell to-do the work. The ransomware targets enterprises using Microsoft Word and PowerShell. PowerShell is the scripting language intrinsic to Microsoft operating systems. This ransomware mainly targets healthcare organizations.
The dubbed PowerWare ransomware is being circulated through a common attack method, phishing emails containing Word documents with malicious macros. The attack is impersonated as an invoice.
PowerWare is a new instance of ransomware employing native tools such as PowerShell on operating systems. Outdated ransomware variants generally install new malicious files on the system, which can be detected easily in some cases. PowerWare requests PowerShell, an essential utility of current Windows systems to do the job. The ransomware tries to neglect writing new files to disk and attempts to mix in with more genuine system activity, by using PowerShell as the support.
One of the most alluring features of PowerWare is that it is fileless. PowerWare is an unusual approach to ransomware, demonstrating a growing trend of malware authors thinking innovatively in delivering ransomware. PowerWare is misleadingly simple in code.
Windows PowerShell is used in various malware samples related to cyber espionage and not just used in ransomware. It offers very flexible functionality to work with the operating system of victims.
The PowerShell script is the simplest way to recover and deliver its payload. The progress shows that to begin their attacks, cyber-criminals are forming new variations of ransomware using macros.
In order to restore the encrypted files, the victims of PowerShell ransomware are asked to pay a ransom of $500, which doubles to $1000 after two weeks.
Organizations should step up their observance of phishing attacks, should disable macros and ensure system backups. It will be good if users avoid opening files with macros unless they are thoroughly sure that the file came from a trusted source. Using a powerful endpoint security solution like SecPod Saner can prevent your systems from being compromised. Through continuous visibility across thousands of endpoints, Saner can proactively detect threats and attacks and remediate them instantly.
Though PowerWare’s performance is different from that of popular ransomware families, the use of PowerShell to perform file encryption on the compromised system is traditional.
Fileless ransomware is expected to become popular. Ensure that your systems are protected and remain protected against threats.
– Rini Thomas