- Slow Computer
- System crashes
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
PowerWare Ransomware, also known as PoshCoder, is a Trojan-type infection designed to encrypt your personal files and demand that you pay a ransom in exchange for the decryption key and the decryption program. We urge you not to pay the ransom because you might not receive them. You cannot trust the cyber criminals to keep their word because they are not concerned with you getting your files back. All they care about is making money, so we suggest that you remove this infection from your PC. In this short description, we will discuss its functions, encryption, distribution, and so on, so if your PC has been infected with it, please continue reading.
Let us begin with this ransomware's dissemination methods to determine how your computer might have been infected. We have discovered that PowerWare Ransomware is distributed using email spam disguised as legitimate email. The emails can be disguised as invoices, receipts, and so on, but the most important thing is that they contain a Microsoft Office Word document. The document's text may appear distorted, and the email may ask you to enable macros in Microsoft Word. If you have done this, then this is how your computer became infected with this ransomware.
We have recently observed a new trend in ransomware development that involves using a PowerShell script to run the ransomware. An infection called Anonpop Ransomware uses a similar method, and a Trojan that is not a ransomware, Trojan Vawtrak, uses this same method as well. The PowerShell script is used to bypass antimalware programs and infect your computer secretly, because these programs do not have to rely on the traditional executables that antimalware scanners pay the most attention to.
Our research has revealed that the malicious .docx file runs the malicious code through cmd.exe, which launches PowerShell to run the malicious PowerWare Ransomware code, named fixed.ps1. The malicious PowerShell code is placed in a folder created specifically for hosting it, under %TEMP%\Quest Software\PowerGU. The folder in question is randomly named, and the name consists of 36 symbols.
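The execution chain described above (Word document, then cmd.exe, then PowerShell running a .ps1 from a folder under %TEMP%) is what a defender would look for in process-creation telemetry. The following is an added example, not code from the original article or from the malware: it runs a simple parent-chain check over constructed sample events. The process IDs, user name, and the 36-character folder name are made up; the `ProcEvent` structure and the `find_office_to_powershell` function are assumptions of this example, not a real product's API.

```python
# Added example (not from the original article): flag the Word -> cmd.exe
# -> powershell.exe execution chain described in the text, using constructed
# process-creation events modelled on that description (not real telemetry).
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable file name as logged
    cmdline: str   # full command line as logged


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# A .ps1 script run from somewhere under a Temp directory, as the article
# describes for fixed.ps1 (the folder name itself is random, so match loosely).
TEMP_PS1 = re.compile(r"\\temp\\.*\.ps1", re.IGNORECASE)

# Constructed sample events: explorer starts Word on the spam attachment,
# Word spawns cmd.exe, cmd.exe spawns powershell.exe to run fixed.ps1 from the
# randomly named folder. The 36-character folder name below is made up.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\WINWORD.EXE" invoice.docx'),
    ProcEvent(300, 200, "cmd.exe",
              r'cmd.exe /c powershell.exe -File "C:\Users\jdoe\AppData\Local\Temp\Quest Software\PowerGU\a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6\fixed.ps1"'),
    ProcEvent(400, 300, "powershell.exe",
              r'powershell.exe -File "C:\Users\jdoe\AppData\Local\Temp\Quest Software\PowerGU\a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6\fixed.ps1"'),
    # Benign control: an administrator running a script from explorer, no Office parent.
    ProcEvent(500, 100, "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
]


def ancestors(ev, by_pid):
    """Return the parent chain of ev, nearest parent first (cycle-safe)."""
    chain = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_office_to_powershell(events):
    """Flag powershell.exe processes that descend from an Office application
    and either pass through cmd.exe or run a .ps1 out of a Temp directory."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.image.lower() != "powershell.exe":
            continue
        chain = ancestors(ev, by_pid)
        names = [a.image.lower() for a in chain]
        from_office = any(n in OFFICE_APPS for n in names)
        via_cmd = "cmd.exe" in names
        temp_ps1 = TEMP_PS1.search(ev.cmdline) is not None
        if from_office and (via_cmd or temp_ps1):
            findings.append({
                "pid": ev.pid,
                "chain": " -> ".join([a.image for a in reversed(chain)] + [ev.image]),
                "via_cmd": via_cmd,
                "temp_ps1": temp_ps1,
            })
    return findings


if __name__ == "__main__":
    for finding in find_office_to_powershell(SAMPLE_EVENTS):
        print(finding)
```

Only the PowerShell process launched from the Word document is reported; the administrator's script run directly from explorer.exe is not. The check is deliberately keyed on the parent chain rather than on the script's file name, because the folder name is random and the script deletes itself once encryption completes, so the process relationship is the more durable signal.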
Once everything is in place, the ransomware scans the computer for particular file formats, including but not limited to .docx, .xls, .pdf, .xlsx, .mp3, .jpeg, .jpg, .txt, .rtf, .doc, and .rar, and begins encrypting them. Note that this program is configured to encrypt more than a hundred file formats, so it will encrypt almost all files on your PC with the exception of the system files needed to boot and run the operating system. It encrypts the files with unique RSA-2048 and AES-128 encryption ciphers and uploads the private key to a remote server controlled by the cyber criminals. PowerWare Ransomware does not encrypt the entire file, only its first 2048 bytes, and appends the .locky extension to the file name.
After the encryption is complete, the ransomware creates a file called _HELP_instructions.html that acts as the ransom note and contains information on how to pay the ransom. The file also contains a personal ID number that is tied to the private key needed to decrypt your files. Furthermore, once the encryption is complete, the file fixed.ps1 deletes itself from your computer. The amount of money to be paid is not specified, and the Tor web pages listed in the ransom note were offline at the time of the research, so paying the ransom is not possible in such a scenario. At any rate, we have received information that the cyber criminals want you to pay 500 USD in Bitcoins. However, the ransom is set to increase to 1000 USD after two weeks of not paying it.
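The two paragraphs above give a defender three concrete artefacts to look for when assessing the damage on an infected machine: file names ending in .locky, a first 2048 bytes that are ciphertext while the rest of the file is untouched, and the _HELP_instructions.html ransom note. The following triage script is an added example, not code from the original article or from the malware: it walks a directory, reports the ransom notes it finds, and for each .locky file compares the entropy of the first 2048 bytes against the remainder. The sample victim tree is constructed inside the script (random bytes standing in for the encrypted head, repetitive text for the untouched tail), and the entropy thresholds are heuristics chosen for this example.

```python
# Added example (not from the original article): triage a directory for the
# artefacts described in the text. Nothing here encrypts anything; the sample
# tree is constructed to look like the aftermath the article describes.
import math
import random
import tempfile
from pathlib import Path

HEAD_LEN = 2048                   # bytes the article says are encrypted per file
ENCRYPTED_EXT = ".locky"          # extension appended to encrypted files
RANSOM_NOTE = "_HELP_instructions.html"
CIPHERTEXT_MIN_ENTROPY = 7.0      # heuristic, bits per byte (assumption of this example)
PLAINTEXT_MAX_ENTROPY = 6.0       # heuristic, bits per byte (assumption of this example)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_file(path: Path) -> dict:
    """Compare the first 2048 bytes of a file against the rest of it."""
    data = path.read_bytes()
    head, tail = data[:HEAD_LEN], data[HEAD_LEN:]
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    return {
        "name": path.name,
        "head_entropy": round(head_e, 2),
        "tail_entropy": round(tail_e, 2),
        # head looks like ciphertext while the tail still looks like plaintext
        "partial_encryption": (head_e >= CIPHERTEXT_MIN_ENTROPY
                               and len(tail) > 0
                               and tail_e <= PLAINTEXT_MAX_ENTROPY),
    }


def triage_directory(root: Path) -> dict:
    """Collect ransom notes and per-file verdicts for every .locky file under root."""
    notes = sorted(p.relative_to(root).as_posix() for p in root.rglob(RANSOM_NOTE))
    files = [triage_file(p) for p in sorted(root.rglob("*" + ENCRYPTED_EXT))]
    return {"ransom_notes": notes, "encrypted_files": files}


def build_sample_tree(root: Path) -> None:
    """Constructed victim directory: one partially 'encrypted' file (seeded
    pseudo-random head, repetitive text tail), one untouched file and one
    placeholder ransom note. None of this is real malware output."""
    docs = root / "Documents"
    docs.mkdir()
    rng = random.Random(2016)
    fake_head = bytes(rng.getrandbits(8) for _ in range(HEAD_LEN))
    intact_tail = b"Quarterly figures, see table 1.\n" * 200
    (docs / ("report.docx" + ENCRYPTED_EXT)).write_bytes(fake_head + intact_tail)
    (docs / "notes.txt").write_bytes(b"meeting notes\n" * 50)
    (docs / RANSOM_NOTE).write_text("<html>constructed placeholder ransom note</html>")


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_directory(root)


if __name__ == "__main__":
    result = demo()
    print("ransom notes:", result["ransom_notes"])
    for verdict in result["encrypted_files"]:
        print(verdict)
```

The entropy comparison is only a heuristic. It works for documents and text, where the untouched tail is clearly lower-entropy than the encrypted head, but already-compressed formats such as .jpg, .mp3, .rar, and the ZIP container of a real .docx have high entropy throughout, so for those the extension and the ransom note are the more reliable indicators. The useful point for recovery planning is that everything past byte 2048 of each file is still readable, which is what makes a third-party decryptor, and format-specific repair of the head, plausible.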
PowerWare Ransomware's developers demand a hefty ransom in exchange for the decryption tool and key, and it may be uneconomical to pay it, especially if you have backups of your most important files. This ransomware's encryption is not strong, so we will probably see a third-party decryption tool soon, and you can wait for it to decrypt your files for free. As mentioned, this ransomware is set to remove itself, but in the event it does not, we have created a guide that will help you locate and remove its files.