CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



PowerWare Ransomware Abuses PowerShell, Office Macros

A new fileless ransomware family has been discovered, which abuses Windows’ PowerShell for nefarious activities, a novel approach to ransomware, Carbon Black researchers warn.

A new fileless ransomware family has been discovered, which abuses Windows’ PowerShell for nefarious activities, a novel approach to ransomware, Carbon Black researchers warn.

Dubbed PowerWare, this piece of malware is being delivered via a more traditional method, namely macro-enabled Microsoft Word documents, but it no longer writes malicious files to disk, as most ransomware does. Instead, it calls for PowerShell, a core utility of current Windows systems, to perform malicious operations, thus attempting to blend in with more legitimate computer activity.

Ransomware has evolved over the past several months to become one of the biggest threats to both consumers and enterprises, courtesy of families such as CryptoWall, Locky, and Teslacrypt. Ransomware is often delivered via malicious emails and via Exploit Kits, and cybercriminals appear determined to employ new techniques to make their malware more efficient.

Most recently, ransomware started attacking hospitals, and PowerWare first emerged in a campaign targeting a healthcare organization, Carbon Black researchers reveal. The ransomware is delivered via malicious Word documents that use embedded macros to spawn “cmd.exe” on the target computer, which in turn calls PowerShell to download and run the PowerWare code.

Researchers noticed that, as soon as the user enables the macros to run in the malicious document, cmd.exe spawns and launches two instances of PowerShell, one to download the ransomware script, and the second to start with the script as input. The script generates random numbers for the encryption key and for the UUID assigned to the endpoint.

The script also sends the information to the attacker controlled host via HTTP, and does that in plain text, an approach that actually creates an operational weakness. Basically, users who have a full capture packet solution can analyze the traffic to identify the right domain and IP info and retrieve the encryption key.

After communicating with the command and control server, the script encrypts files that have specific extensions (it can encrypt a broad range of file formats, the researchers found out). The ransomware also includes an HTML file in every folder with encrypted files, providing users with information on how they can regain access to their files and demanding a $500 ransom (which doubles after two weeks).

While PowerWare’s behavior is different from that of popular ransomware families out there, the use of PowerShell to perform file encryption on compromised systems is not new, but was observed in 2014 by Sophos researchers analyzing a piece of Russian ransomware. Cybercriminals have been abusing PowerShell in other malware as well, with the most recent example being PowerSniff.

Advertisement. Scroll to continue reading.
Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...