Security Experts:

Connect with us

Hi, what are you looking for?



PowerWare Ransomware Abuses PowerShell, Office Macros

A new fileless ransomware family has been discovered, which abuses Windows’ PowerShell for nefarious activities, a novel approach to ransomware, Carbon Black researchers warn.

A new fileless ransomware family has been discovered, which abuses Windows’ PowerShell for nefarious activities, a novel approach to ransomware, Carbon Black researchers warn.

Dubbed PowerWare, this piece of malware is being delivered via a more traditional method, namely macro-enabled Microsoft Word documents, but it no longer writes malicious files to disk, as most ransomware does. Instead, it calls for PowerShell, a core utility of current Windows systems, to perform malicious operations, thus attempting to blend in with more legitimate computer activity.

Ransomware has evolved over the past several months to become one of the biggest threats to both consumers and enterprises, courtesy of families such as CryptoWall, Locky, and Teslacrypt. Ransomware is often delivered via malicious emails and via Exploit Kits, and cybercriminals appear determined to employ new techniques to make their malware more efficient.

Most recently, ransomware started attacking hospitals, and PowerWare first emerged in a campaign targeting a healthcare organization, Carbon Black researchers reveal. The ransomware is delivered via malicious Word documents that use embedded macros to spawn “cmd.exe” on the target computer, which in turn calls PowerShell to download and run the PowerWare code.

Researchers noticed that, as soon as the user enables the macros to run in the malicious document, cmd.exe spawns and launches two instances of PowerShell, one to download the ransomware script, and the second to start with the script as input. The script generates random numbers for the encryption key and for the UUID assigned to the endpoint.

The script also sends the information to the attacker controlled host via HTTP, and does that in plain text, an approach that actually creates an operational weakness. Basically, users who have a full capture packet solution can analyze the traffic to identify the right domain and IP info and retrieve the encryption key.

After communicating with the command and control server, the script encrypts files that have specific extensions (it can encrypt a broad range of file formats, the researchers found out). The ransomware also includes an HTML file in every folder with encrypted files, providing users with information on how they can regain access to their files and demanding a $500 ransom (which doubles after two weeks).

While PowerWare’s behavior is different from that of popular ransomware families out there, the use of PowerShell to perform file encryption on compromised systems is not new, but was observed in 2014 by Sophos researchers analyzing a piece of Russian ransomware. Cybercriminals have been abusing PowerShell in other malware as well, with the most recent example being PowerSniff.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.