Ransomware uses Microsoft PowerShell to target organisations

Thursday 31 March 2016 09:00 CET | News

Cyber criminals have created ransomware that uses PowerShell, Microsoft's scripting language for system administration.

The ransomware, called PowerWare, was discovered by security company Carbon Black when a healthcare organisation was targeted through a phishing email campaign. PowerWare targets organisations through a macro-enabled Microsoft Word document, such as a fake invoice. The document launches two instances of PowerShell: one downloads the ransomware script, and the other takes the script as input and runs the malicious code, which encrypts files on the target system and demands payment for releasing them. PowerWare initially asks for USD 500, but the requested amount is doubled if the ransom is not paid after two weeks.

This approach of using PowerShell to retrieve and execute the malicious code means the ransomware can avoid writing new files to disk and blend in with legitimate activity, making it difficult to detect.

The Carbon Black researchers said organisations that have systems in place for full packet capture should be able to recover the encryption keys.
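
Even when no script file is written to disk, process-creation logging can still show an Office application as the parent of PowerShell, as in the launch chain described above. The following Python is an added example, not code from Carbon Black or the original article: it flags Office processes that spawn PowerShell and raises the severity when one parent starts two instances close together. The events are constructed, their field names are modelled on Sysmon process-creation events, and the 60-second window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample events; field names modelled on Sysmon process creation.
WORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"UtcTime": "2016-03-25 10:15:02", "ParentProcessId": 4120, "ParentImage": WORD, "Image": PS},
    {"UtcTime": "2016-03-25 10:15:05", "ParentProcessId": 4120, "ParentImage": WORD, "Image": PS},
    {"UtcTime": "2016-03-25 10:16:40", "ParentProcessId": 4120, "ParentImage": WORD,
     "Image": r"C:\Windows\splwow64.exe"},           # printing helper, benign
    {"UtcTime": "2016-03-25 11:02:10", "ParentProcessId": 812,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": PS},  # admin use
    {"UtcTime": "2016-03-25 13:30:00", "ParentProcessId": 5500, "ParentImage": EXCEL, "Image": PS},
]


def find_office_powershell(events, window=WINDOW):
    """Return {parent_pid: severity} for Office processes that spawned PowerShell.

    "medium": the Office process started PowerShell at least once.
    "high":   it started two PowerShell instances within `window`,
              matching the two-instance pattern described in the article.
    """
    spawns = defaultdict(list)
    for ev in events:
        parent = basename(ev["ParentImage"]).lower()
        child = basename(ev["Image"]).lower()
        if parent in OFFICE_PARENTS and child == "powershell.exe":
            when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            spawns[ev["ParentProcessId"]].append(when)

    findings = {}
    for ppid, times in spawns.items():
        times.sort()
        paired = any(b - a <= window for a, b in zip(times, times[1:]))
        findings[ppid] = "high" if paired else "medium"
    return findings


if __name__ == "__main__":
    for ppid, severity in sorted(find_office_powershell(EVENTS).items()):
        print(f"parent pid {ppid}: Office -> PowerShell, severity {severity}")
```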


Keywords: ransomware, security, encryption, online, PowerShell
Categories: Fraud & Financial Crime
Countries: World