sb-nz logo
Story image

PowerWare ransomware imitates locky malware family

01 Aug 2016

Unit 42 has recently discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family. PoshCoder has been encrypting files with PowerShell since 2014, and the new variant named PowerWare was reported in March 2016. The malware is responsible for encrypting files on a victim’s machine and demanding a ransom via the Bitcoin cryptocurrency.

In addition to using the ‘.locky’ filename extension on encrypted files, this PowerWare variant also uses the same ransom note as the Locky malware family. This is not the first time PowerWare has imitated other malware families, as earlier versions have been known to use the CryptoWall ransom note. Other instances of ransomware have also been known to borrow code from others, such as the TeslaCrypt ransomware family.

Unit 42 has written a Python script that will recursively seek out .locky files on a victim machine and restore them to their original state. The decrypter can be found here.

The following screenshot shows an example of the script running on an infected Windows machine.

It is our hope that this script will assist victims that have been affected by this variant of PowerWare.

While this sample may appear to be new, it is in fact a variant of the previously discovered PowerWare malware family. Unlike other variants, this sample purports to be the Locky malware family.

Palo Alto Networks customers are protected from this threat in the following ways:

  • All domains and IP addresses associated with this malware are correctly flagged as malicious.
  • All samples encountered within this campaign are correctly identified as malicious by WildFire.
  • An AutoFocus tag exists for the tracking and identification of this malware family.

Article by Tyler Halfpop & Jacob Soo, Palo Alto Networks

Story image
Video: 10 Minute IT Jams - SonicWall VP on the benefits of Boundless Cybersecurity
Today's interviewee will discuss the ins and outs of the company's Boundless Cybersecurity solution and how it can help APAC organisations adjust to the new normal, as well as explaining the 'cybersecurity business gap'.More
Story image
ThreatQuotient & Infoblox integrate threat intelligence capabilities
“Together, our integration eases the consumption of threat intelligence from various internal and external sources to ensure that intelligence is accurate, relevant and timely to an organisation’s business.”More
Story image
Research: NZ easy-pickings for cyber-criminals
One in ten businesses would be willing to pay $50,000-plus to retrieve ransomed data and half aren’t aware of the incoming data privacy laws.More
Story image
Data leakage concerns dominate cloud security perceptions - Bitglass report
How secure is the public cloud? That’s what many IT and security professionals are asking as data leakage becomes a pressing concern for organisations and their data protection strategies.More
Story image
DevSecOps increasingly important, but APAC organisations lagging behind
The rise of DevSecOps comes at a time when IT leaders are faced with an increasingly active cyber threat landscape, coupled with higher consumer expectations of digital offerings and application usage due to a sharp increase in online activities.More
Story image
Why 2021 will be the year of catch-up
The transition to remote work and new online contactless business models is not temporary and is affecting the future strategy on how organisations invest in cybersecurity, writes Radware vice president and managing director for EMEA and LATAM, Rob Hartley.More