Ransomware which identifies as a different type of Bitcoin ransomware is not something we see every day. Scare and intimidation tactics are not uncommon in the world of malware and malicious tools, though. Powerware, a new ransomware recently discovered seems to take on the appearance of Locky. The goal is rather simple: scare victims into paying the Bitcoin ransom.
PowerWare Is PiggyBacking in An Odd Way
As if ransomware is not a big enough threat, things get even more interesting when one malware tries to be something else. The latest variant of the PowerWare ransomware is riding on the Locky coattails, as the developers hope to increase their revenue by employing this tactic.
What this new version of PowerWare does is use the same file extension to encrypt data as if Locky would be involved. Moreover, the same ransom note is being used, and the help instructions are a clear copy of the Locky message.An interesting tactic for sure, although it remains to be seen how successful this approach will be.
It has to be said; PowerWare is one of the less powerful types of ransomware in the wild today. With static hard-coded encryption keys and its “weaker” psychological approach, PowerWare has not been a significant source of revenue so far. Mimicking a more powerful and evolved version of malware puts a different spin on things for sure.
To be more precise, it is possible to decrypt PowerWare with a very simple Python script. Security researchers of Unit 42 put together this script quite some time ago, which lets users restore file access without paying a dime. It is not the first time ransomware can be decrypted with relative ease, so PowerWare is not the exception in this regard.
What is even more surprising is how PowerWare has been attempting to intimidate other ransomware versions in the past. One particular version of this malware contained the same ransom note as found in CryptoWall, one of the most dangerous types of malware to date. But different strains of PowerWare contained references to TeslaCrypt variants as well.
The distribution method of PowerWare is unique, though.Using macro-enabled Word Documents has become the new trend to distribute malicious software on a large scale. Moreover, the software cloaks its activities by using Windows Powershell, which can be found in any version of the modern Windows operating system.
For now, when users get infected with Bitcoin ransomware, make sure to check out which version it is. Any reference to PowerWare means it can be decrypted free of charge. If it turns out to be Locky, though, things are very different. Always make sure to back up important files on a regular basis, and keep antivirus software up-to-date at all times.
Source: Threatpost
Header image courtesy of Shutterstock