SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Breach Prevention
#
Cybersecurity
#
Firewall
PowerWare ransomware imitates locky malware family
Mon, 1st Aug 2016
FYI, this story is more than a year old
By Tyler Halfpop - Jacob Soo, Palo Alto Networks
Follow us

Unit 42 has recently discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family. PoshCoder has been encrypting files with PowerShell since 2014, and the new variant named PowerWare was reported in March 2016. The malware is responsible for encrypting files on a victim's machine and demanding a ransom via the Bitcoin cryptocurrency.

In addition to using the ‘.locky' filename extension on encrypted files, this PowerWare variant also uses the same ransom note as the Locky malware family. This is not the first time PowerWare has imitated other malware families, as earlier versions have been known to use the CryptoWall ransom note. Other instances of ransomware have also been known to borrow code from others, such as the TeslaCrypt ransomware family.

Unit 42 has written a Python script that will recursively seek out .locky files on a victim machine and restore them to their original state. The decrypter can be found here.

The following screenshot shows an example of the script running on an infected Windows machine.

It is our hope that this script will assist victims that have been affected by this variant of PowerWare.

While this sample may appear to be new, it is in fact a variant of the previously discovered PowerWare malware family. Unlike other variants, this sample purports to be the Locky malware family.

Palo Alto Networks customers are protected from this threat in the following ways:

  • All domains and IP addresses associated with this malware are correctly flagged as malicious.
  • All samples encountered within this campaign are correctly identified as malicious by WildFire.
  • An AutoFocus tag exists for the tracking and identification of this malware family.
Related stories
Half of online traffic in 2024 generated by bots, report finds
Spirent partners with online payments platform to boost cyber defenses
Understanding the key to boosting cybersecurity habits: Kaspersky study
Axis unveils hybrid cloud platform for adaptable security solutions
Keeper Security launches user-friendly passphrase generator
Top stories
Fortinet recognised as Challenger in Gartner's 2024 Magic Quadrant for SSE
Coalition integrates cyber risk platform with top cloud services providers
i-PRO to support Genetec SaaS with new AI-enabled camera models
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption
RiverSafe teams up with Cribl to boost IT & data security services