Ransomware has been the dominant nuisance to cyber security in 2016 thus far, and doesn’t seem to show any signs of slowing down. In recent news, the main target of a ransomware attack has been hospitals and health care organizations that have been left paying ransoms to unlock their encrypted files. The Carbon Black Threat Research team exposed a new strain of ransomware, that they have called “PowerWare”, after a failed phishing attack targeted at a healthcare organization. Attackers can now target organizations via Microsoft Word and PowerShell, the scripting language integral to Microsoft operating systems. It is a relatively simple, yet deceptive code that utilizes PowerShell to do its heavy lifting. Typically, ransomware will install malicious files onto the victim’s system, but through use of PowerShell, PowerWare is able to avoid writing these new codes and attempts to blend in with the victim’s authentic computer activity.
The attacker will send a user an email with a Word document attachment and when the user opens the file, they are directed to enable macros. In doing so, the command center is opened and the malicious script can be entered, and will blend into the background. The system will then be locked down until a ransom is paid.
“Our research found that PowerWare is delivered via a macro-enabled Microsoft Word document. The Word document then uses macros to spawn “cmd.exe,” which in turn calls PowerShell with options that will download and run the malicious PowerWare code,” according to Carbon Black researchers Rico Valdez and Mike Sconzo. The attackers initially ask for a $500 USD ransom, which eventually increases to $1000 USD after two weeks.
[i] Image retrieved from Carbon Black
In a statement to SC Magazine, Tim Erlin, Tripwire’s Director of IT Security and Risk Strategy said “ransomware authors are always trying to evolve to avoid detection, and using built-in Windows capabilities makes the malicious activity less noticeable. This ransomware may change its encryption technique, but it still requires an entry point onto the system. Malicious Word files sent through emails and the use of Microsoft Office macros is tried-and-true vector for this new malware.”
We recommend that the best practice to follow is to back up your data to a secure external hard drive. It can be hard for organizations to constantly be monitoring their systems, and even harder to ensure their employees do not fall victim to phishing and malware email attacks. Ensuring your data is backed up, can minimize the severity of such attacks, and save your organization from being held hostage for money. You should also ensure anti-virus is actively running on your devices and to keep it up to date.
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.
[i] To see more details from Carbon Black, read here: