New PowerWare Ransomware Variant Mimics Locky

Palo Alto Networks’ Unit 42 team has reported the discovery of a new PowerWare ransomware variant that pretends it is Locky in an attempt to fool users into paying the ransom demand. At present there is no decryption tool available to unlock files that have been locked by Locky ransomware, although decryption tools do exist to unlock PowerWare ransomware infections.

PowerWare ransomware was first discovered in March 2016, although it has been around in a different format since 2014 when it was known as PoshCoder. PoshCoder also mimicked other ransomware variants in an attempt to get users to think that there was no way of recovering files without paying the ransom. In the past, PoshCoder has used the same ransom notes that were used by the gangs behind TeslaCrypt and CryptoWall.

The new PowerWare ransomware variant encrypts users’ files using AES-128 encryption, although a static key is used which has made it possible to develop a decryption tool. The decryption tool from Palo Alto Networks is a Python script that is able to extract the key and decrypt infected files locked by PowerWare.

However, many PowerWare ransomware victims may end up paying the ransom in the belief they have been infected with Locky. The same language is used for the ransom note as has been used for Locky infections. The note offers the victim the Locky decryptor in exchange for a $500 payment paid in Bitcoin. To help with the deception, the new PowerWare ransomware variant also adds the .locky extension to encrypted files.

As with Locky, PowerWare is distributed via spam email and uses malicious Word macros. If an email recipient is convinced to open the malicious file attachment and run the macro, it will launch PowerShell which is used to download the ransomware onto the device.

While a decryption tool is available to unlock PowerWare infections, there is no telling how long it will remain effective. Ransomware authors frequently update their malicious software and correct flaws that have been exploited by security companies. The next release of PowerWare may not be such an easy nut to crack. It is therefore essential to ensure that a viable backup of files exists to enable recovery without paying the ransom.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of