In March this year, security researchers noticed a new version of the PowerWare ransomware that tries to imitate the popular Locky ransomware. More importantly for users, the experts have also found a way to unlock the files encrypted by PowerWare.
Researchers from Carbon Black first noticed the PowerWare ransomware in March this year. The threat is a more complex version of the PoshCoder ransomware, which was first spotted in 2014. From the very beginning, PowerWare lacked both sophistication and personality, trying hard to pass as another, more sophisticated ransomware: first CryptoWall, later TeslaCrypt.
The March version of PowerWare also sought to pass as TeslaCrypt, but when TeslaCrypt's authors decided to cease their operations in May, PowerWare's developers had no choice but to give up the TeslaCrypt cover and pick a new one.
Experts from Palo Alto Networks report that PowerWare's creators chose Locky, and they made a good choice, as it is one of the most active ransomware variants today.
The most recent versions of PowerWare append the .locky extension to encrypted files, use the same ransom notes as Locky, word for word, and even employ the same graphics and wording on their ransom payment website as the real Locky.
The similarities between PowerWare and Locky are, of course, no accident: the creators of PowerWare want to hide an inferior ransomware family behind the reputation of a more powerful threat.
The security experts from Palo Alto report that PowerWare, which performs its file encryption in PowerShell, encrypts data with AES-128 but neither generates a random key nor retrieves one from a server; instead it uses a key embedded in its source code.
Palo Alto's experts have capitalized on this design weakness and created a Python script that ransomware victims can run from the Windows command line to decrypt their files.
Besides, PowerWare encrypts only the first 2048 bytes of each targeted file, which shows either its developers' lack of skill or a lackadaisical attitude to building a proper threat; either way, it is a poor attempt at creating a ransomware family.
Jakub Kroustek, a security researcher at AVG, said that previous versions of PowerWare also employed the same simple algorithm, encrypting only the first 2048 bytes of the targeted files.
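The two weaknesses described above, a key embedded in the source and encryption limited to the first 2048 bytes of each file, can be shown together in a small model. The following is an added illustration written for this article; it is not PowerWare's code and not Palo Alto's decryptor. The 16-byte key, the use of ECB mode (the article names AES-128 but neither a mode nor an IV), the sample "document", and the simplification that only whole 16-byte blocks inside the head are transformed are all constructed assumptions; the 2048-byte head size is the one the article reports. AES-128 is written out in plain Python so the example runs with the standard library alone, and `recover_file` is the point: once the constant key is known, one routine undoes every affected file.

```python
"""Why an embedded static key is a fatal flaw in a file encryptor: whoever extracts the key
can undo every file. Added illustration, not PowerWare's code or Palo Alto's script.
Constructed here: the 16-byte key, ECB mode (the article names AES-128 but no mode or IV),
the sample file, and the rule that only whole 16-byte blocks in the head are touched."""

HEAD = 2048                       # article: only the first 2048 bytes are encrypted
EMBEDDED_KEY = bytes(range(16))   # constructed stand-in for a key baked into the source

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial 0x11b."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    """General GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box: multiplicative inverse then the affine transform (FIPS-197 5.1.1)."""
    sbox = []
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):   # x^254 == x^-1 in GF(2^8); 0 maps to 0
            inv = _gmul(inv, x)
        s = inv
        for i in range(1, 5):              # XOR in the four left rotations of inv
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _expand_key(key):
    """Expand a 16-byte key into 11 round keys of 16 bytes (FIPS-197 5.2)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                     # RotWord, SubWord, Rcon on every fourth word
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[r * 4:r * 4 + 4], []) for r in range(11)]

def _shift_rows(s, inverse=False):
    """Rotate row r of the column-major state by r places (left; right when inverting)."""
    return [s[r + 4 * ((c - r if inverse else c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s, inverse=False):
    m = (14, 11, 13, 9) if inverse else (2, 3, 1, 1)   # first row of the circulant matrix
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= _gmul(m[(j - r) % 4], col[j])
            out.append(v)
    return out

def aes128_encrypt_block(block, rk):
    s = [a ^ b for a, b in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != 10:
            s = _mix_columns(s)
        s = [a ^ b for a, b in zip(s, rk[rnd])]
    return bytes(s)

def aes128_decrypt_block(block, rk):
    s = [a ^ b for a, b in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, inverse=True)]
        s = [a ^ b for a, b in zip(s, rk[rnd])]
        if rnd != 0:
            s = _mix_columns(s, inverse=True)
    return bytes(s)

def _ecb(data, rk, fn):
    return b"".join(fn(data[i:i + 16], rk) for i in range(0, len(data), 16))

def encrypt_head(data, key=EMBEDDED_KEY):
    """Model of the flaw: AES-128 over the head with a constant key; the tail stays intact."""
    n = min(len(data), HEAD) // 16 * 16
    return _ecb(data[:n], _expand_key(key), aes128_encrypt_block) + data[n:]

def recover_file(data, key=EMBEDDED_KEY):
    """Since the key never changes, one extracted key undoes every affected file."""
    n = min(len(data), HEAD) // 16 * 16
    return _ecb(data[:n], _expand_key(key), aes128_decrypt_block) + data[n:]

# Constructed sample "document", long enough to extend past the 2048-byte head.
SAMPLE_FILE = b"%PDF-1.4 constructed sample document body line\n" * 80
```

Running `recover_file(encrypt_head(SAMPLE_FILE))` returns the original bytes, and everything past offset 2048 was never touched in the first place. Both facts are what made PowerWare recoverable: the key ships with the malware instead of being generated per victim or held on a server, and most of each file was left intact.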