PowerWare, also known as PoshCoder, is a type of fileless ransomware that targets Windows OS, especially systems within the healthcare sector. This variant spreads via phishing emails containing Word documents that are labeled as invoices and embedded with malicious macros. When these malicious attachments are opened, the executable leverages PowerShell to deliver the payload to the targeted system and encrypt the victim’s files. Because this technique writes no files to disk and blends in with legitimate activity on the system, PowerWare avoids raising any red flags.
UPDATE 7/22/2016: A newer version of PowerWare has been discovered imitating the Locky ransomware family.
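Added example (not part of the original profile): a detection check for the behaviour described above, a Word document that ends up launching PowerShell. It goes beyond the direct parent/child case by walking the process ancestry, so an intermediate process between the Office application and PowerShell is also caught. The event field names, the list of Office binaries and every sample event are assumptions constructed for illustration.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def ev(guid, parent_guid, image, cmdline):
    """Build one process-creation record (hypothetical, simplified schema)."""
    return {"guid": guid, "parent_guid": parent_guid, "image": image, "cmdline": cmdline}

# Constructed sample events; GUIDs, paths and command lines are made up.
SAMPLE_EVENTS = [
    ev("A1", "A0", r"C:\Windows\explorer.exe", "explorer.exe"),
    ev("A2", "A1", r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
       r'WINWORD.EXE /n "C:\Users\user\Downloads\invoice.doc"'),
    ev("A3", "A2", r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    ev("A4", "A3", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe <constructed arguments>"),
    # PowerShell opened by the user from the desktop: must not alert.
    ev("B1", "A1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe"),
]

def exe_name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()

def office_ancestor(event, by_guid, max_depth=8):
    """Return the nearest Office ancestor of `event`, or None."""
    seen = set()
    current = by_guid.get(event["parent_guid"])
    while current and current["guid"] not in seen and len(seen) < max_depth:
        if exe_name(current["image"]) in OFFICE:
            return current
        seen.add(current["guid"])          # guards against parent loops in bad data
        current = by_guid.get(current["parent_guid"])
    return None

def find_office_spawned_powershell(events):
    """Alert on every PowerShell process that descends from an Office process."""
    by_guid = {e["guid"]: e for e in events}
    alerts = []
    for e in events:
        if exe_name(e["image"]) not in POWERSHELL:
            continue
        office = office_ancestor(e, by_guid)
        if office:
            alerts.append({"powershell_guid": e["guid"], "office_guid": office["guid"],
                           "office_app": exe_name(office["image"]), "cmdline": e["cmdline"]})
    return alerts
```

Because nothing is written to disk, process lineage of this kind is one of the few signals available; the check depends on process-creation logging with command lines being enabled on the endpoint.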