One example of the PowerWare variant.

Image Source: Trend Micro

PowerWare, also known as PoshCoder, is a type of fileless ransomware that targets Windows OS, especially systems within the healthcare sector. This variant spreads via phishing emails containing Word documents labeled as invoices that are embedded with malicious macros. When these malicious attachments are opened, the executable leverages PowerShell to deliver the payload to the targeted system and encrypt the victim’s files. This technique prevents PowerWare from raising any red flags by not writing any files to disk and blending in with legitimate activity on the system.

UPDATE 7/22/2016: A newer version of PowerWare has been discovered imitating the Locky ransomware family.

  • Carbon Black has more information about PowerWare available here.
  • Palo Alto Networks has released a free decryption tool for the latest version of PowerWare here.