This allowed us to immediately know that the malware was using the PowerShell script editor that converts PowerShell scripts to Microsoft executable files.įigure 1 PowerGUI referenced within the decompiled malware variant NET decompilation program named dnSpy, we witnessed the word “PowerGUI” from Quest Software. After careful inspection of the malware using a.
Initial analysis of PowerWare showed that this sample is a. locky files on a victim machine and restore them to their original state. Unit 42 has written a Python script that will recursively seek out. Other instances of ransomware have also been known to borrow code from others, such as the TeslaCrypt ransomware family. This is not the first time PowerWare has imitated other malware families, as earlier versions have been known to use the CryptoWall ransom note. In addition to using the ‘.locky’ filename extension on encrypted files, this PowerWare variant also uses the same ransom note as the Locky malware family. The malware is responsible for encrypting files on a victim’s machine and demanding a ransom via the Bitcoin cryptocurrency. PoshCoder has been encrypting files with PowerShell since 2014, and the new variant named PowerWare was reported in March 2016. Unit 42 has recently discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family.
0 kommentar(er)
