Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Power Worm Ransomware Removal

Power Worm is a Ransomware written in Windows PowerShell. It uses PowerShell for its payload. It encrypts a user’s files on a compromised computer and demands a ransom for decrypting them. Unfortunately, a newer variant of the Ransomware has a bug in its code that cannot produce a valid key for decryption. Since there is only one key used for every victim, that deems all encrypted files unusable.

NamePower Worm Ransomware
TypeRansomware
Short DescriptionThe Ransomware encrypts files with certain extensions and demands payment for their decryption.
SymptomsFiles become inaccessible after encryption; a ransom note is being created for each folder with encrypted files.
Distribution MethodSpam emails, malicious email attachments, compromised websites hosting exploit kits, probably social networks and file sharing services as well.(targeted attacks)
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Power Worm Ransomware
User ExperienceJoin our forum to follow the discussion about Power Worm Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Power-worm-ransomware-ransom-note-cryptowall-copy-decrypt-instruction-html

Power Worm Ransomware – Distribution

There are a number of ways you could get infected with the Power Worm Ransomware.
The most common distribution method is known to be through malicious email attachments and spam emails. There are even cases, where an email itself also contains malicious code and upon opening the email, the user infects its computer with it, even if he doesn’t open the attachment inside.
Around social networks and file sharing services there could be similar attachments and files containing the Ransomware, disguised as something else.
Another common way of getting infected with the Ransomware is through exploit kits run from legitimate websites. For exploit kits to run, these websites must have been compromise, to have some sort of a security breach.

Power Worm Ransomware – In Detail

The Power Worm Ransomware is classified as a Ransomware. It was first discovered back in 2014 by TrendMicro Researchers. The Ransomware is written in Windows PowerShell and it uses it when executing payloads. It encrypts files on a compromised computer containing an immensely wider array of extensions than previous variants and demands a ransom for decrypting them, afterwards. The known file extensions which the newer variant of the Power Worm Ransomware searches for are:

*.pdf,*.xls,*.docx,*.xlsx,*.mp3,*.waw,*.jpg,*.jpeg,*.txt,*.rtf,*.doc,*.rar,*.zip,*.psd,*.tif,*.wma,*.gif,*.bmp,*.ppt,*.pptx,*.docm,*.xlsm,*.pps,*.ppsx,*.ppd,*.eps,*.png,*.ace,*.djvu,*.tar,*.cdr,*.max,*.wmv,*.avi,*.wav,*.mp4,*.pdd,*.php,*.aac,*.ac3,*.amf,*.amr,*.dwg,*.dxf,*.accdb,*.mod,*.tax2013,*.tax2014,*.oga,*.ogg,*.pbf,*.ra,*.raw,*.saf,*.val,*.wave,*.wow,*.wpk,*.3g2,*.3gp,*.3gp2,*.3mm,*.amx,*.avs,*.bik,*.dir,*.divx,*.dvx,*.evo,*.flv,*.qtq,*.tch,*.rts,*.rum,*.rv,*.scn,*.srt,*.stx,*.svi,*.swf,*.trp,*.vdo,*.wm,*.wmd,*.wmmp,*.wmx,*.wvx,*.xvid,*.3d,*.3d4,*.3df8,*.pbs,*.adi,*.ais,*.amu,*.arr,*.bmc,*.bmf,*.cag,*.cam,*.dng,*.ink,*.jif,*.jiff,*.jpc,*.jpf,*.jpw,*.mag,*.mic,*.mip,*.msp,*.nav,*.ncd,*.odc,*.odi,*.opf,*.qif,*.xwd,*.abw,*.act,*.adt,*.aim,*.ans,*.asc,*.ase,*.bdp,*.bdr,*.bib,*.boc,*.crd,*.diz,*.dot,*.dotm,*.dotx,*.dvi,*.dxe,*.mlx,*.err,*.euc,*.faq,*.fdr,*.fds,*.gthr,*.idx,*.kwd,*.lp2,*.ltr,*.man,*.mbox,*.msg,*.nfo,*.now,*.odm,*.oft,*.pwi,*.rng,*.rtx,*.run,*.ssa,*.text,*.unx,*.wbk,*.wsh,*.7z,*.arc,*.ari,*.arj,*.car,*.cbr,*.cbz,*.gz,*.gzig,*.jgz,*.pak,*.pcv,*.puz,*.r00,*.r01,*.r02,*.r03,*.rev,*.sdn,*.sen,*.sfs,*.sfx,*.sh,*.shar,*.shr,*.sqx,*.tbz2,*.tg,*.tlz,*.vsi,*.wad,*.war,*.xpi,*.z02,*.z04,*.zap,*.zipx,*.zoo,*.ipa,*.isu,*.jar,*.js,*.udf,*.adr,*.ap,*.aro,*.asa,*.ascx,*.ashx,*.asmx,*.asp,*.indd,*.asr,*.qbb,*.bml,*.cer,*.cms,*.crt,*.dap,*.htm,*.moz,*.svr,*.url,*.wdgt,*.abk,*.bic,*.big,*.blp,*.bsp,*.cgf,*.chk,*.col,*.cty,*.dem,*.elf,*.ff,*.gam,*.grf,*.h3m,*.h4r,*.iwd,*.ldb,*.lgp,*.lvl,*.map,*.md3,*.mdl,*.mm6,*.mm7,*.mm8,*.nds,*.pbp,*.ppf,*.pwf,*.pxp,*.sad,*.sav,*.scm,*.scx,*.sdt,*.spr,*.sud,*.uax,*.umx,*.unr,*.uop,*.usa,*.usx,*.ut2,*.ut3,*.utc,*.utx,*.uvx,*.uxx,*.vmf,*.vtf,*.w3g,*.w3x,*.wtd,*.wtf,*.ccd,*.cd,*.cso,*.disk,*.dmg,*.dvd,*.fcd,*.flp,*.img,*.iso,*.isz,*.md0,*.md1,*.md2,*.mdf,*.mds,*.nrg,*.nri,*.vcd,*.vhd,*.snp,*.bkf,*.ade,*.adpb,*.dic,*.cch,*.ctt,*.dal,*.ddc,*.ddcx,*.dex,*.dif,*.dii,*.itdb,*.itl,*.kmz,*.lcd,*.lcf,*.mbx,*.mdn,*.odf,*.odp,*.ods,*.pab,*.pkb,*.pkh,*.pot,*.potx,*.pptm,*.psa,*.qdf,*.qel,*.rgn,*.rrt,*.rsw,*.rte,*.sdb,*.sdc,*.sds,*.sql,*.stt,*.t01,*.t03,*.t05,*.tcx,*.thmx,*.txd,*.txf,*.upoi,*.vmt,*.wks,*.wmdb,*.xl,*.xlc,*.xlr,*.xlsb,*.xltx,*.ltm,*.xlwx,*.mcd,*.cap,*.cc,*.cod,*.cp,*.cpp,*.cs,*.csi,*.dcp,*.dcu,*.dev,*.dob,*.dox,*.dpk,*.dpl,*.dpr,*.dsk,*.dsp,*.eql,*.ex,*.f90,*.fla,*.for,*.fpp,*.jav,*.java,*.lbi,*.owl,*.pl,*.plc,*.pli,*.pm,*.res,*.rsrc,*.so,*.swd,*.tpu,*.tpx,*.tu,*.tur,*.vc,*.yab,*.8ba,*.8bc,*.8be,*.8bf,*.8bi8,*.bi8,*.8bl,*.8bs,*.8bx,*.8by,*.8li,*.aip,*.amxx,*.ape,*.api,*.mxp,*.oxt,*.qpx,*.qtr,*.xla,*.xlam,*.xll,*.xlv,*.xpt,*.cfg,*.cwf,*.dbb,*.slt,*.bp2,*.bp3,*.bpl,*.clr,*.dbx,*.jc,*.potm,*.ppsm,*.prc,*.prt,*.shw,*.std,*.ver,*.wpl,*.xlm,*.yps,*.md3,*.1cd

After files with any of the above extensions are found and encrypted, the Ransomware creates a DESCRYPTION_INSTRUCTION.html file for each folder with files. That ransom note instruction file is a copy of the Cryptowall one with a slight addition in the end, stating that the more time goes by, the bigger the ransom will get. The problem is that the AES algorithm encryption key used for locking the files has a programming error, which makes the files unrecoverable.
The user ID for every victim is always “qDgx5Bs8H”, which means that this variant of the Power Worm Ransomware was implemented to use only one, single static AES key under PowerShell. The biggest problem arises from the fact that this AES key is improperly padded (generating a NULL or empty value where it shouldn’t), which generates random keys instead of a static one. The author had not put into the malware’s code for random keys to be stored, thus the Ransomware is throwing away the decryption key, after encryption.
It gets even worse. The Ransomware initiates a PowerShell 54 line script that has the aim to delete your shadow volume copies so that you are unable to use them to restore your files that way.
The payment sites used in the ransom note are the following: lgemfolpt5ntjaot.onion.nu or lgemfolpt5ntjaot.onion. Ignore paying the ransom, as it will only get you a broken key in return for your money.
Power-worm-ransomware-payment-site
This proves that the Power Worm Ransomware is very dangerous and will deem your files utterly unusable after encryption – you should remove it immediately!

Remove Power Worm Ransomware Completely

To completely get rid of the Power Worm Ransomware from your computer, carefully follow the step-by-step removal instructions provided down below! There are no known ways to recover your encrypted files other than having backups on an external device or cloud somewhere.

1. Boot Your PC In Safe Mode to isolate and remove Power Worm Ransomware
2. Remove Power Worm Ransomware with SpyHunter Anti-Malware Tool
3. Remove Power Worm Ransomware with Malwarebytes Anti-Malware.
4. Remove Power Worm Ransomware with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Power Worm Ransomware in the future
NOTE! Substantial notification about the Power Worm Ransomware threat: Manual removal of Power Worm Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.