Power Worm is a Ransomware written in Windows PowerShell. It uses PowerShell for its payload. It encrypts a user’s files on a compromised computer and demands a ransom for decrypting them. Unfortunately, a newer variant of the Ransomware has a bug in its code that cannot produce a valid key for decryption. Since there is only one key used for every victim, that deems all encrypted files unusable.
|Name||Power Worm Ransomware|
|Short Description||The Ransomware encrypts files with certain extensions and demands payment for their decryption.|
|Symptoms||Files become inaccessible after encryption; a ransom note is being created for each folder with encrypted files.|
|Distribution Method||Spam emails, malicious email attachments, compromised websites hosting exploit kits, probably social networks and file sharing services as well.(targeted attacks)|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Power Worm Ransomware|
|User Experience||Join our forum to follow the discussion about Power Worm Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Power Worm Ransomware – Distribution
There are a number of ways you could get infected with the Power Worm Ransomware.
The most common distribution method is known to be through malicious email attachments and spam emails. There are even cases, where an email itself also contains malicious code and upon opening the email, the user infects its computer with it, even if he doesn’t open the attachment inside.
Around social networks and file sharing services there could be similar attachments and files containing the Ransomware, disguised as something else.
Another common way of getting infected with the Ransomware is through exploit kits run from legitimate websites. For exploit kits to run, these websites must have been compromise, to have some sort of a security breach.
Power Worm Ransomware – In Detail
The Power Worm Ransomware is classified as a Ransomware. It was first discovered back in 2014 by TrendMicro Researchers. The Ransomware is written in Windows PowerShell and it uses it when executing payloads. It encrypts files on a compromised computer containing an immensely wider array of extensions than previous variants and demands a ransom for decrypting them, afterwards. The known file extensions which the newer variant of the Power Worm Ransomware searches for are:
After files with any of the above extensions are found and encrypted, the Ransomware creates a DESCRYPTION_INSTRUCTION.html file for each folder with files. That ransom note instruction file is a copy of the Cryptowall one with a slight addition in the end, stating that the more time goes by, the bigger the ransom will get. The problem is that the AES algorithm encryption key used for locking the files has a programming error, which makes the files unrecoverable.
The user ID for every victim is always “qDgx5Bs8H”, which means that this variant of the Power Worm Ransomware was implemented to use only one, single static AES key under PowerShell. The biggest problem arises from the fact that this AES key is improperly padded (generating a NULL or empty value where it shouldn’t), which generates random keys instead of a static one. The author had not put into the malware’s code for random keys to be stored, thus the Ransomware is throwing away the decryption key, after encryption.
It gets even worse. The Ransomware initiates a PowerShell 54 line script that has the aim to delete your shadow volume copies so that you are unable to use them to restore your files that way.
The payment sites used in the ransom note are the following: lgemfolpt5ntjaot.onion.nu or lgemfolpt5ntjaot.onion. Ignore paying the ransom, as it will only get you a broken key in return for your money.
This proves that the Power Worm Ransomware is very dangerous and will deem your files utterly unusable after encryption – you should remove it immediately!
Remove Power Worm Ransomware Completely
To completely get rid of the Power Worm Ransomware from your computer, carefully follow the step-by-step removal instructions provided down below! There are no known ways to recover your encrypted files other than having backups on an external device or cloud somewhere.