
PowerWare – The Fileless Ransomware

Update! Research indicates that current versions of PowerWare append the .locky file extension to the victim’s encrypted files, drop the same ransom notes as Locky, and even use the same graphics and phrases on their ransom payment site. The good news, however, is that the ransomware is now decryptable. PowerWare uses an AES-128 algorithm, but it doesn’t generate a random key and it doesn’t retrieve keys from a server. Instead the crypto virus uses a key which is embedded in its source code. Thanks to this weakness, Palo Alto researchers have created a Python script available for users to run from the Windows CLI to decrypt their files.


A new ransomware was discovered on a healthcare network by Carbon Black security researchers. The ransomware is dubbed PowerWare, and it uses Windows PowerShell to deploy its payload. It is spread via emails containing a Microsoft Word document with an invoice message inside it. Enabling editing on the document releases the payload as a script of commands in PowerShell, which avoids creating new files and, consequently, detection.

Threat Summary



Type: Ransomware
Short Description: The ransomware uses Windows PowerShell to deploy its payload.
Symptoms: The user’s files are encrypted and unusable.
Distribution Method: E-mails and attachments.

How Does PowerWare Ransomware Spread?

PowerWare ransomware is spread through e-mails. These e-mails are very well written and contain a Microsoft Word document as an attachment. The proper grammar is perhaps the main reason more people fall for this deception than for others. The Microsoft Word document includes the following invoice message:


[Image: the invoice message shown in the Word document. Source: carbonblack.com]

The invoice asks you to enable the editing feature in Microsoft Word so that the payload can be released. Because that feature is built in, as are Microsoft Word and PowerShell themselves, the malware avoids detection.

Technical Information about PowerWare Ransomware

The most distinctive thing about PowerWare is that it is a fileless ransomware. We have seen fileless malware before, for example in the form of the Poweliks Trojan and a version of the Angler Exploit Kit.

Fileless means that it stays hidden in memory and creates absolutely no additional files for its payload to be executed. Instead, the Microsoft Windows PowerShell program is used to encrypt files. This happens with the help of macro commands embedded in a script that is loaded into PowerShell. Random numbers are used as an individual encryption key. The key, along with a generated URL for where to pay the ransom, is sent back to the cybercriminals. That information is written in plain text, so people with a full packet capture device should be able to access it and recover their files.
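Because the payload arrives as PowerShell commands started from Word rather than as a new file on disk, process lineage is one place defenders can look for it. The following is an added example, not code from the original article or from Carbon Black: it walks process-creation records and flags PowerShell that has an Office application anywhere in its ancestry, including through an intermediate cmd.exe. The record layout (Sysmon Event ID 1 field names, one JSON object per line), the sample events and the inclusion of Excel and PowerPoint alongside Word are assumptions.

```python
import json
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed watch list
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed records (not from a real incident), shaped like Sysmon Event ID 1
# (process creation) fields, one JSON object per line, oldest first.
SAMPLE_EVENTS = r"""
{"ProcessGuid":"A1","ParentProcessGuid":"A0","Image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE invoice.docm"}
{"ProcessGuid":"A2","ParentProcessGuid":"A1","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c powershell.exe <constructed>"}
{"ProcessGuid":"A3","ParentProcessGuid":"A2","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe <constructed>"}
{"ProcessGuid":"B1","ParentProcessGuid":"A0","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}
{"ProcessGuid":"C1","ParentProcessGuid":"A0","Image":"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE","CommandLine":"EXCEL.EXE"}
{"ProcessGuid":"C2","ParentProcessGuid":"C1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe <constructed>"}
{"ProcessGuid":"D1","ParentProcessGuid":"A1","Image":
"""

def find_office_spawned_shells(lines):
    """Return one alert per PowerShell process that descends from an Office app."""
    chains = {}   # ProcessGuid -> image names from the Office ancestor down
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            name = ntpath.basename(ev["Image"]).lower()   # Windows path, any host OS
            guid, parent = ev["ProcessGuid"], ev["ParentProcessGuid"]
        except (ValueError, KeyError, TypeError):
            continue   # truncated or malformed record: skip, do not abort the run
        if name in OFFICE:
            chain = [name]                      # start tracking at the Office process
        elif parent in chains:
            chain = chains[parent] + [name]     # child of an already-tracked process
        else:
            continue                            # no Office ancestor, e.g. an admin's shell
        chains[guid] = chain
        if name in SHELLS:
            alerts.append({"guid": guid, "chain": " > ".join(chain),
                           "cmd": ev.get("CommandLine", "")})
    return alerts

if __name__ == "__main__":
    for alert in find_office_spawned_shells(SAMPLE_EVENTS.splitlines()):
        print(alert["guid"], alert["chain"], "|", alert["cmd"])
```

The tracking relies on parent records appearing before their children, so feed it events in chronological order.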

In the unfortunate event of encryption, all file locations will be scanned thoroughly by the PowerWare ransomware. Files with the following extensions can be encrypted:


[Image: list of file extensions targeted for encryption. Source: carbonblack.com]

After the encryption is complete, you will see instructions describing how the ransom is to be paid. The ransom note, first seen on CryptoWall 3.0, is used and looks like this:


Paying the ransomware makers is NOT advised. No one can guarantee that you will get your files decrypted. The money will be spent on creating more malware or for other nefarious deeds.

Prevent PowerWare Ransomware from Infecting You

If you are infected by PowerWare ransomware, the commands have already been executed and there is nothing to be removed. If you are not infected, you should have an anti-malware tool installed as a preventive measure. Malware specialists should have set new definitions for the known Word documents containing the malicious script.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
