Technology / New ransomware attacks businesses through malicious Word documents

New ransomware attacks businesses through malicious Word documents

Researchers have discovered a new type of ransomware that attacks companies through malicious Microsoft Word documents and encrypts their data.


The malware, dubbed PowerWare, uses Windows core utility PowerShell to carry out its work so it can avoid installing more malicious files and can evade detection.

It was discovered after an unsuccessful attack on a healthcare organisation via a phishing campaign, according to the Carbon Black Threat Research team.

PowerWare is delivered via a Microsoft Word document that tricks the user into allowing macros to run. These then launch cmd.exe and use PowerShell to download and execute the malware.

From there, the effect is much the same as with other types of ransomware, with the malicious software encrypting users’ files and demanding a fee for their return.

According to an HTML file found in every affected folder, the price goes up from $500 to $1,000 after “a couple of weeks” if the user does not pay the ransom.

However, Carbon Black noticed the malware communicates with its server over a plain-text connection – including when it sends the encryption key – so security teams using full capture packet solutions may be able to decrypt the files themselves with this information.

Ransomware is a challenging and ongoing threat to businesses and private users alike.

New figures have shown that there were more ransomware infections at UK businesses in February 2016 than there were in the first six months of 2015.

Just this month, researchers discovered KeRanger, which they believe to be the first fully-functional ransomware for Apple’s Mac OS X operating system.

And previous research showed that more than half of the malware attacks recorded in 2015 also carried ransomware files, with one in ten ransomware emails addressed to UK users.

For more on the PowerWare ransomware, see the Carbon Black blog.