This article is more than 1 year old

Ransomware scum sling PowerShell, Word macro nasty at healthcare biz

PowerWare does its dirty work via booby-trapped files

Miscreants have put together a strain of ransomware written in Microsoft Word macros and PowerShell, Redmond's scripting language.

The malware is designed to infect organizations, encrypting files and demanding money to unscramble files. Interestingly, installation of the ransomware begins after someone opens a booby-trapped Word document, which runs macros to download and run the software nasty.

This means victims, who may be wise to not opening executables emailed to them, can be sent innocent-looking Word files and tricked into reading them, thus triggering an infection.

Security researchers at Carbon Black discovered the malware – dubbed PowerWare – after the code unsuccessfully targeted one of its healthcare customers with a phishing email campaign.

"PowerWare is delivered via a macro-enabled Microsoft Word document," Carbon Black explains. "The Word document then uses macros to spawn 'cmd.exe,' which in turn calls PowerShell with options that will download and run the malicious PowerWare code."

Victims of the malware are initially asked for a $500 ransom, but this doubles to $1,000 if it remains unpaid after two weeks.

More details on the malware can be found in a blog post by Carbon Black here.

Another strain of PowerShell ransomware was spotted by security researchers at Palo Alto Networks earlier this month. That strain, Powersniff, actively avoids healthcare and education machines, unlike PowerWare. ®

More about


Send us news

Other stories you might like