Skip to main content

The latest ransomware harasses users by encrypting tax return documents

A hacker inputting code into a system.
Image used with permission by copyright holder
Security firm Trend Micro reports that a new crypto-ransomware called PowerWare is now targeting tax return files created by tax filing programs, such as files with the extensions “.tax2013” or “.tax2014.” The firm says that this ransomware abuses Windows PowerShell for its infection routine, which is “uncommon” for this type of infection. But that’s not all. PowerWare is capable of encrypting other files stored on a computer too, not just tax files.

The infection begins with a malicious macro embedded within a Microsoft Word document. This document is typically spread through emails, downloaded by the target user, and opened in Microsoft Word. If macros aren’t enabled by default, the document instructs the target user to flip the feature on. Once that’s done, the macro executes a string of code in the background.

Recommended Videos

According to the code, “cmd” is used by the macro to launch an instance of Powershell.exe. A PowerWare ransomware script, written in Powershell, is then downloaded and saved in the Windows Temporary folder as “Y.ps1.” The code then loads up another Powershell instance to run the PowerWare crypto-ransomware on the machine.

Please enable Javascript to view this content

The target will see the resulting encrypted file along with an HTML file named “FILES_ENCRYPTED-READ_ME.HTML.” When the user opens up the HTML file in a browser, they’re told to pay $500 or 1.188 BTC by a certain deadline in order to get the file un-encrypted. Fail to meet the deadline? The price is then doubled.

The instructions for getting a file un-encrypted include downloading the Multibit application, purchasing Bitcoins, and then submitting the BTC address, UUID, and email address to the hacker. Once that is completed, the infected user must then upload one encrypted file to Sendspace.com, and then paste that resulting address into a form along with the user’s UUID and email address.

“Although PowerWare is a new family of crypto-ransomware, it mimics CryptoWall to a certain extent,” the firm reports. “It uses the same ransom note design as CryptoWall’s, and upon accessing the payment site, one can also observe the title bar bearing ‘CryptoWall Decript Service.’ In a way, PowerWare wants the same impact as CryptoWall once had.”

For big companies, this new crypto-ransomware infection could be a big pain. As the firm points out, taxpayers are recommended to keep copies of tax return files for three years after filing them because the statute of limitations for assessment of taxes and refunds is three years as well. PowerWare is also a big headache for companies because it can map out network drives, meaning it can encrypt a huge load of files spread out across the company network.

Trend Micro recommends that consumers and companies alike backup their files on a regular basis. They should create at least three copies of one file, save them in at least two formats, and send one of those copies off-site. Of course, never open up an attachment in an email sent from an unknown source.

The new PowerWare infection’s official label is RANDOM_POWERWARE.A, and is defined here on Trend Micro’s threat encyclopedia. Other files that it encrypts include *.docx, *.xls *.mp3, *.txt, *.zip, and loads more. Naturally, several products from Trend Micro can detect PowerWare, so take a look at the instructions for removing this infection towards the bottom of the definition page.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Your Netgear router might be an open door for hackers
The Netgear Nighthawk XR1000v2 router placed on a desk next to its packaging box

Netgear has released a security advisory addressing two critical vulnerabilities affecting Nighthawk Pro Gaming routers and certain Wi-Fi 6 access points. The company strongly recommends that users update their devices' firmware promptly to mitigate potential risks.

The first vulnerability, identified as PSV-2023-0039, is a Remote Code Execution (RCE) flaw. This security issue allows attackers to execute arbitrary code on affected devices remotely, potentially leading to unauthorized control over the router. The second vulnerability, PSV-2021-0017, is an authentication bypass flaw, which enables attackers to circumvent authentication mechanisms and gain unauthorized access to the device's management interface.

Read more
Turns out, it’s not that hard to do what OpenAI does for less
OpenAI's new typeface OpenAI Sans

Even as OpenAI continues clinging to its assertion that the only path to AGI lies through massive financial and energy expenditures, independent researchers are leveraging open-source technologies to match the performance of its most powerful models -- and do so at a fraction of the price.

Last Friday, a unified team from Stanford University and the University of Washington announced that they had trained a math and coding-focused large language model that performs as well as OpenAI's o1 and DeepSeek's R1 reasoning models. It cost just $50 in cloud compute credits to build. The team reportedly used an off-the-shelf base model, then distilled Google's Gemini 2.0 Flash Thinking Experimental model into it. The process of distilling AIs involves pulling the relevant information to complete a specific task from a larger AI model and transferring it to a smaller one.

Read more
New MediaTek Chromebook benchmark surfaces with impressive speed
Asus Chromebook CX14

Many SoCs are being prepared for upcoming 2025 devices, and a recent benchmark suggests that a MediaTek chipset could make Chromebooks as fast as they have ever been this year.

Referencing the GeekBench benchmark, ChromeUnboxed discovered the latest scores of the MediaTek MT8196 chip, which has been reported on for some time now. With the chip being housed on the motherboard codenamed ‘Navi,’ the benchmark shows the chip excelling in single-core and multi-core benchmarks, as well as in GPU, NPU, and some other tests run.

Read more