Skip to main content
  1. Home
  2. Computing
  3. Business
  4. Web
  5. News

The latest ransomware harasses users by encrypting tax return documents

Add as a preferred source on Google

Security firm Trend Micro reports that a new crypto-ransomware called PowerWare is now targeting tax return files created by tax filing programs, such as files with the extensions “.tax2013” or “.tax2014.” The firm says that this ransomware abuses Windows PowerShell for its infection routine, which is “uncommon” for this type of infection. But that’s not all. PowerWare is capable of encrypting other files stored on a computer too, not just tax files.

The infection begins with a malicious macro embedded within a Microsoft Word document. This document is typically spread through emails, downloaded by the target user, and opened in Microsoft Word. If macros aren’t enabled by default, the document instructs the target user to flip the feature on. Once that’s done, the macro executes a string of code in the background.

Recommended Videos

According to the code, “cmd” is used by the macro to launch an instance of Powershell.exe. A PowerWare ransomware script, written in Powershell, is then downloaded and saved in the Windows Temporary folder as “Y.ps1.” The code then loads up another Powershell instance to run the PowerWare crypto-ransomware on the machine.

The target will see the resulting encrypted file along with an HTML file named “FILES_ENCRYPTED-READ_ME.HTML.” When the user opens up the HTML file in a browser, they’re told to pay $500 or 1.188 BTC by a certain deadline in order to get the file un-encrypted. Fail to meet the deadline? The price is then doubled.

The instructions for getting a file un-encrypted include downloading the Multibit application, purchasing Bitcoins, and then submitting the BTC address, UUID, and email address to the hacker. Once that is completed, the infected user must then upload one encrypted file to Sendspace.com, and then paste that resulting address into a form along with the user’s UUID and email address.

“Although PowerWare is a new family of crypto-ransomware, it mimics CryptoWall to a certain extent,” the firm reports. “It uses the same ransom note design as CryptoWall’s, and upon accessing the payment site, one can also observe the title bar bearing ‘CryptoWall Decript Service.’ In a way, PowerWare wants the same impact as CryptoWall once had.”

For big companies, this new crypto-ransomware infection could be a big pain. As the firm points out, taxpayers are recommended to keep copies of tax return files for three years after filing them because the statute of limitations for assessment of taxes and refunds is three years as well. PowerWare is also a big headache for companies because it can map out network drives, meaning it can encrypt a huge load of files spread out across the company network.

Trend Micro recommends that consumers and companies alike backup their files on a regular basis. They should create at least three copies of one file, save them in at least two formats, and send one of those copies off-site. Of course, never open up an attachment in an email sent from an unknown source.

The new PowerWare infection’s official label is RANDOM_POWERWARE.A, and is defined here on Trend Micro’s threat encyclopedia. Other files that it encrypts include *.docx, *.xls *.mp3, *.txt, *.zip, and loads more. Naturally, several products from Trend Micro can detect PowerWare, so take a look at the instructions for removing this infection towards the bottom of the definition page.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Apple’s M6 chip isn’t even here yet, but you’ll see M7 Macs early in 2027
Apple is reportedly already accelerating its next-generation silicon roadmap, even before the M6 has launched.
Apple MacBook

The M6 chip is still expected to debut later this year, but Apple may already be preparing for what comes next. According to Mark Gurman's latest report for Bloomberg, the company is aiming to introduce its first M7-powered devices as early as the first half of 2027, hinting at a much faster silicon refresh than many expected.

M7 could arrive alongside new Macs and iPads

Read more
The entry-level MacBook Pro could get a design refresh in 2027, and it’s about time
Five years on the same chassis, and now both tiers of the MacBook Pro are getting a new look at once.
MacBook Pro in space grey sitting on a desk.

Apple has a new MacBook Pro lined up for launch early next year, according to Bloomberg. The company will introduce a 14-inch laptop in the first half of 2027. 

The biggest surprise, however, will be a brand-new design language. The outlet describes it as "a revamped entry-level MacBook Pro, code-named K104."

Read more
Study finds humans will talk to AI ghosts of the dead as reincarnations, and it’s pretty grim
The first AI ghost study is in. The results are about as complicated as you'd expect.
VR Headset, Person, Face

A new study from the University of Colorado Boulder confirms something that sounds both impressive and concerning. People find interacting with AI simulations of their dead loved ones deeply meaningful, and most will come away wanting to do it again.

The researchers call it a "generative ghost," which is a clear reference to generative AI, but I’d still prefer to call it unsettling.

Read more