Skip to main content

The latest ransomware harasses users by encrypting tax return documents

A hacker inputting code into a system.
Security firm Trend Micro reports that a new crypto-ransomware called PowerWare is now targeting tax return files created by tax filing programs, such as files with the extensions “.tax2013” or “.tax2014.” The firm says that this ransomware abuses Windows PowerShell for its infection routine, which is “uncommon” for this type of infection. But that’s not all. PowerWare is capable of encrypting other files stored on a computer too, not just tax files.

The infection begins with a malicious macro embedded within a Microsoft Word document. This document is typically spread through emails, downloaded by the target user, and opened in Microsoft Word. If macros aren’t enabled by default, the document instructs the target user to flip the feature on. Once that’s done, the macro executes a string of code in the background.

According to the code, “cmd” is used by the macro to launch an instance of Powershell.exe. A PowerWare ransomware script, written in Powershell, is then downloaded and saved in the Windows Temporary folder as “Y.ps1.” The code then loads up another Powershell instance to run the PowerWare crypto-ransomware on the machine.

The target will see the resulting encrypted file along with an HTML file named “FILES_ENCRYPTED-READ_ME.HTML.” When the user opens up the HTML file in a browser, they’re told to pay $500 or 1.188 BTC by a certain deadline in order to get the file un-encrypted. Fail to meet the deadline? The price is then doubled.

The instructions for getting a file un-encrypted include downloading the Multibit application, purchasing Bitcoins, and then submitting the BTC address, UUID, and email address to the hacker. Once that is completed, the infected user must then upload one encrypted file to, and then paste that resulting address into a form along with the user’s UUID and email address.

“Although PowerWare is a new family of crypto-ransomware, it mimics CryptoWall to a certain extent,” the firm reports. “It uses the same ransom note design as CryptoWall’s, and upon accessing the payment site, one can also observe the title bar bearing ‘CryptoWall Decript Service.’ In a way, PowerWare wants the same impact as CryptoWall once had.”

For big companies, this new crypto-ransomware infection could be a big pain. As the firm points out, taxpayers are recommended to keep copies of tax return files for three years after filing them because the statute of limitations for assessment of taxes and refunds is three years as well. PowerWare is also a big headache for companies because it can map out network drives, meaning it can encrypt a huge load of files spread out across the company network.

Trend Micro recommends that consumers and companies alike backup their files on a regular basis. They should create at least three copies of one file, save them in at least two formats, and send one of those copies off-site. Of course, never open up an attachment in an email sent from an unknown source.

The new PowerWare infection’s official label is RANDOM_POWERWARE.A, and is defined here on Trend Micro’s threat encyclopedia. Other files that it encrypts include *.docx, *.xls *.mp3, *.txt, *.zip, and loads more. Naturally, several products from Trend Micro can detect PowerWare, so take a look at the instructions for removing this infection towards the bottom of the definition page.

Editors' Recommendations