Skip to main content

The latest ransomware harasses users by encrypting tax return documents

Security firm Trend Micro reports that a new crypto-ransomware called PowerWare is now targeting tax return files created by tax filing programs, such as files with the extensions “.tax2013” or “.tax2014.” The firm says that this ransomware abuses Windows PowerShell for its infection routine, which is “uncommon” for this type of infection. But that’s not all. PowerWare is capable of encrypting other files stored on a computer too, not just tax files.

The infection begins with a malicious macro embedded within a Microsoft Word document. This document is typically spread through emails, downloaded by the target user, and opened in Microsoft Word. If macros aren’t enabled by default, the document instructs the target user to flip the feature on. Once that’s done, the macro executes a string of code in the background.

Recommended Videos

According to the code, “cmd” is used by the macro to launch an instance of Powershell.exe. A PowerWare ransomware script, written in Powershell, is then downloaded and saved in the Windows Temporary folder as “Y.ps1.” The code then loads up another Powershell instance to run the PowerWare crypto-ransomware on the machine.

The target will see the resulting encrypted file along with an HTML file named “FILES_ENCRYPTED-READ_ME.HTML.” When the user opens up the HTML file in a browser, they’re told to pay $500 or 1.188 BTC by a certain deadline in order to get the file un-encrypted. Fail to meet the deadline? The price is then doubled.

The instructions for getting a file un-encrypted include downloading the Multibit application, purchasing Bitcoins, and then submitting the BTC address, UUID, and email address to the hacker. Once that is completed, the infected user must then upload one encrypted file to Sendspace.com, and then paste that resulting address into a form along with the user’s UUID and email address.

“Although PowerWare is a new family of crypto-ransomware, it mimics CryptoWall to a certain extent,” the firm reports. “It uses the same ransom note design as CryptoWall’s, and upon accessing the payment site, one can also observe the title bar bearing ‘CryptoWall Decript Service.’ In a way, PowerWare wants the same impact as CryptoWall once had.”

For big companies, this new crypto-ransomware infection could be a big pain. As the firm points out, taxpayers are recommended to keep copies of tax return files for three years after filing them because the statute of limitations for assessment of taxes and refunds is three years as well. PowerWare is also a big headache for companies because it can map out network drives, meaning it can encrypt a huge load of files spread out across the company network.

Trend Micro recommends that consumers and companies alike backup their files on a regular basis. They should create at least three copies of one file, save them in at least two formats, and send one of those copies off-site. Of course, never open up an attachment in an email sent from an unknown source.

The new PowerWare infection’s official label is RANDOM_POWERWARE.A, and is defined here on Trend Micro’s threat encyclopedia. Other files that it encrypts include *.docx, *.xls *.mp3, *.txt, *.zip, and loads more. Naturally, several products from Trend Micro can detect PowerWare, so take a look at the instructions for removing this infection towards the bottom of the definition page.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
The robot takeover comes another step closer — at Amazon
An Amazon robot working inside one of the company's warehouses.

Amazon is close to having more robots operating inside its warehouses than humans after the e-commerce giant announced this week that it now has more than a million robots working at its facilities around the world.

Over the years, Amazon has spent billions of dollars on the development and deployment of warehouse-based robots, which handle an array of tasks once performed by human workers.

Read more
This Lenovo ThinkPad laptop is over $1,400 off — hurry while stocks last!
The Lenovo ThinkPad T14 Gen 5 Intel laptop on a white background.

Now's an excellent time to take advantage of laptop deals from Lenovo, which has slashed the prices of a wide range of devices for its Black Friday in July sale. Lenovo's ThinkPad laptops are up to 45% off, and here's one of the most interesting offers available with such a discount — the Lenovo ThinkPad T14 Gen 5 at $1,440 off its estimated value of $3,199, so you'll only have to pay $1,759. That's an excellent price for this fantastic productivity tool, but you're going to have to push forward with your purchase as soon as possible because stocks may run out at any moment.

BUY NOW

Read more
Early Prime Day deal: Samsung’s 27-inch Odyssey G3 at its annual low price
Samsung Odyssey G3 gaming monitor on desk with keyboard and headset.

If you're ready to upgrade your monitor, this Samsung deal over at Amazon just might be your best bet. The 27-inch version of Samsung's Odyssey G3 is $130 right now, a full $100 off its regular $230 price and its lowest price of the year. It's a part of early Prime Day deals and a good sampling of what we can expect for the shopping holiday, which officially lands on July 8th. Tap the button below to see it for yourself or keep reading to see why we like this deal and why this should be your next monitor.

Buy Now

Read more