RANSOM_POWERWARE.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. It gathers information and reports it to its servers.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote sites:

• http://{BLOCKED}a.in/file.php

Installation

This Trojan drops the following files:

• {folders containing encrypted files}\FILES_ENCRYPTED-READ_ME.HTML - ransom note

Other Details

This Trojan connects to the following website to send and receive information:

• http://{BLOCKED}a.in/pi.php

It encrypts files with the following extensions:

• *.docx
• *.xls
• *.pdf
• *.xlsx
• *.mp3
• *.jpeg
• *.jpg
• *.txt
• *.rtf
• *.doc
• *.rar
• *.zip
• *.psd
• *.tif
• *.wma
• *.gif
• *.bmp
• *.ppt
• *.pptx
• *.docm
• *.xlsm
• *.pps
• *.ppsx
• *.ppd
• *.eps
• *.png
• *.ace
• *.djvu
• *.tar
• *.cdr
• *.max
• *.wmv
• *.avi
• *.wav
• *.mp4
• *.pdd
• *.php
• *.aac
• *.ac3
• *.amr
• *.dwg
• *.dxf
• *.accdb
• *.mod
• *.tax2013
• *.tax2014
• *.oga
• *.ogg
• *.pbf
• *.ra
• *.raw
• *.saf
• *.wave
• *.wow
• *.wpk
• *.3g2
• *.3gp
• *.3gp2
• *.3mm
• *.amx
• *.avs
• *.bik
• *.dir
• *.divx
• *.dvx
• *.evo
• *.flv
• *.qtq
• *.tch
• *.rts
• *.rum
• *.rv
• *.scn
• *.srt
• *.stx
• *.svi
• *.swf
• *.trp
• *.vdo
• *.wm
• *.wmd
• *.wmmp
• *.wmx
• *.wvx
• *.xvid
• *.3d
• *.3d4
• *.3df8
• *.pbs
• *.adi
• *.ais
• *.amu
• *.arr
• *.bmc
• *.bmf
• *.cag
• *.cam
• *.dng
• *.ink
• *.jif
• *.jiff
• *.jpc
• *.jpf
• *.jpw
• *.mag
• *.mic
• *.mip
• *.msp
• *.nav
• *.ncd
• *.odc
• *.odi
• *.opf
• *.qif
• *.xwd
• *.abw
• *.act
• *.adt
• *.aim
• *.ans
• *.asc
• *.ase
• *.bdp
• *.bdr
• *.bib
• *.boc
• *.crd
• *.diz
• *.dot
• *.dotm
• *.dotx
• *.dvi
• *.dxe
• *.mlx
• *.err
• *.euc
• *.faq
• *.fdr
• *.fds
• *.gthr
• *.idx
• *.kwd
• *.lp2
• *.ltr
• *.man
• *.mbox
• *.msg
• *.nfo
• *.now
• *.odm
• *.oft
• *.pwi
• *.rng
• *.rtx
• *.run
• *.ssa
• *.text
• *.unx
• *.wbk
• *.wsh
• *.7z
• *.arc
• *.ari
• *.arj
• *.car
• *.cbr
• *.cbz
• *.gz
• *.gzig
• *.jgz
• *.pak
• *.pcv
• *.puz
• *.r00
• *.r01
• *.r02
• *.r03
• *.rev
• *.sdn
• *.sen
• *.sfs
• *.sfx
• *.sh
• *.shar
• *.shr
• *.sqx
• *.tbz2
• *.tg
• *.tlz
• *.vsi
• *.wad
• *.war
• *.xpi
• *.z02
• *.z04
• *.zap
• *.zipx
• *.zoo
• *.ipa
• *.isu
• *.jar
• *.js
• *.udf
• *.adr
• *.ap
• *.aro
• *.asa
• *.ascx
• *.ashx
• *.asmx
• *.asp
• *.indd
• *.asr
• *.qbb
• *.bml
• *.cer
• *.cms
• *.crt
• *.dap
• *.htm
• *.moz
• *.svr
• *.url
• *.wdgt
• *.abk
• *.bic
• *.big
• *.blp
• *.bsp
• *.cgf
• *.chk
• *.col
• *.cty
• *.dem
• *.elf
• *.ff
• *.gam
• *.grf
• *.h3m
• *.h4r
• *.iwd
• *.ldb
• *.lgp
• *.lvl
• *.map
• *.md3
• *.mdl
• *.mm6
• *.mm7
• *.mm8
• *.nds
• *.pbp
• *.ppf
• *.pwf
• *.pxp
• *.sad
• *.sav
• *.scm
• *.scx
• *.sdt
• *.spr
• *.sud
• *.uax
• *.umx
• *.unr
• *.uop
• *.usa
• *.usx
• *.ut2
• *.ut3
• *.utc
• *.utx
• *.uvx
• *.uxx
• *.vmf
• *.vtf
• *.w3g
• *.w3x
• *.wtd
• *.wtf
• *.ccd
• *.cd
• *.cso
• *.disk
• *.dmg
• *.dvd
• *.fcd
• *.flp
• *.img
• *.iso
• *.isz
• *.md0
• *.md1
• *.md2
• *.mdf
• *.mds
• *.nrg
• *.nri
• *.vcd
• *.vhd
• *.snp
• *.bkf
• *.ade
• *.adpb
• *.dic
• *.cch
• *.ctt
• *.dal
• *.ddc
• *.ddcx
• *.dex
• *.dif
• *.dii
• *.itdb
• *.itl
• *.kmz
• *.lcd
• *.lcf
• *.mbx
• *.mdn
• *.odf
• *.odp
• *.ods
• *.pab
• *.pkb
• *.pkh
• *.pot
• *.potx
• *.pptm
• *.psa
• *.qdf
• *.qel
• *.rgn
• *.rrt
• *.rsw
• *.rte
• *.sdb
• *.sdc
• *.sds
• *.sql
• *.stt
• *.t01
• *.t03
• *.t05
• *.tcx
• *.thmx
• *.txd
• *.txf
• *.upoi
• *.vmt
• *.wks
• *.wmdb
• *.xl
• *.xlc
• *.xlr
• *.xlsb
• *.xltx
• *.ltm
• *.xlwx
• *.mcd
• *.cap
• *.cc
• *.cod
• *.cp
• *.cpp
• *.cs
• *.csi
• *.dcp
• *.dcu
• *.dev
• *.dob
• *.dox
• *.dpk
• *.dpl
• *.dpr
• *.dsk
• *.dsp
• *.eql
• *.ex
• *.f90
• *.fla
• *.for
• *.fpp
• *.jav
• *.java
• *.lbi
• *.owl
• *.pl
• *.plc
• *.pli
• *.pm
• *.res
• *.rsrc
• *.so
• *.swd
• *.tpu
• *.tpx
• *.tu
• *.tur
• *.vc
• *.yab
• *.8ba
• *.8bc
• *.8be
• *.8bf
• *.8bi8
• *.bi8
• *.8bl
• *.8bs
• *.8bx
• *.8by
• *.8li
• *.aip
• *.amxx
• *.ape
• *.api
• *.mxp
• *.oxt
• *.qpx
• *.qtr
• *.xla
• *.xlam
• *.xll
• *.xlv
• *.xpt
• *.cfg
• *.cwf
• *.dbb
• *.slt
• *.bp2
• *.bp3
• *.bpl
• *.clr
• *.dbx
• *.jc
• *.potm
• *.ppsm
• *.prc
• *.prt
• *.shw
• *.std
• *.ver
• *.wpl
• *.xlm
• *.yps
• *.md3
• *.1cd

It gathers the following information and reports it to its servers:

• UUID (unique identifier)
• Rijndael Key

NOTES:

This ransomware uses Rijndael for file encryption. It deletes itself after encrypting all files. The dropped ransom note asks the user to access the payment site via TOR browser:

The webpage contains the following payment instructions:

It is also capable of letting users to test the decryption for one file: