Three new ransomware variants reported

New versions of ransomware are increasingly hitting headlines — or, perhaps, they’re just being detected quicker by vendors and security researchers. In the past few days three more warnings were issued that CISOs should pay attention to:

–On Friday, Trend Micro said it has come across a new version it calls Ransom_Petya.A,  which is delivered as a resume to victims not as an attachment — as is usual — but with a link for retrieval from Dropbox. Of course, it can also be left on any cloud storage or sent by email.

Petya overwrites the master boot record (MBR)  and causes Windows to crash and display a blue screen, reports Trend Micro. If the user try to reboot he/she will get ASCII-designed skull and a demand for a certain amount of bitcoins. The edited MBR also disallows restarting in Safe Mode.

–Also on Friday researchers at Carbon Black said they have found a new family of ransomware, which they dubbed “PowerWare,” that targets organizations via Microsoft Word and the PowerShell scripting language.

PowerWare is delivered by a macro-enabled Microsoft Word document, such as an invoice. The Word document then uses macros to spawn “cmd.exe,” which in turn calls PowerShell with options that will download and run the malicious “PowerWare” code. In an interesting twist, add researchers,  PowerWare initially asks for a US$500 ransom, which increases to US$1,000 after two weeks.

Security teams that  have a full capture packet solution may be able to catch the attack. When the malware phones home it uses a plain-text protocol, making traffic easily observed. All the team needs to do is identify the right domain and IP info from network traffic to retrieve the encryption key.

–Finally, on March 25, Cisco Systems’ Talos security team reported widespread campaign leveraging a variant of the Samas/Samsam/MSIL.B/C ransomware. Unlike most ransomware, Cisco says, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits., but by compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.

A particular focus of this attack appears to be the healthcare industry, Cisco adds.

This news comes as Tripwire released a survey of attendees at the recent RSA Conference in San Francisco. When asked if their company could recover from a ransomware infection without losing critical data, only 38 per cent of respondents said they were “very confident” they could do so.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now