
Povlsomware Ransomware

The Povlsomware Ransomware is a file-locking Trojan whose campaign has connections with a variant of Cobalt Strike's threat emulation software – equivalent to a backdoor Trojan. The Povlsomware Ransomware encrypts the user's files so that they no longer open and creates a pop-up alert that recommends contacting an e-mail address. Windows users can protect their work with offsite backups and let compatible anti-malware utilities remove the Povlsomware Ransomware with all related threats.

WannaCryptor Ransomware's Legacy Revived in a New Trojan

Threat actors are fond of taking others' publicity for themselves, even when it comes to fellow hackers and other Black Hat entities. The trend even goes so far as copying the visuals of old Trojans to paste onto new ones, as with the Povlsomware Ransomware imitating the much-older WannaCryptor Ransomware (AKA 'WannaCry'). Despite its appearance, this threat's code is an entirely new development.

The Povlsomware Ransomware is a .NET Framework Trojan that malware researchers see targeting 64-bit Windows environments primarily. Its installation method abuses Cobalt Strike – a threat-emulation utility that threat actors sometimes repurpose into the equivalent of a backdoor Trojan. After gaining system access, Cobalt Strike may ferry files and data back and forth and execute system commands, such as installing the Povlsomware Ransomware onto the compromised PC.

The Povlsomware Ransomware encrypts files such as JPG pictures and other media so that they cannot open, although it ditches the typical practice of also appending an extension to each locked file's name. As a substitute, it displays a list of the locked files in its ransom note, an HTA pop-up window. The window includes no ransoming details besides an address for contacting the attacker and, presumably, paying for the data's unlocking.
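Because the Trojan described above leaves file names and extensions untouched, a defender cannot rely on renamed files as an indicator of what was encrypted. The following added example (not the page's or any vendor's code) is a defensive heuristic that pairs a missing format header with high byte entropy to spot JPG, PNG, GIF and PDF files that were encrypted in place; the sample directory it builds is constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Well-known leading bytes for a few media types; a file whose extension
# promises one of these but whose contents lack it is suspect.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """Flag a file whose header is gone AND whose leading bytes look random.
    Either sign alone is too weak: a truncated or corrupt file also loses
    its header, and legitimately compressed media is high-entropy."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if any(head.startswith(m) for m in MAGIC[ext]):
        return False
    return shannon_entropy(head) >= threshold

def scan(directory: str) -> list:
    """Walk a directory tree and return sorted paths of suspect files."""
    return sorted(os.path.join(r, f) for r, _, fs in os.walk(directory)
                  for f in fs if looks_encrypted(os.path.join(r, f)))

def demo() -> list:
    """Constructed sample tree (not real malware output): one intact JPG, one
    JPG overwritten with high-entropy bytes, one corrupt PNG, one text file."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    d = tempfile.mkdtemp()
    samples = {"intact.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64, "holiday.jpg": noise,
               "truncated.png": b"not really a png", "notes.txt": noise}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return [os.path.basename(p) for p in scan(d)]
```

Only the in-place-encrypted JPG is reported; the corrupt PNG fails the entropy test and the text file has no expected header, so neither produces a false positive.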

Containing the Imitations of Old Server Predators

The Povlsomware Ransomware isn't a direct successor of the Trojan that it imitates but remains sufficiently threatening to any users without backups of their files in protected locations. The misuse of Cobalt Strike software is hardly unique to the Povlsomware Ransomware; similar campaigns include Rocke Cryptojacking and some BazarBackdoor deployments. Accordingly, a Povlsomware Ransomware infection implies at least the possibility of other security issues, and malware experts recommend that users isolate affected devices from the Internet and other computers.

Server administrators should mind the usual vulnerability points, such as weak passwords, out-of-date software and insecure RDP settings. Home users and workers also should avoid opening suspicious e-mail attachments, especially macro-bearing documents or spreadsheets. Critically, users without backups on other systems have few or no recovery avenues for any files that the Povlsomware Ransomware blocks with its encryption routine.

Most anti-malware services should flag and quarantine any Cobalt Strike variants or the Povlsomware Ransomware as threats. Home users should avoid uninstalling the Povlsomware Ransomware manually in all but dire situations, because the Trojan hides components in Windows locations where inappropriate edits can cause further harm.

The long-lasting splash of the WannaCry campaign has a new chorus in the Povlsomware Ransomware, but money is likely on its mind, the same as usual. Users who can't keep their files under lock and key can expect their digital pockets picked – whether it's by the Povlsomware Ransomware or another imitator to the throne.
