
Power Worm Ransomware

By GoldSparrow in Ransomware

The Power Worm Ransomware is a ransomware infection designed to encrypt the data stored on a computer and hold it hostage until the victim pays a ransom. Unfortunately, a bug in the Power Worm Ransomware's programming has turned it into a threat that destroys data instead of encrypting it. The most recent version of the Power Worm Ransomware encrypts the victim's data and then deletes the AES encryption key instead of transferring it to a third party. Because of this, the encrypted files become impossible to recover, even if the victim pays the ransom. PC security analysts advise computer users against paying the Power Worm Ransomware's ransom. Computer users should avoid paying any ransom demand, but the Power Worm Ransomware is especially egregious because paying will not allow them to recover their data.

The Flaw When Coding the Power Worm Ransomware

Most ransomware threats allow computer users to recover their data after it has been encrypted. The Power Worm Ransomware is additionally threatening because, due to the bug in its programming, it prevents computer users from recovering their data at all. The flaw lies in the way the Power Worm Ransomware initializes its encryption engine. The original intent of the Power Worm Ransomware was to use a static AES encryption key for all targeted computers, meaning that every victim would be able to recover their data with the same decryption key. This would give the developers of the Power Worm Ransomware the advantage of avoiding setting up a payment website and system, or having to deal with any kind of decryption engine. Unfortunately, the developers of the Power Worm Ransomware did not pad the AES key properly when it was converted to a Base64 string. As a result, when the script tries to decode the string, the decoding fails and delivers an empty value instead of the variable that should contain the decoded AES key. A single missing character in the string is the root cause of the Power Worm Ransomware's bug. Because the random key that is then used is never saved or decrypted, the victim's data is essentially destroyed. This indicates that the developers of the Power Worm Ransomware did not test it properly, eliminating any chance of computer users recovering their files.
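As an added illustration (not the malware's script and not code from this site), the Python sketch below reproduces the padding failure described above: a 32-byte AES key encodes to 44 Base64 characters ending in a single '=', and dropping that one character makes a lenient decoder hand back an empty value, which is exactly what a fail-closed key loader must refuse to accept. The key bytes and the "lenient" decoder are constructed for the demonstration.

```python
import base64
import binascii

# Constructed stand-in for a hard-coded 32-byte AES-256 key (the real value is
# not on the page and is irrelevant to the padding behaviour shown here).
STATIC_KEY = bytes(range(32))


def encode_key(key: bytes) -> str:
    """Base64-encode key material the way a script would store it as a string."""
    return base64.b64encode(key).decode("ascii")


def lenient_decode(b64: str) -> bytes:
    """Models the failure mode in the text: any decode error silently yields an
    empty value, so downstream code proceeds with no usable key at all."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return b""


def strict_decode_key(b64: str) -> bytes:
    """Fail-closed loader: reject unpadded or corrupt input and non-AES lengths
    instead of ever returning empty key material."""
    if len(b64) % 4 != 0:
        raise ValueError("base64 key string is not padded to a multiple of 4")
    key = base64.b64decode(b64, validate=True)
    if len(key) not in (16, 24, 32):
        raise ValueError(f"decoded key has invalid AES length {len(key)}")
    return key


def key_string_is_usable(b64: str) -> bool:
    """True only if the string decodes to a well-formed AES key."""
    try:
        strict_decode_key(b64)
        return True
    except (ValueError, binascii.Error):
        return False


def demonstrate() -> dict:
    good = encode_key(STATIC_KEY)   # 44 chars, ends with exactly one '='
    broken = good.rstrip("=")       # the "missing character" from the page
    return {
        "good_len": len(good),
        "broken_len": len(broken),
        "lenient_good_bytes": len(lenient_decode(good)),
        "lenient_broken_bytes": len(lenient_decode(broken)),
        "strict_accepts_good": key_string_is_usable(good),
        "strict_accepts_broken": key_string_is_usable(broken),
    }
```

The lesson for any code that loads key material from a string is the same one the bug teaches in reverse: validate the decoded length and abort on error rather than carrying an empty value into the cipher.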

The Attack and Infection Process of the Power Worm Ransomware

The Power Worm Ransomware is a compact PowerShell script of only 54 lines. When the Power Worm Ransomware is executed, it deletes all Shadow Volume Copies of files on the victim's computer (to prevent computer users from using Shadow Copies to restore their files). Then, the Power Worm Ransomware detects all drives on the victim's computer and scans those drives for files that match a list of extensions. The extensions targeted by the Power Worm Ransomware are:

*.pdf,*.xls,*.docx,*.xlsx,*.mp3,*.waw,*.jpg,*.jpeg,*.txt,*.rtf,*.doc,*.rar,*.zip,*.psd,*.tif,
*.wma,*.gif,*.bmp,*.ppt,*.pptx,*.docm,*.xlsm,*.pps,*.ppsx,*.ppd,*.eps,*.png,*.ace,*.djvu,*.tar,*.cdr,*.max,
*.wmv,*.avi,*.wav,*.mp4,*.pdd,*.php,*.aac,*.ac3,*.amf,*.amr,*.dwg,*.dxf,*.accdb,*.mod,
*.tax2013,*.tax2014,*.oga,*.ogg,*.pbf,*.ra,*.raw,*.saf,*.val,*.wave,*.wow,*.wpk,*.3g2,*.3gp,*.3gp2,
*.3mm,*.amx,*.avs,*.bik,*.dir,*.divx,*.dvx,*.evo,*.flv,*.qtq,*.tch,*.rts,*.rum,*.rv,*.scn,*.srt,
*.stx,*.svi,*.swf,*.trp,*.vdo,*.wm,*.wmd,*.wmmp,*.wmx,*.wvx,*.xvid,*.3d,*.3d4,*.3df8,*.pbs,*.adi,
*.ais,*.amu,*.arr,*.bmc,*.bmf,*.cag,*.cam,*.dng,*.ink,*.jif,*.jiff,*.jpc,*.jpf,*.jpw,*.mag,*.mic,
*.mip,*.msp,*.nav,*.ncd,*.odc,*.odi,*.opf,*.qif,*.xwd,*.abw,*.act,*.adt,*.aim,*.ans,*.asc,*.ase,
*.bdp,*.bdr,*.bib,*.boc,*.crd,*.diz,*.dot,*.dotm,*.dotx,*.dvi,*.dxe,*.mlx,*.err,*.euc,*.faq,*.fdr,
*.fds,*.gthr,*.idx,*.kwd,*.lp2,*.ltr,*.man,*.mbox,*.msg,*.nfo,*.now,*.odm,*.oft,*.pwi,*.rng,*.rtx,
*.run,*.ssa,*.text,*.unx,*.wbk,*.wsh,*.7z,*.arc,*.ari,*.arj,*.car,*.cbr,*.cbz,*.gz,*.gzig,*.jgz,
*.pak,*.pcv,*.puz,*.r00,*.r01,*.r02,*.r03,*.rev,*.sdn,*.sen,*.sfs,*.sfx,*.sh,*.shar,*.shr,*.sqx,
*.tbz2,*.tg,*.tlz,*.vsi,*.wad,*.war,*.xpi,*.z02,*.z04,*.zap,*.zipx,*.zoo,*.ipa,*.isu,*.jar,*.js,
*.udf,*.adr,*.ap,*.aro,*.asa,*.ascx,*.ashx,*.asmx,*.asp,*.indd,*.asr,*.qbb,*.bml,*.cer,*.cms,*.crt,
*.dap,*.htm,*.moz,*.svr,*.url,*.wdgt,*.abk,*.bic,*.big,*.blp,*.bsp,*.cgf,*.chk,*.col,*.cty,*.dem,
*.elf,*.ff,*.gam,*.grf,*.h3m,*.h4r,*.iwd,*.ldb,*.lgp,*.lvl,*.map,*.md3,*.mdl,*.mm6,*.mm7,
*.mm8,*.nds,*.pbp,*.ppf,*.pwf,*.pxp,*.sad,*.sav,*.scm,*.scx,*.sdt,*.spr,*.sud,*.uax,*.umx,*.unr,*.uop,*.usa,
*.usx,*.ut2,*.ut3,*.utc,*.utx,*.uvx,*.uxx,*.vmf,*.vtf,*.w3g,*.w3x,*.wtd,*.wtf,*.ccd,*.cd,*.cso,
*.disk,*.dmg,*.dvd,*.fcd,*.flp,*.img,*.iso,*.isz,*.md0,*.md1,*.md2,*.mdf,*.mds,*.nrg,*.nri,*.vcd,
*.vhd,*.snp,*.bkf,*.ade,*.adpb,*.dic,*.cch,*.ctt,*.dal,*.ddc,*.ddcx,*.dex,*.dif,*.dii,*.itdb,*.itl,
*.kmz,*.lcd,*.lcf,*.mbx,*.mdn,*.odf,*.odp,*.ods,*.pab,*.pkb,*.pkh,*.pot,*.potx,*.pptm,*.psa,*.qdf,
*.qel,*.rgn,*.rrt,*.rsw,*.rte,*.sdb,*.sdc,*.sds,*.sql,*.stt,*.t01,*.t03,*.t05,*.tcx,*.thmx,*.txd,
*.txf,*.upoi,*.vmt,*.wks,*.wmdb,*.xl,*.xlc,*.xlr,*.xlsb,*.xltx,*.ltm,*.xlwx,*.mcd,*.cap,*.cc,*.cod,
*.cp,*.cpp,*.cs,*.csi,*.dcp,*.dcu,*.dev,*.dob,*.dox,*.dpk,*.dpl,*.dpr,*.dsk,*.dsp,*.eql,*.ex,*.f90,
*.fla,*.for,*.fpp,*.jav,*.java,*.lbi,*.owl,*.pl,*.plc,*.pli,*.pm,*.res,*.rsrc,*.so,*.swd,
*.tpu,*.tpx,*.tu,*.tur,*.vc,*.yab,*.8ba,*.8bc,*.8be,*.8bf,*.8bi8,*.bi8,*.8bl,*.8bs,*.8bx,*.8by,*.8li,*.aip,
*.amxx,*.ape,*.api,*.mxp,*.oxt,*.qpx,*.qtr,*.xla,*.xlam,*.xll,*.xlv,*.xpt,*.cfg,*.cwf,*.dbb,*.slt,
*.bp2,*.bp3,*.bpl,*.clr,*.dbx,*.jc,*.potm,*.ppsm,*.prc,*.prt,*.shw,*.std,*.ver,*.wpl,*.xlm,*.yps,
*.md3,*.1cd

Unfortunately, the Power Worm Ransomware does not save the AES decryption key after the files are encrypted, essentially rendering them unrecoverable. Apart from encrypting files, the Power Worm Ransomware creates an HTML file, called DECRYPT_INSTRUCTION.html, for each encrypted file. This is a ransom note identical to those used by other popular ransomware infections. The Power Worm Ransomware's note, however, includes a unique fake ID for the victim and links to payment sites on TOR. Unlike other ransomware threats, there is no way to recover the data encrypted by the Power Worm Ransomware, even if one pays the ransom. Because of this, computer users should refrain from making any payment.

How to Deal with a Power Worm Ransomware Infection

The best protection against threats such as the Power Worm Ransomware is the use of a reliable security application and being smart when browsing the Web. The entire Power Worm Ransomware attack can be rendered ineffectual if computer users take the time to back up all of their important data to an external drive or the Cloud, allowing them to restore their files after they have been encrypted.
