PowerWare ransomware variant poses as Locky, but can be decrypted

PowerWare, the ransomware that commandeers Microsoft's PowerShell utility to download and run malicious code, now has a variant that mimics Locky ransomware.

According to Palo Alto Networks, whose Unit 42 threat research team made the recent discovery, the variant appends a .locky filename extension to the files it encrypts to sell the notion that Locky is behind the attack. It also writes an HTML-based ransom note whose directions borrow the exact wording found in Locky's note. Furthermore, it provides a website with Bitcoin payment instructions that refer to a Locky decryptor.

Despite its efforts to imitate Locky, PowerWare (aka PoshCoder) cannot mask the fact that its encryption can currently be broken, because it uses a hardcoded key for its AES-128 encryption, Palo Alto explains in a blog post. Indeed, the company has released a free Python script that decrypts PowerWare's .locky files.
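The following Go program is an added illustration of why a hardcoded key makes recovery possible; it is not Palo Alto's decryption script and not code from the article. Because the article gives neither the key nor the cipher mode, it assumes a placeholder 16-byte key, AES-128-CBC with the IV prepended to the ciphertext, and PKCS#7 padding; the encryption helper only builds a constructed sample file to exercise the recovery routine offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"strings"
)

// hardcodedKey stands in for the static AES-128 key embedded in the malware's
// PowerShell script. This value is a placeholder, not the real key.
var hardcodedKey = []byte("PLACEHOLDER-16B!") // 16 bytes = AES-128

// decryptLockyFile reverses the assumed scheme (AES-128-CBC, IV prepended,
// PKCS#7 padding) and returns the plaintext together with the original file
// name, i.e. with the fake ".locky" extension removed.
func decryptLockyFile(name string, data []byte, key []byte) (string, []byte, error) {
	if !strings.HasSuffix(name, ".locky") {
		return "", nil, errors.New("not a .locky file")
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return "", nil, errors.New("ciphertext length invalid")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", nil, err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Validate PKCS#7 padding; a wrong key almost always fails here.
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return strings.TrimSuffix(name, ".locky"), pt[:len(pt)-pad], nil
}

// encryptForDemo builds a constructed sample of an encrypted file so the
// recovery routine can be exercised offline; it is not the malware's code.
func encryptForDemo(plain []byte, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...)
}
```

Because the key is the same on every victim machine, anyone who extracts it once from the script can run this kind of routine over every .locky file, which is exactly what makes a free decryptor feasible.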