We've previously covered how Hollywood Presbyterian Medical Center fell victim to a ransomware attack in February. To get their network back online, management decided their best option was to pay the ransom: $17,000 in bitcoin.
As you might expect, paying a ransom only enables the behavior. As we would see in March, ransomware attacks in healthcare increased sharply.
Of particular note is a new type of ransomware making the rounds in healthcare networks, PowerWare.
PowerWare: New Ransomware written in PowerShell
PowerWare was discovered a week ago by security researchers at Carbon Black. The bad guys behind PowerWare are spreading it via email by attaching a Word document claiming to be an invoice. The attackers then use one of the oldest tricks in the books: They request the user to enable macros to correctly view the fake invoice. Once enabled, the macros launch PowerShell, the native Windows framework that uses a command-line shell to perform nefarious tasks. The use of PowerShell allows the ransomware to avoid writing files to disk and thus makes threat detection quite difficult. It also allows the ransomware to encrypt files on the victim’s PC. Once a victim's files are encrypted, the latest versions of PowerWare actually increase the ransom amount with each passing week.
PowerWare Prevention: Looking Ahead
So what can be done to combat PowerWare? As it turns out, macros are still widely used in legitimate MS Word and Excel spreadsheets. Simply barring any email attachments that contain macros may seem draconian in 2016, but it may turn out to be best solution. As we've seen with .exe, .bat, and .scr file extensions, end users eventually come to terms that sending those types of files via email just isn't supported. We may be seeing the beginnings of that with office docs containing macros.