Tax Day Extortion: PowerWare Crypto-ransomware Targets Tax Files

by Anthony Melgarejo and Rhena Inocencio

As we are certain about some aspects of life, the same can be said about cybercrime. Tax Day draws closer in the U.S., and as millions of Americans are in the process of filing their taxes, cybercriminals are also stepping in to make this task profitable for them and difficult for their victims. We have seen recent incidents of organizations falling for business email compromise (BEC) schemes related to tax filing; now, it looks like online extortionists have joined the fray as well.

PowerWare (detected by Trend Micro as RANSOM_POWERWARE.A) is a new crypto-ransomware that abuses Windows PowerShell for its infection routine. However, apart from encrypting files commonly targeted by ransomware, PoweWare also targets tax return files created by tax filing programs (for example, files with .tax2013 and .tax2014 extensions). For users and organizations, losing current and previous years’ records can be a hassle, sometimes costly; in the U.S., for example, it is recommended that taxpayers keep the records of their tax returns for about of three (3) years after filing them because the statute of limitations for assessment of taxes and refunds runs for that same time period.

It is also worth noting that while ransomware that target specific tax-related files have been seen before, PowerWare’s technique using macro and PoweShell is quite uncommon.

Figure 1. Spam confuses users with “Invoice” as subject and “Financial Manager” as the sender

The infection starts when targets open a Microsoft Word document with an embedded malicious macro. This document is spread via emails, which is a common way to deliver crypto-ransomware.

The document instructs the victim to enable the macros. Once they are enabled, the malicious macro executes the following codes:

powerware_downloader-content

Figure 2. Word document instructing users to enabled macros

powerware_downloader-code

Figure 3. Snippet of the code that calls Powershell

As seen in the codes above, the macro uses cmd to execute an instance of Powershell.exe. This instance then connects to a website to download the PowerWare ransomware script (also written in Powershell) and save it as in the Windows Temporary folder as Y.ps1. The code then executes another Powershell instance to run PowerWare.

As mentioned earlier, PowerWare encrypts .tax2013 and .tax2014 extension files, among others, before self-destructing. It also drops an HTML file named “FILES_ENCRYPTED-READ_ME.HTML” in each folder with an encrypted file, detailing how an affected user can get their files back.

The attackers demand US$500 or 1.188 BTC and double that if the victim fails to pay before their deadline.

Figure 4. HTML page explaining the situation to the victim

Figure 5. Ransomware payment procedures

Figure 6. Ransom payment confirmation

Although PowerWare is a new family of crypto-ransomware, it mimics CryptoWall to a certain extent. It uses the same ransom note design as CryptoWall’s, and upon accessing the payment site, one can also observe the title bar bearing “CryptoWall Decript Service.” In a way, PowerWare wants the same impact as CryptoWall once had.

PowerWare also has the ability to map out network drives and enumerate all logical drives, making it a major threat to big companies with little or no experience in handling threats such as crypto-ransomware.

How to be ransomware-free this tax season

Knowledge of such threats serves as a user’s front line defense versus ransomware. Creating sufficient and regularly scheduled backups also help mitigate damage by ransomware. We also encourage users to implement the 3-2-1 rule for backing up their files:

At least three copies,
In two different formats,
with one of those copies off-site.

Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and businesses from this threat by detecting malicious files, and email messages before a user gets infected. They are also capable of blocking all related malicious URLs.

SHA1s for related files: