About PowerWare: Ransomware in Word Documents


Does your team use Microsoft Word? Most teams do. Is your team highly skilled in spotting and avoiding Ransomware? Most teams are not. Here is what you need to know about PowerWare – a new ransomware in Word documents.

PowerWare is a recently discovered threat that targets Windows operating systems by abusing PowerShell.

PowerShell is essentially a more powerful version of the ‘Command Prompt’ found in Windows, comparable to the ‘Terminal’ found on Mac operating systems.

PowerWare Ransomware uses the PowerShell utility to install ransomware on your computers.

What sets PowerWare apart from other ransomware is this: most ransomware threats come in the form of an executable program that is installed on your computer. Most advanced antivirus and web filtering programs can catch these threats. What makes PowerWare so dangerous and effective is that it does not install an executable program, but instead uses the PowerShell utility built into your Windows operating system to deliver its malicious code. Presently, most antivirus products cannot detect this threat.

What does PowerWare do to my computer?

As previously mentioned, PowerWare is ransomware in Word documents, or rather, it is transferred in Word documents and enabled by macros available in Microsoft Word. Macros are small bits of code that allow Microsoft Word to run automated tasks.

PowerWare uses Word’s macros to embed itself within the document. When you open an infected Word document, the macro in the document is enabled and calls upon your computer’s ‘Command Prompt’ to open PowerShell, which then runs malicious code that encrypts your data, locking you out of your files until a ransom is paid to receive a decryption key.

How can I prevent PowerWare from taking control of my files?

The simple answer would be to disable macros in all Microsoft Office products. Unfortunately, in real-world environments and the small business landscape this is not recommended, as macros have many uses and benefits. Completely disabling them can impede productivity.

Presently, the industry guideline for dealing with this type of ransomware is to block its ability to call upon Command Prompt and PowerShell.

To do this, users can set a rule that blocks Word (winword.exe) from launching Command Prompt (cmd.exe).

It’s also recommended to use this rule to block browsers such as Chrome, Internet Explorer and Firefox, along with other Microsoft Office products such as Excel (excel.exe), PowerPoint (powerpnt.exe) and Outlook (outlook.exe), from launching Command Prompt. You can find instructions to disable Command Prompt here.
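The blocking rule above has a detection-side counterpart: watch process-creation events for cmd.exe or powershell.exe that descend from an Office application. The following is an added example, not code from the original post; it runs over a constructed set of process-creation records (fields modelled loosely on Sysmon Event ID 1 / Windows event 4688) and flags the winword.exe → cmd.exe → powershell.exe chain the article describes, while ignoring a shell launched from Explorer.

```python
"""Flag cmd.exe / powershell.exe launches that descend from an Office process.

Added example, not from the original post. The record format (pid, ppid,
image) is an assumption for the demo; a real deployment would read these
fields from the Sysmon or Security event log.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample: a Word macro spawns cmd.exe, which spawns PowerShell.
# The last two records are a benign Explorer -> cmd.exe launch for contrast.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe"},
]

def basename(image):
    """Lower-cased file name of a Windows path (case-insensitive matching)."""
    return ntpath.basename(image).lower()

def office_ancestor(pid, by_pid, max_depth=8):
    """Walk up the parent chain from pid; return the Office record if found."""
    depth = 0
    while pid in by_pid and depth < max_depth:
        ev = by_pid[pid]
        if basename(ev["image"]) in OFFICE_APPS:
            return ev
        pid = ev["ppid"]
        depth += 1
    return None

def find_office_shell_launches(events):
    """Return (shell_event, office_event) pairs for shells with an Office ancestor."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if basename(ev["image"]) in SHELLS:
            office = office_ancestor(ev["ppid"], by_pid)
            if office is not None:
                hits.append((ev, office))
    return hits

if __name__ == "__main__":
    for shell, office in find_office_shell_launches(SAMPLE_EVENTS):
        print(f"ALERT: {basename(shell['image'])} (pid {shell['pid']}) descends from "
              f"{basename(office['image'])} (pid {office['pid']})")
```

Walking the full ancestor chain rather than only the direct parent is what catches the PowerShell process, since in the described chain its immediate parent is cmd.exe, not Word.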

You can also put the request in for your IT provider to do this for you.

IT Support Services in Toronto ON

If you don’t have an IT provider, we would be happy to help. We are TUCU, a Toronto IT support company for small business and non-profit teams. We’ve been solving IT problems since 2003.