PowerWare Ransomware Removal Guide

Do you know what PowerWare Ransomware is?

PowerWare Ransomware is a highly malicious program that can exploit your computer's security weaknesses and infect it. It is configured to encrypt almost all files on your computer and demand that you pay a ransom for the decryption program and key needed to decrypt your files. This ransomware is set to remove itself after the encryption is complete and leave only the ransom note behind. We do not recommend paying the ransom, because the cyber crooks might not hold up their end of the bargain and send you the promised decryption tool and key. Please read this article if you want to know more, because it contains valuable information about this infection's distribution methods and functions.

First of all, we want to inform you that PowerWare Ransomware is also known as PoshCoder Ransomware. The reason for it having two names is unknown, but it is important to know this fact to avoid confusion. Unfortunately, our researchers did not uncover any information regarding its developers, but they have managed to identify its distribution method, which can help you keep your computer from getting infected if it has not been infected already.

Our malware analysts have concluded that this particular ransomware is currently being distributed via email spam, evidently the most popular ransomware distribution method. They say that its emails can masquerade as legitimate business correspondence, receipts, or invoices, and the contents of the email urge you to open an attached Microsoft Word document (.docx). The document's text will appear distorted, and the document will say that you need to enable macros to fix this issue. If you enable macros in MS Word, the infection begins. Researchers say that when you open the document with macros enabled, the code embedded in it is run through Cmd.exe, which launches PowerShell with options that download and run PowerWare Ransomware's main file, which is supposed to be named fixed.ps1. The name may differ, but the .ps1 extension should indicate that it is indeed the malicious file. This file will delete itself from your PC once it has encrypted your files, but let us elaborate on the encryption process before we move on to removal.

Our malware analysts have obtained a sample of this infection and tested it. They found that fixed.ps1 is dropped to %TEMP%\Quest Software\PowerGUI\[36-symbol name folder]. The name of the last folder changes from case to case, but the number of symbols is supposed to remain the same, so it should not be difficult to identify. Once this file is in place, PowerWare Ransomware scans your computer for files of interest. Testing has shown that it will encrypt hundreds of file formats, including audio and video files, documents, images, and so on. In short, it aims to encrypt personal and valuable information for which you would be willing to pay the ransom. This ransomware uses the RSA-2048 and AES-128 encryption algorithms to encrypt your files, but it encrypts only the first 2048 bytes of each file. Hence, the encryption is not that strong, and we are positive that it will be cracked soon and a third-party decryption tool released. Furthermore, this ransomware appends the .locky extension to the end of each file name, a clear sign that the file has been encrypted.

The cyber criminals want you to pay 500 USD in Bitcoins, and if you do not pay this sum within two weeks, the ransom is set to increase to 1000 USD. However, at the time of our research the links provided in the ransom note, named _HELP_instructions.htm (which is created after the encryption is complete), did not work, so you cannot contact the cyber crooks to get instructions on how to pay the ransom.

Therefore, since you most likely will not be able to contact them, and you might not get the decryption tool and key even if you do, we recommend that you remove PowerWare Ransomware's leftover files and restore as many encrypted files as you can from backups. Alternatively, you can wait until someone releases a free decryption tool. In any case, paying the ransom is uneconomical, and you would only fund the development of new malware.

How to delete PowerWare Ransomware files

  1. Find and delete the malicious .docx file.
  2. Then, hold down the Windows+E keys.
  3. Enter %TEMP%\Quest Software\PowerGUI in the address box.
  4. Find the folder with the 36-symbol name and delete it.
  5. Delete the multiple _HELP_instructions.html files.
  6. Done.
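The indicators described in the encryption section and located by the removal steps above (the 36-symbol PowerGUI drop folder, the .locky extension, the _HELP_instructions notes, and encryption of only the first 2048 bytes of each file) can be checked with a small triage script before anything is deleted. The following is an added example written for this guide, not the researchers' own tooling: it walks a directory you point it at instead of the live %TEMP%, and the 7.0 bits-per-byte entropy threshold and the sample tree it builds are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

HEADER_LEN = 2048  # bytes the article says PowerWare encrypts in each file

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def partial_encryption_pattern(path: str, threshold: float = 7.0) -> bool:
    """True when the first 2048 bytes look random but the remainder does not."""
    with open(path, "rb") as fh:
        head, tail = fh.read(HEADER_LEN), fh.read()
    return entropy(head) > threshold and (not tail or entropy(tail) < threshold)

def triage(root: str, temp_dir: str) -> dict:
    """Collect the article's indicators: drop folder, .locky files, ransom notes."""
    parent = os.path.join(temp_dir, "Quest Software", "PowerGUI")
    names = os.listdir(parent) if os.path.isdir(parent) else []
    found = {"drop_dirs": [os.path.join(parent, d) for d in names if len(d) == 36],
             "locky": [], "notes": [], "partial": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full, low = os.path.join(dirpath, name), name.lower()
            if low.endswith(".locky"):
                found["locky"].append(full)
                if partial_encryption_pattern(full):
                    found["partial"].append(full)
            elif low.startswith("_help_instructions."):  # .htm and .html both seen
                found["notes"].append(full)
    return found

def demo() -> dict:
    """Triage a constructed sample tree (stand-in data, not real malware output)."""
    base = tempfile.mkdtemp()
    drop = os.path.join(base, "temp", "Quest Software", "PowerGUI", "a" * 36)
    docs = os.path.join(base, "docs")
    os.makedirs(drop)
    os.makedirs(docs)
    # 2048 pseudo-random bytes model the encrypted header; readable text follows it
    head = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    with open(os.path.join(docs, "report.docx.locky"), "wb") as fh:
        fh.write(head + b"Quarterly figures, plain text body. " * 50)
    with open(os.path.join(docs, "_HELP_instructions.htm"), "w") as fh:
        fh.write("constructed ransom-note stand-in")
    return triage(docs, os.path.join(base, "temp"))
```

On a real machine, pass the user's document folders as `root` and the expanded %TEMP% path as `temp_dir`; files listed under `partial` are the ones a future header-only decryptor would be expected to recover.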

In non-techie terms:

PowerWare Ransomware is a dangerous infection that can enter your computer via email spam. Its purpose is to encrypt your valuable files and demand that you pay a ransom to get them back. However, there is no guarantee that you will get the promised decryption tool and key, so we suggest that you delete its leftover files, since its main file deletes itself automatically, and scan your PC with SpyHunter to see if your computer's security is in good standing.