Palo Alto Networks’ researchers have created a decrypter for the variant of the PoshCoder ransomware that imitates the Locky ransomware.
Dubbed PowerWare by the researchers, the malware adds the “.locky” extension to encrypted files, uses the same ransom note as Locky, and its payment/decryption page also mentions the infamous ransomware. It targets and encrypts an exceptionally wide variety of files.
PoshCoder is a malware family that has been around since 2014, while the variant mimicking Locky is a bit more recent. Before that, PoshCoder was known for impersonating CryptoWall and TeslaCrypt – the leading ransomware families in their time.
PowerWare encrypts files with AES-128 using a hard-coded key, and it encrypts only the first 2048 bytes of each targeted file.
It seems obvious that the authors of PoshCoder/PowerWare are not that skilled when it comes to implementing encryption, and are trying to pass off their malware as those more formidable pieces of ransomware.
The poor encryption scheme has allowed researcher Josh Grunzweig to create the decrypter but, unfortunately, he has so far provided it to victims only as a Python script, and most users won’t know how to run it.
They can try following these instructions on Python.com on how to run a Python script on Windows, or ask someone more knowledgeable to help them clean their machine up.
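To show why a hard-coded key and a fixed 2048-byte prefix make recovery straightforward, here is the core of such a decrypter written for this article in Go with only the standard library; it is an added example, not Grunzweig's script or anything from the Palo Alto Networks write-up. The key is whatever analysis of the sample yields, and CBC mode with a known IV is an assumption, since the article states only AES-128.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"strings"
)

// The article states PowerWare encrypts only the first 2048 bytes of each file;
// everything after that is stored in the clear.
const EncryptedPrefixLen = 2048

// DecryptPrefix undoes AES-128 over the first 2048 bytes of data and copies the
// untouched remainder through. CBC mode and the caller-supplied IV are
// assumptions (the article only says AES-128 with a hard-coded key); files
// shorter than 2048 bytes are handled by decrypting the whole blocks present.
func DecryptPrefix(data, key, iv []byte) ([]byte, error) {
	if len(key) != 16 || len(iv) != aes.BlockSize {
		return nil, errors.New("need a 16-byte AES-128 key and a 16-byte IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(data)
	if n > EncryptedPrefixLen {
		n = EncryptedPrefixLen
	}
	n -= n % aes.BlockSize // CBC works on whole 16-byte blocks
	if n == 0 {
		return nil, errors.New("file too short to hold one encrypted block")
	}
	out := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out[:n], data[:n])
	copy(out[n:], data[n:]) // bytes past the prefix were never encrypted
	return out, nil
}

// RestoredName strips the ".locky" extension the malware appends to the
// original file name.
func RestoredName(name string) string {
	return strings.TrimSuffix(name, ".locky")
}
```

A wrapper would read each .locky file, call DecryptPrefix with the recovered key and IV, and write the result under RestoredName rather than overwriting the encrypted copy.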