Some things in life are certain, and the same can be said of cybercrime. As Tax Day draws closer in the U.S. and millions of Americans file their taxes, cybercriminals are stepping in to make the season profitable for themselves and difficult for their victims. We have seen recent incidents of organizations falling for business email compromise (BEC) schemes related to tax filing; now, it looks like online extortionists have joined the fray as well.
PowerWare (detected by Trend Micro as RANSOM_POWERWARE.A) is a new crypto-ransomware that abuses Windows PowerShell for its infection routine. Apart from encrypting files commonly targeted by ransomware, PowerWare also targets tax return files created by tax filing programs (for example, files with .tax2013 and .tax2014 extensions). For users and organizations, losing current and previous years’ records can be a hassle, and sometimes costly; in the U.S., for example, it is recommended that taxpayers keep the records of their tax returns for about three (3) years after filing them because the statute of limitations for assessment of taxes and refunds runs for that same time period.
It is also worth noting that while ransomware that targets specific tax-related files has been seen before, PowerWare’s technique of using macros and PowerShell is quite uncommon.
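
The macro-plus-PowerShell combination noted above leaves a recognizable trace in process-creation telemetry: a PowerShell process whose ancestry leads back to an Office application. The following detection sketch is an added example, not code from the original post; the field names follow Sysmon process-creation (Event ID 1) records, and the Office process list, helper names and sample events are assumptions constructed for illustration.

```python
import ntpath

# Office applications that can run document macros (list assumed for this example).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def exe_name(path):
    """Lower-cased executable name from a Windows path."""
    return ntpath.basename(path or "").lower()

def office_spawned_powershell(events):
    """Return (office_ancestor, event) for each PowerShell process that descends
    from an Office application, directly or via intermediates such as cmd.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if exe_name(e["Image"]) not in POWERSHELL:
            continue
        seen, cur = set(), e
        while cur and cur["ProcessGuid"] not in seen:  # `seen` stops GUID loops
            seen.add(cur["ProcessGuid"])
            parent = exe_name(cur.get("ParentImage"))
            if parent in OFFICE:
                hits.append((parent, e))
                break
            # Parent event may be missing from the log window; then we stop.
            cur = by_guid.get(cur.get("ParentProcessGuid"))
    return hits

def ev(guid, image, parent_guid, parent_image):
    """Build one constructed process-creation record."""
    return {"ProcessGuid": guid, "Image": image,
            "ParentProcessGuid": parent_guid, "ParentImage": parent_image}

OFFICE_DIR = r"C:\Program Files\Microsoft Office\Office15"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not taken from a real PowerWare infection.
SAMPLE_EVENTS = [
    ev("A", OFFICE_DIR + r"\WINWORD.EXE", "X", r"C:\Windows\explorer.exe"),
    ev("B", r"C:\Windows\System32\cmd.exe", "A", OFFICE_DIR + r"\WINWORD.EXE"),
    ev("C", PS, "B", r"C:\Windows\System32\cmd.exe"),    # Word -> cmd -> PowerShell
    ev("D", PS, "X", r"C:\Windows\explorer.exe"),        # user-launched, ignored
    ev("E", OFFICE_DIR + r"\EXCEL.EXE", "X", r"C:\Windows\explorer.exe"),
    ev("F", PS, "E", OFFICE_DIR + r"\EXCEL.EXE"),        # Excel -> PowerShell
]

if __name__ == "__main__":
    for ancestor, event in office_spawned_powershell(SAMPLE_EVENTS):
        print(f"ALERT {ancestor} -> ... -> PowerShell (ProcessGuid {event['ProcessGuid']})")
```

Walking the ancestry instead of checking only the direct parent catches chains that pass through an intermediate process, while PowerShell started from the desktop shell is left alone.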