Starting about a week ago, PowerWare ransomware began to propagate in email campaigns using Word documents laced with macros. PowerWare works by launching cmd.exe via macros contained within the infected Microsoft Word document. The resulting cmd.exe process in turn calls PowerShell to perform encryption of the files.
PowerWare is a “fileless” malware variant, so protection technologies that rely on file signatures or static attributes of executable files have difficulty protecting against this threat. In the case of PowerWare, simply opening a Word document and enabling macros can lead to your files being encrypted and held for ransom by the attackers. This is decidedly bad for business!
Fortunately, Symantec Endpoint Protection (SEP) customers can use some of the granular controls contained in our product to protect against these types of threats. In particular, the Application Control feature of SEP can be used to provide much stronger controls. As such, we created an Application Control policy to protect against PowerWare and other similar malware that provides two major safeguards.
First, we prevent processes such as Microsoft Word, Excel, PowerPoint, etc. from launching cmd.exe and/or powershell.exe directly from within these applications. Preventing cmd.exe and powershell.exe from being launched directly by applications such as Microsoft Word breaks the exact tactic the malware relies on. There are extremely few, if any, valid business reasons to allow cmd.exe or powershell.exe to be launched from within Microsoft Word and the other monitored applications. Hence, any impact on generic end user workstations should be noted during testing and handled as an exception.
Secondly, we prevent the monitored Microsoft applications from being able to tamper with cmd.exe or powershell.exe. This prevents future variants of the malware from simply making a copy of cmd.exe or powershell.exe and then launching the copy of those programs. While we have not seen this behavior exhibited so far, it does not require much imagination to see that this would be a technique for bypassing the previously discussed controls around process launches from within the monitored applications.
The attached Application and Device control policy contains two rules to implement the controls described above. They can be viewed after importing the attached sample policy and are shown in the illustration below.
Optionally, as an additional measure, Symantec also provides an Application Control rule set to prevent vulnerable Windows processes including Outlook, Excel, Word and others from being able to write executable files to disk. This rule set is named “Prevent vulnerable Windows processes from writing code [AC17]”. While enabling this rule set can provide a strong additional control that may prove useful in preventing endpoint compromise, it is not enabled in the sample policy.
When importing the sample policy, be sure to set the new rule sets to “Test/Log” mode and monitor the results via the SEP Manager to ensure that you do not create a negative business impact.
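As an added illustration (not part of the Symantec post or its sample policy), the two rules described above can be expressed as a small triage script that replays endpoint process-creation and file-access records and reports which ones the rules would have blocked, the same review you would do over “Test/Log” output before switching to enforcement. The record fields, the image paths and the sample events are constructed for this example; how SEP itself represents a tampering attempt is an assumption here, modelled as any file access by a monitored Office process to the controlled binaries.

```python
from __future__ import annotations
import ntpath
from dataclasses import dataclass

# Monitored parents and controlled binaries, as named in the policy description.
MONITORED_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CONTROLLED_BINARIES = {"cmd.exe", "powershell.exe"}
RULE_LAUNCH = "Rule 1: Office app launching cmd.exe/powershell.exe"
RULE_TAMPER = "Rule 2: Office app tampering with cmd.exe/powershell.exe"


@dataclass(frozen=True)
class Event:
    """One constructed endpoint record (field names are an assumption)."""
    kind: str    # "process_create" or "file_access"
    actor: str   # image path of the process performing the action
    target: str  # child image path, or path of the file being accessed


def _image(path: str) -> str:
    """Windows basename, lower-cased, so rules match regardless of install path."""
    return ntpath.basename(path).lower()


def evaluate(ev: Event) -> str | None:
    """Return the rule a Test/Log entry would cite, or None if the event is allowed."""
    if _image(ev.actor) not in MONITORED_PARENTS:
        return None  # only the monitored Office processes are constrained
    if _image(ev.target) not in CONTROLLED_BINARIES:
        return None  # e.g. Word launching its print helper is left alone
    if ev.kind == "process_create":
        return RULE_LAUNCH
    if ev.kind == "file_access":
        # Copying cmd.exe means touching the original first, so any read/write/
        # rename of the controlled binaries by a monitored parent is tampering.
        return RULE_TAMPER
    return None


def triage(events: list[Event]) -> list[tuple[Event, str]]:
    """Simulate Test/Log mode: list the events the two rules would have blocked."""
    return [(ev, rule) for ev in events if (rule := evaluate(ev)) is not None]


# Constructed samples: the PowerWare chain plus two benign events for comparison.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process_create", OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    Event("process_create", r"C:\Windows\System32\cmd.exe", PS),  # parent already blocked
    Event("file_access", OFFICE + r"\EXCEL.EXE", PS),
    Event("process_create", OFFICE + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe"),
    Event("process_create", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]
```

Note that only the Word-to-cmd.exe link of the PowerWare chain is caught; the later cmd.exe-to-powershell.exe step has an unmonitored parent, which is why the policy must block the first hop.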