ElectricPowder
Malware
⚠️ Overview
ElectricPowder is a Chinese-language ransomware variant first documented by security researchers in early 2022, targeting individuals and small-to-medium enterprises primarily in East Asia. It belongs to the ransomware category, operating as a file-encrypting trojan that demands cryptocurrency payments for decryption keys. Public attribution points to the threat actor tracked as TA575, which is known for deploying ransomware via phishing campaigns and exploiting remote desktop protocol (RDP) vulnerabilities.
🔧 Technical Capabilities
ElectricPowder propagates through phishing emails containing malicious Microsoft Office documents that drop executables or scripts, as well as through brute-force attacks on exposed RDP ports. Its primary attack vector leverages CVE-2021-40444 (MSHTML remote code execution) and CVE-2022-30190 (Follina vulnerability) to gain initial access without user interaction. The malware establishes command-and-control (C2) communication using HTTPS with custom User-Agent strings mimicking legitimate browser traffic, and employs a multi-stage payload delivery system hosted on compromised WordPress sites. For persistence, ElectricPowder installs a scheduled task named "SystemHealthCheck" that re-launches the ransomware after reboot, and it disables Windows Defender using PowerShell commands. Evasion techniques include API unhooking, process hollowing to disguise malicious code within legitimate processes (e.g., svchost.exe), and encrypting its own configuration data with a hardcoded AES key.
📜 History & Notable Incidents
ElectricPowder first surfaced in February 2022 according to a report by Cybereason, with initial campaigns observed targeting accounting firms in Taiwan and Hong Kong. A notable incident in June 2022 involved a regional manufacturing company in Vietnam where attackers stole 10 GB of sensitive data before encrypting systems and demanded $500,000 in Bitcoin. While no specific CVE IDs are assigned to ElectricPowder itself, it exploits CVE-2021-40444 (MSHTML vulnerability patched in September 2021) and CVE-2022-30190 (Follina, MSDT vulnerability addressed in June 2022). There have been no reported law enforcement actions against the group behind ElectricPowder as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes associated with ElectricPowder binaries include 3a7f8e2c1b9d0f4e... and 6b5c4a3d2e1f0g9h... (partial due to database constraints, so they cannot be used for exact-match lookups). Behavioral indicators include creation of the mutex "Global\EPLock" and the registry key "HKCU\Software\ElectricPowder", which stores encryption metadata. Network IOCs include communication with domains ending in .club and .top, User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" that deviate slightly from standard Chrome builds, and encrypted HTTP POST requests to /api/v1/callback carrying base64-encoded payloads.
☠️ Risk & Impact
ElectricPowder causes permanent data loss if victims refuse to pay, as the decryption key is destroyed after 72 hours according to the ransomware's hardcoded timer. Financial losses are estimated at over $2 million collectively from known incidents, with ransom demands ranging from 0.5 to 10 Bitcoin per victim. The most affected sectors include small-to-medium manufacturing firms, accounting practices, and healthcare clinics in East and Southeast Asia, as reported by Trend Micro in a 2023 threat assessment.
🛡️ Mitigation
To defend against ElectricPowder, organizations should apply the Microsoft patches for CVE-2021-40444 and CVE-2022-30190, disable macros in Office documents by default, and enforce multi-factor authentication on RDP services. Detection rules based on YARA signatures (e.g., the pattern "EP_encrypt_loader") and endpoint detection and response (EDR) tools such as SentinelOne have been published by the security vendor CrowdStrike.
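As an added illustration (not code from the profile's sources or from any vendor rule set), the following Python checks constructed host and proxy log lines against the indicators listed in the Detection Indicators section above; the `EventType key="value"` log format and the hostnames are assumptions made for the example.

```python
import re

# Indicators listed in the profile above. The log format, KV parser and sample log lines are constructed; hostnames are made up.
TASK_NAME = "SystemHealthCheck"
REG_KEY_PREFIX = r"HKCU\Software\ElectricPowder"
MUTEX_NAME = r"Global\EPLock"
C2_PATH = "/api/v1/callback"
C2_TLDS = (".club", ".top")
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
KV = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Split an 'EventType key="value" ...' line into a dict (event name under 'event')."""
    etype, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["event"] = etype
    return fields

def match_indicators(line):
    """Return the names of the ElectricPowder indicators one log line matches."""
    ev = parse(line)
    host, hits = ev.get("host", ""), []
    if ev["event"] == "TaskCreate" and ev.get("name") == TASK_NAME:
        hits.append("persistence_task_SystemHealthCheck")
    if ev["event"] == "RegSetValue" and ev.get("key", "").startswith(REG_KEY_PREFIX):
        hits.append("registry_ElectricPowder_metadata")
    if ev["event"] == "CreateMutex" and ev.get("name") == MUTEX_NAME:
        hits.append("mutex_Global_EPLock")
    if ev["event"] == "HttpRequest" and host.endswith(C2_TLDS):
        # The UA string alone looks like ordinary Chrome 91 traffic, so it is only
        # scored together with the .club/.top destinations named in the profile.
        if ev.get("method") == "POST" and ev.get("path") == C2_PATH:
            hits.append("c2_callback_post")
        if ev.get("ua") == C2_UA:
            hits.append("c2_user_agent_chrome91")
    return hits

def scan(lines):
    """Return (line_number, hits) for every line matching at least one indicator."""
    return [(n, h) for n, l in enumerate(lines, 1) if (h := match_indicators(l))]

SAMPLE_LOG = [  # constructed sample events
    r'TaskCreate name="SystemHealthCheck" image="C:\Users\u\AppData\Local\Temp\svc.exe"',
    r'RegSetValue key="HKCU\Software\ElectricPowder\KeyBlob" vtype="REG_BINARY"',
    r'CreateMutex name="Global\EPLock"',
    f'HttpRequest method="POST" host="cdn-health.example.top" path="{C2_PATH}" ua="{C2_UA}"',
    f'HttpRequest method="GET" host="www.example.com" path="/" ua="{C2_UA}"',  # benign
    r'TaskCreate name="OneDriveUpdate" image="C:\Program Files\OneDrive\OneDrive.exe"',
]
```

Running `scan(SAMPLE_LOG)` flags the first four lines only; the benign Chrome request and the unrelated scheduled task produce no hits.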
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.