Ransomware isn’t a new type of attack, but malware writers have created a new form of it that has been wreaking havoc on user data. The malware is spread through email using spoofed headers and an attached document containing a malicious macro; the macro drops a Trojan, which then downloads the ransomware.
The virus is so new that it doesn’t even have a name yet; it’s simply referred to as the “Microsoft Word Macro Malware Virus.” What’s also disturbing is that it has been bypassing email filters. Zero-day viruses that haven’t yet been seen in the wild can often bypass all kinds of security software, including antivirus, anti-malware and email filters.
By default, Microsoft Word disables macros, since they have long been a common way to spread viruses, Trojans and worms. However, the user can be prompted to enable macros when a document needs them. When the attached Word document is opened, it prompts the user to enable macros in order to see the document’s content. As long as the macro stays blocked, the user is safe, but most users turn macros on, thinking that doing so is necessary to view the content.
Once the macro is enabled, the Trojan is dropped on the computer, and it then downloads the ransomware. The ransomware encrypts various files and alerts the user, who is told that he must pay the ransom or he will not receive the key to unlock the files.
This news comes after a recent attack on Hollywood Presbyterian Medical Center, which was also a victim of ransomware. The hospital was recently forced to use pen and paper for transactions while the FBI and local law enforcement investigated the attack. It’s rumored that the attackers are asking for 9,000 bitcoins (approximately $3.6 million) in exchange for the key. The hospital’s network and its millions of records are at risk of becoming completely unusable.
The malware that gets downloaded is called “Locky”. Researchers have indicated that this ransomware has a bit of a weak spot in its method of encryption and infection: it uses in-memory commands to conduct a key exchange, which could be the key to stopping the malware and protecting user computers. However, no antimalware software has yet been created to protect systems against it.
The best approach to this type of attack is email filtering as ransomware prevention. The first red flag is that the “from” address is spoofed, which should be picked up by email filtering systems. The attached document should also be scanned for malware and blocked when malware is detected. Because the email carries a .doc attachment, a format that most users trust, it tends to be opened immediately and without hesitation.
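As an added illustration of the two filter checks just described (a spoofed “from” address and a macro-bearing .doc attachment), here is a small mail-triage routine written for this article; it is not code from the original post or from any vendor. The message it inspects is constructed inline with a stand-in .doc body, the domain names are placeholders, and the macro test is a byte-pattern heuristic for legacy OLE .doc files only.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of a legacy OLE .doc file
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")    # OLE stream name that holds VBA code

def domain_of(header_value):
    # Lower-cased domain of the address found in a From / Return-Path value.
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of flags for one raw RFC 5322 message (empty list = nothing found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    # Flag 1: the header From domain differs from the envelope sender (Return-Path).
    hdr_from, env_from = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    if env_from and hdr_from != env_from:
        flags.append("from-mismatch")
    # Flag 2: the receiving MTA recorded an SPF or DKIM failure for the message.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        flags.append("auth-fail")
    # Flag 3: legacy .doc attachment, and whether its OLE directory names a VBA project
    # (heuristic: covers uncompressed OLE containers only, not zipped .docm files).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith((".doc", ".dot")) or data.startswith(OLE_MAGIC):
            flags.append("ole-attachment:" + name)
            if VBA_MARKER in data:
                flags.append("vba-macro:" + name)
    return flags

def build_sample(spoofed=True):
    """Constructed test message (not a real capture); the .doc body is a stand-in, not a real OLE file."""
    m = EmailMessage()
    m["From"] = "Accounts <billing@trusted-example.com>"
    m["Return-Path"] = "<bounce@spoofer-example.net>" if spoofed else "<billing@trusted-example.com>"
    m["Authentication-Results"] = "mx.example; spf=" + ("fail" if spoofed else "pass")
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    if spoofed:
        doc = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 16
        m.add_attachment(doc, maintype="application", subtype="msword", filename="invoice.doc")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))               # spoofed sender plus macro-bearing .doc
    print(triage(build_sample(spoofed=False)))  # clean text-only message -> []
```

A production filter would feed flagged attachments to a sandbox or a real OLE parser rather than relying on the marker search alone.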
If you think your network has been infected, it’s suggested that the user’s network account be locked and the user’s network access blocked to keep the infection from spreading throughout the organization.