Wednesday, February 17, 2016

New Ransomware Hidden in Word Docs: New “Locky” Ransomware Is Loaded with Professional Grade Malware

Recent reports indicate that the actors behind Dridex, originally a banking Trojan, have switched tactics and are now heavily pushing a new ransomware family called Locky. The current method of distribution is spam email carrying a Word document; additional reports state that it is also being distributed via the Neutrino Exploit Kit.

KnowBe4 issued a warning to its customers today about a vicious new strain of ransomware hidden inside Word documents. The new strain, called "Locky," is professional-grade malware. It starts with an email carrying a Microsoft Word attachment that contains malicious macros, which makes it hard to filter out, and few antivirus products are catching it. Social engineering is used twice: first to trick users into opening the attachment, and again to get them to enable the macros in the Word file. When the document is opened, its content appears scrambled and a message tells the user to enable macros if the text is unreadable.

According to KnowBe4’s CEO Stu Sjouwerman, “Once a victim enables the macros, they download an executable from a remote server into the %Temp% folder and execute it. This executable is the Locky ransomware, which, when started, will begin to encrypt the files on your computer and network.”

The email message will contain a subject similar to ATTN: Invoice J-98223146 and a message such as "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice." This new strain was first reported in the UK by Kevin Beaumont, and Lawrence Abrams at BleepingComputer did a more in-depth analysis.

According to Abrams, "It targets a large number of file extensions and, even more importantly, encrypts data on unmapped network shares. Encrypting data on unmapped network shares is trivial to code, and given that we saw the recent DMA Locker with this feature and now Locky, it is safe to say that it is going to become the norm. Like CryptoWall, Locky also completely changes the filenames for encrypted files to make it more difficult to restore the right data."

Dodi Glenn, VP of Cyber Security at PC Pitstop says, “If an individual opens the spam email, ignores the macro Word alert and clicks "Enable Content," Locky will immediately scan the system for specific files, and encrypt or modify them so they can no longer be used - that is, unless a ransom is paid; Locky’s current demand is 0.5 BTC, or the equivalent of $209.33. These file types are commonly found on end users’ machines, such as .doc, .csv, .pdf, .jpg, etc. However, what should be more concerning to enterprise customers is that it will also look for .SQL, .SQLiteDB, and .SQLite3 files, which are associated with databases. The transaction is all too familiar for many of the other types of ransomware out there. PC Matic users should know that this malware is blocked, and cannot be executed on machines protected with Super Shield.”

Sjouwerman noted, “The old Office macros from the nineties have not gone away and the bad guys are combining this old technology with clever social engineering. If you trust antivirus software and your users not clicking ‘Enable macros’ you are going to have a problem. You can’t just disable all macros across the whole company because a lot of legacy code relies on macros. Telling all users to sign their macros will also take months.”

KnowBe4 advises the following steps be taken:

1. Go hunt for this Group Policy Setting in the Trust Center, and set it to “Disable all except digitally signed macros”.
2. Now check out Trusted Locations: User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
3. Set your shared folder location URL in here, e.g. \\blah.local\public\office   (More detail can be found at Microsoft Technet.)
4. Now instruct your users to make sure all macros are used from shared folders. Macros should work as before on their regular documents. If Mr. Bad Guy emails Joe in Accounts Payable a Bad File, the macro won’t run.

Users won’t see a prompt to enable the macro, nor can they enable it themselves from the Office options, because the policy setting overrides the Trust Center UI.
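The four steps above are Group Policy settings; on a test machine the same result can be reproduced by writing the registry values that the User Configuration policy populates, then reading them back. The PowerShell below is an added example and is not KnowBe4’s own script. It assumes Office 2016 (registry version string “16.0”) and Word as the application; Office 2013 uses “15.0”, and Excel and PowerPoint have parallel keys that need the same treatment. The share path is the placeholder the steps above use.

```powershell
# Added example: apply "Disable all except digitally signed macros" plus a
# network Trusted Location as local policy values, then verify them.
# Group Policy writes these same keys under HKCU:\Software\Policies when the
# User Configuration setting is applied; writing them directly is a way to
# test the effect on one machine before the GPO is rolled out.
#
# Assumptions (not on the page): Office 2016 => "16.0"; application = Word.
# Repeat for Excel and PowerPoint, and for "15.0" if Office 2013 is deployed.

$OfficeVersion = '16.0'
$App           = 'Word'
$TrustedShare  = '\\blah.local\public\office\'   # placeholder share from the steps above

$SecurityKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
$TrustedKey  = Join-Path $SecurityKey 'Trusted Locations'
$LocationKey = Join-Path $TrustedKey  'Location1'

# Step 1: VBA macro notification setting (policy name "VBAWarnings").
#   1 = enable all macros
#   2 = disable all with notification  (the yellow "Enable Content" bar Locky relies on)
#   3 = disable all except digitally signed macros
#   4 = disable all without notification
New-Item -Path $SecurityKey -Force | Out-Null
New-ItemProperty -Path $SecurityKey -Name 'VBAWarnings' -PropertyType DWord -Value 3 -Force | Out-Null

# Steps 2-3: add the shared folder as Trusted Location #1. A UNC path is only
# honoured if "Allow Trusted Locations on the network" is enabled as well.
New-Item -Path $LocationKey -Force | Out-Null
New-ItemProperty -Path $TrustedKey  -Name 'AllowNetworkLocations' -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $LocationKey -Name 'Path'                  -PropertyType String -Value $TrustedShare -Force | Out-Null
New-ItemProperty -Path $LocationKey -Name 'AllowSubfolders'       -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $LocationKey -Name 'Description'           -PropertyType String -Value 'Approved macro-enabled documents' -Force | Out-Null

# Verification: read each value back and flag anything that did not land.
$checks = @(
    @{ Key = $SecurityKey; Name = 'VBAWarnings';           Expected = 3 }
    @{ Key = $TrustedKey;  Name = 'AllowNetworkLocations'; Expected = 1 }
    @{ Key = $LocationKey; Name = 'AllowSubfolders';       Expected = 1 }
    @{ Key = $LocationKey; Name = 'Path';                  Expected = $TrustedShare }
)
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $status = if ($actual -eq $c.Expected) { 'OK  ' } else { 'FAIL' }
    '{0} {1}\{2} = {3}' -f $status, $c.Key, $c.Name, $actual
}
```

Two caveats a practitioner will want alongside this. First, the trusted share becomes part of the trust boundary: anyone who can write to \\blah.local\public\office can place a macro document that runs without any prompt, so the share needs a write ACL limited to the people who maintain the legitimate macros. Second, once VBAWarnings is 3, unsigned macros arriving from outside the trusted location are silently blocked rather than prompted for, which is the intended effect against the Locky lure but also means legacy macro documents that live in the wrong place will simply stop working until they are moved or signed.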

Sjouwerman added, “Technically speaking, your users are the new DMZ, and you need to create a human firewall. Effective security awareness training is a must these days.”