MS Word Ransomware
Over 400,000 workstations were infected within a few hours of its release.
Twenty-four hours after release, only three very specialized AntiVirus products detected the ransomware.
Most major AntiVirus products now detect it
…but only on machines whose AntiVirus is actually being updated.
It was only a matter of time before some cybercriminal figured out how to deliver ransomware through a Microsoft Word document.
Some professional cybercriminals finally did it.
The new ransomware, called “Locky”, was first reported in the UK by Kevin Beaumont. It is causing major headaches for companies all over the globe and has been received by companies in Canada, and even here in Manitoba.
The emails carry a subject line such as “ATTN: Invoice J-98223146” and a message like “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice”, or something similar. The email looks similar to the one below:
When opened, the attachment is a Microsoft Word document whose content appears scrambled. The document displays a message telling you to enable macros if the text is unreadable; that message is the lure, not a real Word prompt. The attachment will look similar to this:
Once the victim enables macros, the macro downloads an executable file from a remote server, saves it in the “%Temp%” folder and runs it. The executable then encrypts the files on the workstation, followed by the files on mapped network drives and on unmapped network shares it can reach.
Once this has happened, you receive the message below:
Like CryptoWall, Locky also completely renames the encrypted files, which makes it harder to work out which data to restore from backup. At this time, there is no known way to decrypt files encrypted by Locky.
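The delivery chain described above (a Word macro dropping an executable into %Temp% and launching it) leaves a very recognisable trace in process-creation telemetry: an Office application as the parent, and a child whose image lives under a Temp folder. The following PowerShell is an added example, not code from the original article. It uses the field names of Sysmon Event ID 1 (ParentImage, Image, CommandLine, User, UtcTime); the event records, the user CORP\jdoe and the file name sample_dropper.exe are constructed test data, not captured from a real infection.

```powershell
# Added example, not from the original article. Hunts for the Locky delivery
# pattern: an Office application spawning an executable stored under %Temp%.
# Field names follow Sysmon Event ID 1 (process creation); the sample events
# below are constructed test data, not captured from a real infection.

$OfficeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'

function Find-OfficeDroppedExecutable {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Event)
    process {
        # Last path component of the parent image, compared case-insensitively.
        $parentName = ($Event.ParentImage -split '\\')[-1].ToUpperInvariant()

        # Per-user %Temp% is <profile>\AppData\Local\Temp; the machine-wide one
        # is <drive>:\Windows\Temp. Adjust if your environment redirects %Temp%.
        $inTemp = ($Event.Image -match '\\AppData\\Local\\Temp\\') -or
                  ($Event.Image -match '^[A-Za-z]:\\Windows\\Temp\\')

        if (($OfficeParents -contains $parentName) -and $inTemp) {
            [pscustomobject]@{
                UtcTime     = $Event.UtcTime
                User        = $Event.User
                Parent      = $Event.ParentImage
                Dropped     = $Event.Image
                CommandLine = $Event.CommandLine
            }
        }
    }
}

# Constructed sample records: a benign Word child (the print spooler helper),
# an installer started by Explorer from Temp (wrong parent, so not flagged),
# and one record matching the Locky chain.
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime = '2016-02-17 14:01:58'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE'
        Image = 'C:\Windows\splwow64.exe'; CommandLine = 'C:\Windows\splwow64.exe 12288'
    },
    [pscustomobject]@{
        UtcTime = '2016-02-17 14:02:03'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Users\jdoe\AppData\Local\Temp\setup.exe'; CommandLine = 'setup.exe /quiet'
    },
    [pscustomobject]@{
        UtcTime = '2016-02-17 14:02:11'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE'
        Image = 'C:\Users\jdoe\AppData\Local\Temp\sample_dropper.exe'
        CommandLine = '"C:\Users\jdoe\AppData\Local\Temp\sample_dropper.exe"'
    }
)

# Only the third record should come back.
$hits = $SampleEvents | Find-OfficeDroppedExecutable
$hits | Format-Table -AutoSize
```

In production, feed the function from real telemetry instead of the sample array, for example `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}` with the event properties mapped onto the same field names. Word legitimately spawns a few helpers (the print spooler helper above is one), but it has no business starting anything that lives in a Temp folder, which is why the rule keys on both conditions rather than on the parent alone.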
How to Defend Yourself:
Have your I.T. person find this Group Policy setting (“VBA Macro Notification Settings”, under each Office application's Trust Center node) and set it to “Disable all except digitally signed macros”.
Now check out Trusted Locations: User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Enter your shared folder here as a UNC path, e.g. \\blah.local\public\office. Documents opened from a Trusted Location run their macros without any prompt, so that share must be one ordinary users can read but not write to.
More details on Microsoft TechNet here.
Users will no longer see a prompt to enable macros, nor can they enable them from the Office options.
There is still a small risk that a user saves the malicious attachment into the trusted network folder and opens it from there; keeping that folder read-only for users removes that path, and even without it the risk is much smaller than before.
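The two Group Policy settings above are stored by Office under the per-user Policies registry hive, which makes them easy to audit, or to apply on a single test machine before rolling them out through GPO. The following PowerShell is an added example, not code from the original article or from Microsoft. It assumes Office 2013 (registry version 15.0; use 14.0 for Office 2010 or 16.0 for Office 2016), uses the article's placeholder share \\blah.local\public\office, and must run in an elevated session because the HKCU Policies keys are not writable by a standard user. It also carries out the check the caveat above calls for: that the trusted share is not writable by broad groups.

```powershell
# Added example, not from the original article. Audits (and with -Apply, sets)
# the two Trust Center policies discussed above through the registry values that
# Group Policy writes, then checks that the trusted share is not user-writable.
# Assumptions: Office 2013 (15.0), a placeholder share name, elevated session.
param([switch]$Apply)

$OfficeVersion = '15.0'
$Apps          = 'Word', 'Excel', 'PowerPoint'
$TrustedShare  = '\\blah.local\public\office'   # placeholder from the article

# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
# 3 = disable all except digitally signed, 4 = disable all without notification.
$DisableExceptSigned = 3

function Get-SecurityKey([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Get-MacroPolicy {
    param([string]$App)
    $key   = Get-SecurityKey $App
    $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    [pscustomobject]@{ App = $App; VBAWarnings = $value; Compliant = ($value -eq $DisableExceptSigned) }
}

function Set-MacroPolicy {
    param([string]$App)
    $key = Get-SecurityKey $App
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value $DisableExceptSigned
}

function Add-TrustedLocation {
    param([string]$App, [string]$Path, [string]$Description)
    $base = Join-Path (Get-SecurityKey $App) 'Trusted Locations'
    New-Item -Path $base -Force | Out-Null
    # Office refuses network trusted locations unless this flag is set.
    Set-ItemProperty -Path $base -Name AllowNetworkLocations -Type DWord -Value 1
    $loc = Join-Path $base 'Location1'
    New-Item -Path $loc -Force | Out-Null
    Set-ItemProperty -Path $loc -Name Path -Value ($Path.TrimEnd('\') + '\')
    Set-ItemProperty -Path $loc -Name AllowSubFolders -Type DWord -Value 1
    Set-ItemProperty -Path $loc -Name Description -Value $Description
}

function Test-TrustedShareIsReadOnly {
    # A trusted location is only safe if ordinary users cannot write to it;
    # otherwise the malicious .doc can be saved there and opens with macros on.
    param([string]$Path)
    $broad     = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $acl       = Get-Acl -Path $Path
    $writers   = foreach ($ace in $acl.Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $name -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { $ace }
    }
    return (-not $writers)
}

if ($Apply) {
    foreach ($app in $Apps) {
        Set-MacroPolicy -App $app
        Add-TrustedLocation -App $app -Path $TrustedShare -Description 'IT-managed macro documents'
    }
}

# Audit: one row per application, Compliant = True once the policy is in place.
$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize

if (Test-Path $TrustedShare) {
    if (Test-TrustedShareIsReadOnly -Path $TrustedShare) {
        "Trusted share $TrustedShare is not writable by broad groups."
    } else {
        Write-Warning "Trusted share $TrustedShare is writable by ordinary users; macros opened from it run with no prompt."
    }
}
```

Run it without `-Apply` on a workstation that has received the GPO to confirm the policy actually landed (a `Compliant` of False with an empty `VBAWarnings` means the policy never reached that user). The ACL check only inspects the broad built-in and domain groups named in `$broad`; extend the list with whatever catch-all groups your domain uses.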
Here is a very small sample of how far & fast Locky has spread:
Not sure if your company is safe? Ask us for a FREE Network Security Assessment!
Check out our “Email Red Flags” for what to watch for in suspicious emails.