
The Ransomware Risks in Office Files

Ransomware, first discovered in September 2013, has been a nightmare for individuals and institutions over the last two years. It is a type of malware (a trojan horse) that threatens to block access to data or to a computer system, typically by encrypting it, unless the victim pays the attacker a ransom. Initially restricted to Microsoft Windows operating systems, ransomware has since been adapted to Android smartphones and Mac computers. Furthermore, ransomware delivered through office files has emerged as a new attack vector.

Ransomware is distributed as an e-mail attachment and encrypts files of certain types, including those on network storage. The user is then informed that the encrypted files will not be unlocked unless the ransom is paid. In other words, it carries out a cryptovirology attack that renders the files unusable and demands money to restore them. If the ransom is not paid within the specified time frame, the attacker threatens that the encrypted files will never be decrypted or restored.

Ransomware in Office Files

Ransomware is frequently spread via e-mails carrying bogus electronic invoices. Note, however, that attackers are constantly developing new ways to deliver the malware. In recent weeks, macros in Office files have been identified as a new infection vector.

Why Macro?

Accountants and data-entry staff in the corporate world use office files to define and automate routine tasks. Because macros can run code and commands, attackers frequently abuse them. Malicious scripts (harmful macros) embedded in MS Excel, Word and similar files can be used to install spyware, encrypt data and demand a ransom payment.

The Inadequacy of Cyber Security Technology

Widely used antivirus software and sandbox solutions are largely ineffective against new-generation ransomware. The main reason is that new-generation ransomware constantly changes its digital signature and therefore cannot be recognized by signature-based and static analysis.

Malware developers and attackers can bypass heuristic and behavior-based automated analysis mechanisms with techniques they have devised. In some cases we see that these technologies are late in discovering new malicious software.

An Example of Ransomware

In the following example, we share the analysis of an e-mail that arrived in our inbox:

You may receive an e-mail that appears to be in your interest, from a job title or person you never expected. Such a malicious e-mail may appear to come from (impersonate) a familiar or trusted source!

Picture 1: “A sample e-mail with a malicious Excel file attached”

An Example of Malicious Software Analysis

In general, the software known as “Locky Ransomware,” shown in Picture 1, is delivered to the victim by e-mail. When the victim opens the attached Excel file from the e-mail and its macros are activated, the malware begins to run through those macros.

In this case, it is notable that a corporate name is used in the chosen file name. As with earlier ransomware samples posing as invoices, the invoice names are deliberately chosen to increase believability.

Picture 2: “To make the file name convincing, it follows templates used in corporate environments.”

When we analyze the macro (ransomware in office files) in Picture 2, it first downloads the encrypted payload to the computer from a server on the Internet.

Picture 3: “Download address of the malicious code fragments”

The Functionality of a Macro

Because of what macros can do, office files in Excel or Word format have become the most effective vehicle for abuse in cyber-attacks, so ransomware in office files is one of the major threats. When we examine ransomware in office files (macros in malicious Excel files), it catches our attention that encrypted content is downloaded from the Internet, decrypted and run.

In this case, the malware developer did not use code obfuscation. As seen in Picture 2, part of this code downloads the stage that encrypts your data and then runs it. The attacker writes the malicious macro code, which downloads the program that encrypts files on the victim’s computer, decrypts it and then executes it.

Picture 4: “The Locky macro first downloads the piece of code in encrypted form.”

The downloaded malicious content is decoded into DLL format and written to the %USERPROFILE%\temp folder as siluans.dll. This is a standard method used by ransomware, and with this injection method the encryption process is started, as shown in Pictures 4 and 5.

Picture 5: “Injection method”

Picture 6: “DLL injection method”

The Malicious Macro Code in the Excel File Passes into Another Phase

In Picture 6 we see that the malicious macro code contained in the Excel file (ransomware in office files) moves into another phase. With the macro’s help, the DLL file required by Locky Ransomware is loaded through Rundll32.exe, and its qwerty function is called.

Picture 7: “Rundll32.exe calling the qwerty function”
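The chain described above (Office macro, DLL dropped under %USERPROFILE%\temp, Rundll32.exe calling an export) is something a defender can look for in process-creation telemetry. The following is an added example, not code from this post or from Keepnet Labs; the event fields, the user name and the file paths are constructed for illustration, and the generic detection applies to any Office process and any user temp path, not only the sample analyzed here.

```python
# Added example, not code from the Keepnet post: flag the chain the analysis
# describes (Office macro -> DLL under %USERPROFILE%\temp -> rundll32 export call)
# in constructed process-creation events.
import re
from dataclasses import dataclass

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# User-writable drop folders; %USERPROFILE%\temp is the one observed in the post.
USER_TEMP = re.compile(
    r"(?:%userprofile%|\\users\\[^\\]+)\\(?:temp|appdata\\local\\temp)\\", re.I)
# "rundll32 <dll>,<export>", with or without quotes around the DLL path.
RUNDLL_ARGS = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+)"?\s*,\s*(?P<export>\S+)', re.I)

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent):
    """Return a reason string when the event matches the chain, else None."""
    if basename(ev.image) != "rundll32.exe":
        return None
    m = RUNDLL_ARGS.search(ev.command_line)
    if not m:
        return None
    reasons = []
    parent = basename(ev.parent_image)
    if parent in OFFICE_PROCESSES:
        reasons.append(f"rundll32 spawned by Office process {parent}")
    if USER_TEMP.search(m.group("dll")):
        reasons.append(f"DLL loaded from user temp path {m.group('dll')}")
    return "; ".join(reasons) + f", export {m.group('export')}" if reasons else None

def scan(events):
    """Return (index, reason) for every event that matches."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

# Constructed sample events (not real telemetry); user name and paths are made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\temp\siluans.dll,qwerty"),
]
```

Only the second constructed event is flagged: it has an Office parent and a DLL under the user's temp folder, which is the combination the analysis above describes.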

When we analyze the siluans.dll file, its command-and-control server, used to obtain encryption keys, and the file I/O activity performed during the encryption process can be seen in Pictures 7, 8 and 9.

Picture 8: “Key access”

Picture 9: “Encrypted files are written back to disk with a unique sequence number and an .odin extension.”

We see that the malware author uses a unique sequence number per file, that is, a per-file payment option, which makes selective restoration easier.

Picture 10: “A plain-text channel is used for the encryption key”

In Picture 10 we can see that a plain-text channel is used for the encryption key. In other words, no additional layer of protection is applied to the encryption key.

Picture 11: “The standard welcome screen shown after the encryption process.”

Picture 11 shows the welcome screen that appears once encryption has completed. We have determined how the ransomware operates through the macro in an Excel file, how the code fragment needed for encryption is fetched from a server on the Internet, how the Master Key is sent to the server and a message is delivered to the victim after encryption is complete, and, as always, how it demands a ransom.

Picture 12: “Encrypted files can only be recovered through a channel reached via the Tor Browser.”

As seen in the message content, the attacker lists the ransom payment procedure for decryption on the Tor network.

Solutions Against Ransomware in Office Files

In short, based on the analysis of ransomware in office files, we offer both individual and institutional solutions for your consideration.

Individual Solutions

  • Keepnet Labs advises you to strengthen your antispam and antivirus protection, as these attacks are mostly carried out via e-mail or similar means.
  • Use a heuristic-based logger on your personal computer.
  • Disable macros in Office files whose source you do not trust.
  • Do not open attachments from people you do not know!
  • Take the same approach to suspicious invoice or shipping-themed e-mails.


Institutional Solutions

  • Strengthen your antispam gateway solution and apply it against known ransomware threats.
  • Test your employees with phishing attacks and similar simulations, then provide training to specific individuals and groups.
  • Ransomware domain intelligence is an effective way to reduce risk; be sure to take advantage of such services.
