Ransomware, first discovered in September 2013, has been a nightmare for individuals and institutions. It is a hazardous type of ransomware trojan horse. Ransomware has since been adopted for Android smartphones and Mac computers. Furthermore, ransomware in office files has emerged as a new attack vector.
Ransomware, discovered in September 2013, has been a nightmare for individuals and institutions over the last two years. It is a type of malware that threatens to prevent access to data or a computer system, typically by encrypting it, unless the victim pays the attacker a ransom. Initially restricted to Microsoft Windows operating systems, Ransomware has since been adopted for Android smartphones and Mac computers. Furthermore, ransomware in office files has emerged as a new attack vector.
Ransomware is distributed by email attachments and encrypts some file types on network storage. Following that, a user is informed that encrypted files will not be unlocked unless the ransom is paid. In other words, it launches a cryptovirology attack that corrupts the files and demands a ransom (money) to restore them. When the ransom is not paid within the specified time frame, it threatens that encrypted files will not be decrypted/restored.
Ransomware is frequently spread via emails with bogus electronic invoices. It should be noted, however, that attackers are always developing new ways to infect the virus. Macros in Office files have been identified as a new vector of infection in recent weeks.
Account specialists and information processors in the corporate world employ office files to formulate and automate commonly performed tasks. Because it is possible to run code and instructions under the auspices of macros, attackers often employ these methods. Malicious scripts (harmful macros) stored in MS Excel or Word and similar files could be used to infect with spyware, encrypt data, and demand a ransom payment.
The practically known antivirus software and sandbox solutions are to a large extent getting nowhere against new generation ransomware. The biggest reason for this situation is that the new generation of ransomware can constantly change its digital signature and thus cannot be recognized with signature-based and static analyses.
Malicious software developers and malicious attackers can circumvent intuitive and behavior-based automated analysis mechanisms with methods they have developed. In some cases, we see that these technologies can be late in discovering new malicious software.
We share the analysis of an email in our inbox in the following example:
You may receive an email that you believe is in your best interests from a title or individual you never expected. Such a malicious email may appear (impersonate) to come from a familiar or trusted source!
In general, software known as “Locky Ransomware,” as shown in Figure -1, is given to the victim by email. The macros in the Excel file become active when the victim gets it from an email and runs it, and malware begins to work through macros.
In this case, it calls our attention to the fact that a corporate name is claimed when the file name is chosen. As with the previous ransomware bill virus samples, the bill names are deliberately chosen to increase believability.
When we analyze the macro (ransomware in office files) in picture -2, first it starts processing by downloading the encrypted payload to the computer via an Internet server.
Due to the functionality of macros, office files in Excel or Word format have already turned into the most effective source of abuse used in cyber-attacks. Thus ransomware in office file (s) is one of the significant threats. When we examine ransomware in office files (macros in malicious Excel files) it catches our attention that the encrypted content is decrypted and run by downloading from the Internet.
In this scenario, the malicious software developer did not use code obfuscation. As seen in Picture 2, a portion of this code downloads a malware stage that encrypts your data from nutrahacks.com and then runs it. The attacker creates malicious macro code, downloads programs to encrypt files on a victim’s computer, and then executes it by decrypting it.
Downloaded malicious content is named siluans.dll after being resolved in the DLL file format to the %USERPROFILE%\temp folder. We see that it is a standard method that ransomware malware uses, and with this injection method, the encryption process is initiated in pictures 4 and 5.
We see that malicious macro code that is contained in an Excel file (ransomware in office files) passes into another phase in Picture 6. With the DLL file’s macro assistance, which is required for Locky Ransomware, by using the Rundll32.exe file, the qwerty function is being called.
When we analyze the Siluans.dll file, its command control server for accessing encryption keys and File I / O activity performed during the encryption process might be seen in the following pictures as well as in Pictures 7, 8, and 9.
We see that the person who has made up the malware is using the singular sequence number, that is to say, with the per file charge alternative, which improves the restoring functions.
Picture- 10 “A plain-text channel is preferred for encryption key”
In Picture-10 We can see that for the encryption key, a plain-text channel is recommended. In summary, the encryption key does not require an additional layer of security.
In Picture-11 the welcome screen is seen after the encryption process has been completed. We determined how Ransomware acts with the macro in an Excel file, how the piece of code is required for encryption from a server on the Internet, and how the Master Key is sent to the server by delivering a message to the victim after encryption is completed, and as always, how it demands a ransom.
As is seen in the content of the message, to decrypt, the attacker lists ransom payment routines under the Tor network.
In short, as a result of the analysis of the ransomware in office files, we offer both individual and institutional solutions for your attention.
Free phishing test: Keep your employees aware of the Ransomware threats
Register and measure your company’s risk against cyber-attacks for free on Keepnetlabs.
