Ransomware, discovered in September 2013, has been a nightmare for individuals and institutions over the last two years. It is a type of malware that threatens to block access to data or a computer system, typically by encrypting it, unless the victim pays the attacker a ransom. Initially restricted to Microsoft Windows, ransomware has since been adapted for Android smartphones and Mac computers. Furthermore, ransomware delivered through office files has emerged as a new attack vector.
Ransomware is distributed through email attachments and encrypts certain file types on network storage. The user is then informed that the encrypted files will not be unlocked unless the ransom is paid. In other words, it carries out a cryptovirology attack that renders the files unusable and demands money to restore them, and it threatens that the encrypted files will not be decrypted if the ransom is not paid within the stated time frame.
Ransomware in Office Files
Ransomware is frequently spread via emails carrying bogus electronic invoices. It should be noted, however, that attackers constantly develop new ways to spread the malware. In recent weeks, macros in Office files have been identified as a new infection vector.
Why Macros?
Accountants and data-entry staff in the corporate world use office files to build and automate routine tasks. Because macros can run code and instructions, attackers frequently abuse them. Malicious scripts (harmful macros) stored in MS Excel, Word and similar files can be used to install spyware, encrypt data, and demand a ransom payment.
The Inadequacy of Cyber Security Technology
Widely used antivirus software and sandbox solutions are largely ineffective against new-generation ransomware. The main reason is that new-generation ransomware can constantly change its digital signature, so it cannot be recognised by signature-based and static analysis.
Malware developers and attackers can bypass heuristic and behaviour-based automated analysis with techniques of their own. In some cases we see that these technologies are late in discovering new malware.
An Example of Ransomware
In the following example, we share the analysis of an email received in our inbox:
You may receive an email that appears to be in your interest, from a title or individual you never expected. Such a malicious email may impersonate a familiar or trusted source!
In general, the software known as “Locky Ransomware”, shown in Picture 1, is delivered to the victim by email. When the victim opens the Excel file attached to the email, the macros in the file are activated and the malware begins to operate through them.
In this case, what catches our attention is that the file name claims a corporate identity. As with the earlier invoice-themed ransomware samples, invoice names are deliberately chosen to increase believability.
Picture 2 “To make the file name convincing, it uses templates common in corporate environments.”
When we analyse the macro (ransomware in office files) in Picture 2, it begins by downloading the encrypted payload to the computer from an Internet server.
Picture 3 “Download address of the malicious code fragments”
The Functionality of a Macro
Owing to the functionality of macros, office files in Excel or Word format have become one of the most effective vehicles for abuse in cyber-attacks, which makes ransomware in office files a significant threat. When we examine the macros in the malicious Excel file, we notice that encrypted content is downloaded from the Internet, decrypted and then run.
In this scenario, the malware author did not use code obfuscation. As seen in Picture 2, a portion of this code downloads from nutrahacks.com the malware stage that encrypts your data and then runs it. The attacker writes malicious macro code that downloads the file-encrypting program to the victim's computer, decrypts it and executes it.
Picture 4 “The Locky macro first downloads the piece of code in encrypted form.”
The downloaded malicious content is decoded into DLL format and saved as siluans.dll in the %USERPROFILE%\temp folder. This is a standard method used by ransomware, and with this injection method the encryption process is initiated, as shown in Pictures 4 and 5.
The Malicious Macro Code in the Excel File Passes into Another Phase
In Picture 6 we see that the malicious macro code contained in the Excel file (ransomware in office files) passes into another phase. With the help of the macro, the DLL file required by Locky Ransomware is loaded using Rundll32.exe and its qwerty function is called.
Picture 7 “Rundll32.exe qwerty function”
When we analyse the siluans.dll file, its command-and-control server, used to obtain the encryption keys, and the file I/O activity performed during the encryption process can be seen in Pictures 7, 8 and 9.
Picture 8 “Key access”
Picture 9 “Encrypted files are written back to disk with a unique sequence number and an .odin extension.”
We see that the malware author uses a unique sequence number per file, that is, the per-file charging option, which makes per-file restoration possible.
Picture 10 “A plain-text channel is used for the encryption key”
In Picture 10 we can see that the encryption key is exchanged over a plain-text channel. In other words, the encryption key is not protected by an additional layer of security.
Picture 11 “The standard welcome screen shown after the encryption process.”
In Picture 11 the welcome screen is seen after the encryption process has completed. We have determined how the ransomware acts through the macro in an Excel file, how the piece of code required for encryption is fetched from a server on the Internet, how the Master Key is sent to the server, how the victim is presented with a message once encryption is complete and, as always, how it demands a ransom.
Picture 12 “Our encrypted files can only be recovered through a channel established over the Tor Browser.”
As seen in the content of the message, the attacker lists the ransom payment steps for decryption over the Tor network.
Solutions Against Ransomware in Office Files
In short, following our analysis of ransomware in office files, we offer both individual and institutional solutions for your attention.
Individual Solutions
Keepnet Labs advises you to strengthen your antispam and antivirus protection, since these attacks are mostly carried out via email or similar means.
Use a heuristic logger on your personal computer.
Disable macros in Office files whose source you do not trust.
Do not open attachments from people you do not know!
Treat suspicious invoice- or shipping-themed emails with the same caution.
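Neutralising untrusted macros can also be enforced before the attachment reaches a user. The following is an added example, not code from the original post or a Keepnet Labs tool: it builds a minimal OOXML workbook in memory (constructed sample data) and classifies attachments by whether they carry a VBA project, flagging macro-enabled files and files whose macro-free extension hides one; the verdict names are assumptions.

```python
# Added example (not from the original post): gate an incoming Office
# attachment on whether it carries VBA, the infection vector described above.
# OOXML files (.xlsm/.docm, or .xlsx/.docx renamed to hide macros) are ZIP
# archives whose macro code lives in a vbaProject.bin part; legacy OLE2 files
# (.xls/.doc) start with the D0CF11E0 magic and are sent to manual review here.
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = {"xlsx", "docx", "pptx"}

def build_sample_workbook(with_macro):
    """Construct a minimal OOXML workbook in memory (sample data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            types += b'<Override PartName="/xl/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>'
            z.writestr("xl/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
        z.writestr("[Content_Types].xml", types + b"</Types>")
        z.writestr("xl/workbook.xml", b"<workbook/>")
    return buf.getvalue()

def has_vba_project(data):
    """True if the OOXML package declares or contains a vbaProject.bin part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                return True
            if name == "[Content_Types].xml" and VBA_CONTENT_TYPE in z.read(name):
                return True
    return False

def classify_attachment(filename, data):
    """Return a triage verdict for one attachment (filename + raw bytes)."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole-review"  # .xls/.doc need an OLE parser; route to an analyst
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    if not has_vba_project(data):
        return "clean"
    if ext in MACRO_FREE_EXTENSIONS:
        return "macro-extension-mismatch"  # macros hidden behind a macro-free extension
    return "macro-enabled-block"
```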