KnowBe4 Warns about New Ransomware Hidden in Word Docs


New “Locky” ransomware is loaded with professional grade malware.

KnowBe4 warns of email that looks anything like this


KnowBe4 Inc, the industry-leading security awareness training and integrated phishing platform, issued a warning to its customers today of a vicious new strain of ransomware disguised within Word documents. This new ransomware strain, somewhat amateurishly called "Locky", is professional grade malware and starts out with an email and a Microsoft Word attachment containing malicious macros, making it hard to filter out. Few antivirus products are catching it. Social engineering is used twice: first to trick users into opening the attachment, and again to get them to enable the macros in the Word file. When the Word document is opened, its content appears scrambled and the document displays a message stating that you should enable the macros if the text is unreadable.

According to KnowBe4’s CEO Stu Sjouwerman, “Once a victim enables the macros, they download an executable from a remote server in the %Temp% folder and execute it. This executable is the Locky ransomware that when started will begin to encrypt the files on your computer and network.”

The email message will contain a subject similar to "ATTN: Invoice J-98223146" and a message such as "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice". This new strain was first reported in the UK by Kevin Beaumont, and Larry Abrams at BleepingComputer did a more in-depth analysis.

According to Abrams, "It targets a large amount of file extensions and even more importantly, encrypts data on unmapped network shares. Encrypting data on unmapped network shares is trivial to code and the fact that we saw the recent DMA Locker with this feature and now in Locky, it is safe to say that it is going to become the norm. Like CryptoWall, Locky also completely changes the filenames for encrypted files to make it more difficult to restore the right data."

Sjouwerman noted, “The old Office macros from the nineties have not gone away and the bad guys are combining this old technology with clever social engineering. If you trust antivirus software and your users not clicking ‘Enable macros’ you are going to have a problem. You can’t just disable all macros across the whole company because a lot of legacy code relies on macros. Telling all users to sign their macros will also take months.”

KnowBe4 advises the following steps be taken:

“1. Go hunt for this Group Policy Setting in the Trust Center, and set it to “Disable all except digitally signed macros”.

2. Now check out Trusted Locations: User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations

3. Set your shared folder location URL in here, e.g. \\blah.local\public\office (More detail can be found at Microsoft Technet.)

4. Now instruct your users to make sure all macros are used from shared folders. Macros should work as before on their regular documents. If Mr. Bad Guy emails Joe in Accounts Payable a Bad File, the macro won’t run.”
The user won’t see a prompt to enable the macro, nor can they enable it from the Office options.
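The four steps above, expressed as the registry values that the Office Group Policy templates write, as an added example that is not KnowBe4's own script. It assumes Office 2016/Microsoft 365 (policy key version "16.0"), the Word application only, and uses the article's \\blah.local\public\office path as a placeholder; check the value names against the ADMX templates for your Office version before deploying.

```powershell
# Added example: apply "Disable all except digitally signed macros" plus a
# trusted network share for Word via the policy registry hive.
# Assumptions: Office version key 16.0, Word only, placeholder share path.

$officeVersion = '16.0'                         # assumption: Office 2016 / Microsoft 365
$app           = 'Word'
$trustedShare  = '\\blah.local\public\office'   # placeholder from the article; replace
$base          = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"

# Step 1: VBAWarnings = 3 is "Disable all except digitally signed macros"
# (1 = enable all, 2 = disable with notification, 4 = disable without notification)
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name 'VBAWarnings' -Value 3 -Type DWord

# Steps 2 and 3: allow network trusted locations and register the share as Location1.
# Macros opened from a trusted location run without the enable-macros prompt.
$tl = Join-Path $base 'Trusted Locations'
New-Item -Path $tl -Force | Out-Null
Set-ItemProperty -Path $tl -Name 'AllowNetworkLocations' -Value 1 -Type DWord

$loc = Join-Path $tl 'Location1'
New-Item -Path $loc -Force | Out-Null
Set-ItemProperty -Path $loc -Name 'Path'            -Value $trustedShare -Type String
Set-ItemProperty -Path $loc -Name 'AllowSubfolders' -Value 1 -Type DWord
Set-ItemProperty -Path $loc -Name 'Description'     -Value 'Approved macro share' -Type String

# Step 4 is a user instruction; read the effective settings back so the
# change can be audited (e.g. from a compliance script).
function Get-WordMacroPolicy {
    [pscustomobject]@{
        VBAWarnings           = (Get-ItemProperty -Path $base).VBAWarnings
        AllowNetworkLocations = (Get-ItemProperty -Path $tl).AllowNetworkLocations
        TrustedPath           = (Get-ItemProperty -Path $loc).Path
    }
}
Get-WordMacroPolicy
```

Because these live under HKCU\Software\Policies, Office treats them as enforced policy rather than user-changeable Trust Center options, which is what keeps the user from re-enabling macros themselves.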
Sjouwerman added “Technically speaking, your users are the new DMZ, and you need to create a human firewall. Effective security awareness training is a must these days.”

For more information visit: http://www.knowbe4.com

About KnowBe4
KnowBe4 is the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, KnowBe4 was created by two of the best known names in cybersecurity, Kevin Mitnick (the World’s Most Famous Hacker), and Inc. 500 alum serial security entrepreneur Stu Sjouwerman, to help organizations manage the problem of social engineering tactics through new school security awareness training. More than 3,000 organizations use KnowBe4’s platform to keep employees on their toes with security top of mind. KnowBe4 is used across all industries, including highly regulated fields such as finance, healthcare, energy, government and insurance.

Contact Author: Michael Becce