The ransomware risks in office files
Orhan Sari
Ransomware has been a nightmare for individuals and institutions for the last two years, having first appeared in September 2013. It is a dangerous kind of trojan horse in the ransom category. Initially limited to Microsoft Windows operating systems, ransomware has since been implemented for Android devices and Mac computers as well. Moreover, as a new attack vector, we now see ransomware delivered in office files.
Ransomware is mostly delivered through e-mail attachments; once it runs, it encrypts certain file types on the disks reachable over the network. The user is then told that the encrypted files will not be decrypted unless the ransom is paid. In other words, it carries out a cryptovirology attack that damages the files and demands a ransom (payment) to restore them. In some variants, if the ransom is not paid within the given time, the attacker threatens that the encrypted files will never be decrypted or restored.
Ransomware in Office Files
Ransomware is commonly spread through e-mails that contain fake electronic invoices. However, it should be kept in mind that attackers continue to develop new infection methods. In recent weeks we have seen macros in Office files used as a new infection route.
Office files are used by accountants and information workers in the business world to formulate and automate frequently repeated tasks. Because macros make it possible to run code and instructions, attackers typically abuse this capability. Malicious code (harmful macros) stored in MS Excel, Word and similar files can be used to infect a machine with malware that encrypts data and then demands a ransom.
The inadequacy of Cyber Security Technology
The commonly deployed antivirus software and sandbox solutions largely get nowhere against new-generation ransomware. The main reason is that new-generation ransomware can constantly change its digital signature, so it cannot be recognised by signature-based and static analysis.
Malware developers and attackers can circumvent heuristic and behaviour-based automated analysis mechanisms with methods they have developed. In some cases we see that these technologies are late in discovering new malicious software.
An example of Ransomware
In the following example we share the analysis of an e-mail that arrived in our own inbox:
You can receive an e-mail, with a subject you never expected or from an individual you never expected, that you believe concerns you. Such a malicious e-mail may appear (imitate) to come from an acquaintance or a source you expect! We begin our analysis with this e-mail trick, reminding the reader that it is possible to send an e-mail on someone else's behalf.
Picture – 1 “An e-mail sample of attached malicious Excel file”
An example of a Malicious Software Analysis
In general, the malware known as “Locky Ransomware”, as can be seen in Picture – 0, is sent to the victim by e-mail. When the victim downloads the Excel file from the e-mail and opens it, the macros in the Excel file become active and the malware begins its work through them.
In this example, it draws our attention that, to make the file name convincing, a corporate name is used in the file name. As in the previous ransomware invoice virus examples we have seen, the invoice names are carefully selected to enhance credibility.
Picture – 2 “To make the file name convincing, it uses templates seen in corporate environments.”
When we analyze the macro (ransomware in office files) in Picture – 2, we see that it first starts by downloading the encrypted payload to the computer from an Internet server.
Picture – 3 “Download address of the malicious code fragments”
Functionality of Macro
Owing to the functionality of macros, Office files in Excel or Word format had already become one of the most effective vehicles of abuse in cyber-attacks, so ransomware in office files is one of the significant threats. When we examine ransomware in office files (macros in malicious Excel files), it attracts our attention that the encrypted content is downloaded from the Internet, decrypted and then run.
The malware developer did not use code obfuscation in this case. As you can see in Picture – 2, part of this code downloads the malware stage that encrypts your data from nutrahacks.com and then runs it. The author writes the malicious macro code, downloads a piece of code that encrypts the files on the victim's computer, decrypts it and then runs it.
Picture – 4 “The Locky macro first downloads the piece of code in encrypted form.”
The downloaded malicious content is decoded into DLL format and saved as siluans.dll in the %USERPROFILE%\temp folder. We see that this is a standard method used by ransomware, and with this injection method the encryption process is initiated, as shown in Pictures 4 and 5.
Picture – 5 “Injection method”
Picture – 6 “DLL Injection Method”
Malicious Macro Code in Excel file Passes into another Phase
We see in Picture – 6 that the malicious macro code contained in the Excel file (ransomware in office files) passes into another phase. With the macro's help, the DLL file required by Locky Ransomware is loaded using Rundll32.exe and its qwerty function is called.
Picture – 7 “Rundll32.exe qwerty function”
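As an added example, not part of the original analysis, the following Python detection logic looks for the behaviour just described (an Office host starting Rundll32.exe on a DLL dropped in a user-writable location such as %USERPROFILE%\temp) in Sysmon-style process-creation events; the event field names and all sample values are assumptions constructed for the demonstration.

```python
# Added example (not from the article): flag the chain described above, an Office host
# running rundll32.exe on a DLL dropped in a user-writable folder such as %USERPROFILE%\temp,
# in Sysmon-style process-creation events. All field names and sample values are constructed.
import json, re

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Locations a non-admin user can write to; a DLL rundll32 loads from here is suspicious.
USER_WRITABLE = re.compile(r"^(?:%userprofile%|%temp%|%appdata%|%localappdata%"
                           r"|c:\\users\\[^\\]+|c:\\programdata)\\", re.I)
basename = lambda path: path.rsplit("\\", 1)[-1].lower()

def parse_rundll32(cmdline):
    """Return (dll, export) from a rundll32 command line, or None. rundll32 takes
    '<dll>,<export>' and also tolerates a space instead of the comma."""
    m = re.match(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                  # quoted DLL path, may contain spaces
        dll, _, tail = rest[1:].partition('"')
    else:                                     # first comma or space ends the DLL name
        dll, _, tail = re.sub(r"[,\s]", " ", rest, count=1).partition(" ")
    export = tail.lstrip(", ").split()
    return dll, (export[0] if export else "")

def classify(event):
    """Return a finding for a rundll32.exe process-creation event, else None."""
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if basename(event.get("Image", "")) != "rundll32.exe" or not parsed:
        return None
    dll, export = parsed
    parent = basename(event.get("ParentImage", ""))
    reasons = []
    if parent in OFFICE_HOSTS:
        reasons.append(f"rundll32 spawned by Office host {parent}")
    if USER_WRITABLE.match(dll):
        reasons.append(f"DLL loaded from user-writable path {dll}")
    severity = {2: "high", 1: "medium"}.get(len(reasons), "low")
    return {"pid": event.get("ProcessId"), "severity": severity, "export": export, "reasons": reasons}

def scan(events_jsonl):
    findings = (classify(json.loads(ln)) for ln in events_jsonl.splitlines() if ln.strip())
    return [f for f in findings if f and f["severity"] != "low"]
# Constructed events: a benign Control Panel launch, the Locky-style chain, a non-Office drop.
SAMPLE_EVENTS = r"""
{"ProcessId": 4101, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL"}
{"ProcessId": 4102, "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe \"C:\\Users\\alice\\temp\\siluans.dll\",qwerty"}
{"ProcessId": 4103, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32 %USERPROFILE%\\AppData\\Local\\Temp\\upd.dll,Start"}
"""
```

Running scan(SAMPLE_EVENTS) reports the Excel-spawned siluans.dll,qwerty launch as high and the cmd.exe-spawned temp-folder DLL as medium, while the explorer.exe Control Panel launch is ignored.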
When we analyze the Siluans.dll file, its command-and-control communication for obtaining the encryption keys and the file I/O activity performed during the encryption process can be seen in the following pictures, as well as in Pictures 7, 8 and 9.
Picture – 8 “Key access”
Picture – 9 “Encrypted files are written back to disk with a unique sequence number and the odin extension”
We see that the malware author uses the unique sequence number, that is to say a per-file charging option, to improve the restoration functions.
Picture – 10 “A plain-text channel is preferred for the encryption key”