New Ransomware Infects by Using MS Word Macros

By Joe Casad

Murky malware starts a PowerShell session to deliver malicious code and lock up data

Researchers at Carbon Black have discovered a new form of ransomware that uses Microsoft Word macros to infect the target system. The PowerWare attack starts when a macro-enabled Word doc arrives, either through email or some other delivery method. When the victim opens the file, the macros open a PowerShell session, which downloads and executes the malicious code.

According to the blog post at the Carbon Black website, “Traditional ransomware variants typically install new malicious files on the system, which, in some instances, can be easier to detect. PowerWare asks PowerShell, a core utility of current Windows systems, to do the dirty work. By leveraging PowerShell, this ransomware attempts to avoid writing new files to disk and tries to blend in with more legitimate computer activity.”

The attack locks up the user's files and asks for a $500 ransom. If the ransom is left unpaid for two weeks, it doubles to $1000.

To avoid the attack, don't click on strange Word files, and be sure to disable default execution of Word macros. Initial implementations of the PowerWare attack are not as sophisticated as some ransomware variants. The blog post at Carbon Black says the attack “phones home with a plain-text protocol,” which means, if you have a packet capture tool, you can capture the domain and IP address of the attacker, then obtain the encryption key.

03/30/2016