Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

New Infection Threat – Word Macros Delivering Ransomware

February 18, 2016

Back in the day, Word macros were used to deliver viruses and Trojans to your computer. As a result, Microsoft Office has macros disabled by default. Security researchers have now discovered a new strain of ransomware called "Locky" that installs by using a malicious macro in a Word document. The document arrives as an attachment to an e-mail message. When the document is opened, the user sees garbled text and a clear message to enable macros in order to read the contents properly. If you allow the macro to execute, the data on your computer gets encrypted and is held hostage until you pay the requested ransom amount.

Perhaps the scariest news about Locky is that it also encrypts data on unmapped network shares. Sources without a drive letter are no longer safe. We now have to worry about data that is accessed via UNC (Universal Naming Convention). This means that data on your server is at risk even if you don't use drive letters (e.g. H:, L:, etc.) and instead use UNC paths (\\server name\share name). Make sure your IT provider is aware of this new risk.

Several lessons here. Don't open any attachments that appear to come from suspicious sources or that you are not expecting. Lesson two: why in the hell are you enabling macros for a document that is fishy to begin with? If your data gets encrypted by Locky, perhaps we should call it two-factor stupidity.
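A mail gateway or help desk can take the macro decision away from the user by flagging Word attachments that carry a VBA project before they are delivered. The following is an added example, not code from the original post: the function names and sample attachments are constructed for illustration, and the legacy .doc check is a byte-pattern heuristic, not a full OLE parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.dot compound file
ZIP_MAGIC = b"PK\x03\x04"                       # OOXML container (.docx/.docm)
# In an OLE file, storage and stream names are stored as UTF-16LE strings.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def needs_quarantine(data: bytes) -> bool:
    """True if the attachment carries a VBA project or cannot be parsed."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Decide on container contents, never on the file extension.
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return True  # malformed container: fail closed
    if data.startswith(OLE_MAGIC):
        # Heuristic: look for the name of the VBA project stream.
        return VBA_STREAM_MARKER in data
    return False


def triage(attachments: dict[str, bytes]) -> list[str]:
    """Return the names of attachments that should be held for review."""
    return sorted(name for name, data in attachments.items() if needs_quarantine(data))


def make_ooxml(parts: list[str]) -> bytes:
    """Build a constructed (not real) OOXML-style zip with the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part in parts:
            zf.writestr(part, b"placeholder")
    return buf.getvalue()


# Constructed sample attachments; none of these is a real document or malware.
SAMPLES = {
    "invoice.docm": make_ooxml(["word/document.xml", "word/vbaProject.bin"]),
    "invoice_copy.doc": make_ooxml(["word/document.xml", "word/vbaProject.bin"]),
    "clean.docx": make_ooxml(["word/document.xml"]),
    "legacy.doc": OLE_MAGIC + b"\x00" * 64 + VBA_STREAM_MARKER,
    "plain.doc": OLE_MAGIC + b"\x00" * 64,
}

if __name__ == "__main__":
    print("quarantine:", triage(SAMPLES))
```

A flagged attachment is not proof of ransomware, only that the file can run macros; the point is that an unexpected macro-bearing document never reaches the inbox for the user to "enable".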

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com