SophosLabs and our SurfRight colleagues just alerted us to an intriguing new ransomware sample dubbed RAA.
This one is blocked by Sophos as JS/Ransom-DDL, and even though it’s not widespread, it’s an interesting development in the ransomware scene.
Ransomware, like any sort of malware, can get into your organisation in many different ways: buried inside email attachments, via poisoned websites, through exploit kits, on infected USB devices and occasionally even as part of a self-spreading network worm.
But email attachments seem to work best for the cybercrooks, with fake invoices and made-up court cases amongst the topics used by the criminals to make you think you’d better open the attachment, just in case.
In 2015, most ransomware arrived in Word documents containing what are known as macros: script programs that can be embedded in documents to adapt their content in real time, usually as part of your company’s workflow.
The problem with macros, however, is that they aren’t limited to adapting and modifying just the document that contains them.
Macros can be full-blown programs as powerful as any standalone application, and they can not only read and write files on your C: drive and your local network, but also download and run other files from the internet.
In other words, once you authorise a macro to run, you effectively authorise it to install and launch any other software it likes, including malware, without popping up any further warnings or download dialogs.
You can see why cybercrooks love macros!
Fortunately, macros are turned off by default, so the crooks have to convince you to turn them back on after you open their malicious documents.
Excuses they’ve used include needing to enable macros “for security reasons” (they mean forinsecurity, of course), and to change character sets to make documents legible, like this sample that delivered the Locky ransomware