Social engineering at its best: ransomware delivery methods

I have already written about ransomware (and here), but in a more generic way than I will now.

An email from me to me, with the subject "Documents from work", is the latest Locky ransomware campaign. Attached is a Word document containing macros. Inside the document (which is actually an archive) is a file called word\vbaProject.bin. That file seems to be the trigger that downloads the ransomware binary.

This is the link to the VirusTotal detection: https://virustotal.com/en/file/28ba8362af69958964bf8d7e23664cddc625e67b55ff5d5e95e9feef74158e96/analysis/1469020147/ At the time of writing this post, 30/53 engines detect it.

My goal here is not to analyze the ransomware, but the delivery. The social engineering has the sole purpose of making the user open and execute the attachment. Some email subjects simply "force" some people to open them without thinking:

FW:Expenses Report # xxxx
payment confirmation
Additional Costs
recent bill
RE: Additional Information Needed #aaaaaa

What you MUST do

The emails and attachments are not harmful just sitting in your inbox or Trash folder. You MUST delete emails which you didn't send and which have these characteristics:
from yourself to yourself
contain attachments (archives, .JS, .DOC, .DOCX, .DOCM, .XLS, .XLSX, etc.)
have a blank body area or few lines…
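
The triage rule the post gives (self-addressed, a risky attachment, a blank or near-empty body) written as a check over raw messages, plus a look inside Office attachments for the word\vbaProject.bin macro container the post names. This is an added example, not code from the original post. The sample messages and the minimal OOXML-style ZIP are constructed here for the demo; the reading of "archives" as .zip/.rar/.7z is an assumption, as is the two-line threshold for "few lines".

```python
"""Mailbox triage for the self-addressed Locky lures described in the post.

Added example, not from the original post.  It reports which of the post's
indicators a raw RFC 5322 message shows and inspects OOXML attachments
(which are ZIP containers) for word/vbaProject.bin.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Extensions the post lists; .zip/.rar/.7z are our reading of "archives".
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".js", ".doc", ".docx", ".docm",
                    ".xls", ".xlsx"}
# OOXML files are ZIP containers; a Word macro project is stored at this path.
OFFICE_ZIP_EXTENSIONS = {".docx", ".docm", ".xlsx"}
MACRO_PART = "word/vbaProject.bin"
MAX_BODY_LINES = 2  # assumed threshold for "a blank body area or few lines"


def attachment_has_macro_part(data: bytes) -> bool:
    """True if the attachment is a ZIP containing word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return MACRO_PART in zf.namelist()
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> list:
    """Return the indicators found in one raw message, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []

    # Indicator 1: the message is addressed from the recipient to themselves.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    to_headers = [str(h) for h in msg.get_all("To", [])]
    recipients = {addr.lower() for _, addr in getaddresses(to_headers)}
    if sender and sender in recipients:
        found.append("self-addressed")

    # Indicator 2: blank body or only a line or two of text.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if len([ln for ln in text.splitlines() if ln.strip()]) <= MAX_BODY_LINES:
        found.append("near-empty-body")

    # Indicator 3: risky attachment type; and, for Office files, a macro project.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            found.append("risky-attachment")
        if ext in OFFICE_ZIP_EXTENSIONS and attachment_has_macro_part(
                part.get_payload(decode=True)):
            found.append("macro-container")
    return found


def build_office_zip(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(MACRO_PART, b"\x00" * 32)  # placeholder, inert bytes
    return buf.getvalue()


def build_lure_sample() -> bytes:
    """Constructed message with the characteristics the post describes."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Documents from work"
    msg.set_content("Sent from my mobile")
    msg.add_attachment(build_office_zip(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Documents from work.docm")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message: different sender, real body, no files."""
    msg = EmailMessage()
    msg["From"] = "bob@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Lunch"
    msg.set_content("Hi Alice,\n\nAre you free for lunch on Thursday?\n\nBob\n")
    return msg.as_bytes()


if __name__ == "__main__":
    print("lure  :", triage(build_lure_sample()))
    print("benign:", triage(build_benign_sample()))
```

The indicators are returned as a list rather than a single verdict so a mail filter can quarantine on the combination (self-addressed plus macro container is a much stronger signal than either alone) while a single risky extension on an otherwise normal message only raises a warning.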

About ransomware, Google malvertising and Fraud

I am sick and tired of seeing so many people affected by this wave of ransomware attacks. I don't want to go into details about ransomware like Locky because a lot has already been written about it. The most common way that Locky arrives is as follows:

You receive an email containing an attached document. The document advises you to enable macros "if the data encoding is incorrect." If you enable macros, you don't actually correct the text encoding (that's a subterfuge); instead, you run code inside the document that saves a file to disk and runs it. The saved file serves as a downloader, which fetches the final malware payload from the crooks. The final payload could be anything, but in this case it is usually the Locky ransomware. Read more details here (NakedSecurity of Sophos).

Now, desperate people who have just had all their documents encrypted by Locky search the web for possible solutions. Remember: Locky scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people's computers, whether they are running Windows, OS X…
