Locky Ransomware Returns

Thirty-year-old Microsoft loophole exploit being used to spread infamous ransomware.

The cybercriminals behind the infamous Locky ransomware attacks of 2016 have returned and have upped their ransomware game.

But this time, the hackers are using a 30-year-old Microsoft legacy ‘feature’ to trick victims into installing Locky. The new approach to encrypting victims’ computers is part of a new campaign to install Locky  by using compromised Microsoft Word files, and was first spotted by the Internet Storm Center.

Locky is back, and may probably be mailing itself to an inbox near you already

A spokesman for the centre said in a statement that the new method used by the cyber criminals was part of a dual phase attack. Firstly, the hackers use the Necurs botnet to create mass phony invoices laden with malicious phishing style links. When users inadvertently click ‘OK’ on the link, the Locky ransomware then installs itself in the background.

The Internet Storm Center said it had access to “several dozen emails that are part of a spam campaign moving the ransomware. The emails contain one of three distinct Word document attachments spreading the malware and opting for the DDE technique rather than macros, which for more than a year have been the preferred means of downloading malware from a remote server.”

Totally legit

Unfortunately for anyone attempting to defend themselves from this new approach by the criminals, the attackers are using a fully functional Microsoft piece of code.

Like macros, DDE or Dynamic Data Exchange is a legitimate Office feature. It allows a user to pull data from one document and inject it into a second, such as a when a sales invoice is opened in Word and then transferred across to Excel.

The phishing messages carrying this attack come from the Necurs botnet, he writes, and as with other DDE attacks the aim is to convince users to OK through the security warnings. A fake invoice is the scammers’ preferred weapon.

“I think attackers are using DDE because it’s different. We’ve been seeing the same macro-based attacks for years now, so perhaps criminals are trying something different just to see if it works any better. In my opinion, DDE is probably a little less effective than using macros,” said Brad Duncan of the Internet Storm Center. “We might see more DDE-based attacks in the coming weeks, but I predict that will taper off in the next few months.”

What is DDE?

DDE dates back to the late 1980s as a feature that allows users to instantly execute links in a document once a victim opens it. Of course, Microsoft offered a better alternative to DDE several years ago, namely Object Linking and Embedding (OLE). Unfortunately for consumers however, Microsoft still continues to support DDE because it is a legacy part of several Office products and is still widely used throughout the world. Microsoft have maintained that the issues with DDE do not technically represent a bug, and as such have no intention or motive to fix it.

The best defence against this latest ransomware campaign is to be vigilant. Don’t open any attachments or links that you don’t recognize, and don’t click on anything that looks dodgy. It’s also always a good idea to have the latest and most up-to-date antivirus and internet security package available to help protect yourself.