And Just When You Thought Locky Ransomware Had Disappeared...



Locky ransomware reappeared with a vengeance Friday. This time it does not rely on Office documents combined with social engineering to get the user to enable macros; instead it arrives as a PDF with a Word file hidden inside, which executes a macro script when the user opens it. This scenario allows the phishing email to bypass sandboxes.

Our friends at Malwarebytes blogged that the criminal hacker group controlling the Necurs botnet just opened the spam floodgates again and is pumping out fake documents that deliver the nasty Locky ransomware. Here is a screenshot they showed on their blog:

[Image: New Locky Ransomware Email]

PDF to Word Macro

The ransomware is dropped following a distribution method we have been seeing more of recently with Dridex, which involves embedding a Word document within a PDF file.

[Image: Locky Ransomware Malicious PDF]

When the user clicks the OK button, the rogue Word document is displayed:

[Image: Locky Ransomware Malicious Embedded Word Doc]
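
The PDF-wrapping-a-Word-document delivery described above can be flagged statically at a mail gateway or during attachment triage. The following Python is an added example, not code from Malwarebytes or from this blog; it assumes the attachment is available as raw bytes, and `triage_pdf`, `build_sample` and the result keys are hypothetical names.

```python
import io
import re
import zipfile
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) container
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")  # /Embedded#46ile == /EmbeddedFile


def inflate(raw: bytes) -> bytes:
    """Best-effort FlateDecode; return the raw bytes if they are not zlib data."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def triage_pdf(data: bytes) -> dict:
    """Report whether a PDF attachment carries an embedded Office document."""
    # Undo #xx escapes in PDF names before searching for the keyword.
    names = NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    payloads = []
    for match in STREAM_RE.finditer(data):
        body = inflate(match.group(1))
        if body.startswith(OLE_MAGIC):
            payloads.append("ole-document")
        elif body.startswith(ZIP_MAGIC) and b"word/" in body:
            macro = b"vbaProject.bin" in body  # part that stores VBA macros
            payloads.append("ooxml-with-macros" if macro else "ooxml-document")
    return {
        "embedded_file": b"/EmbeddedFile" in names,
        "payloads": payloads,
        "quarantine": bool(payloads),
    }


def build_sample(with_doc: bool) -> bytes:
    """Constructed test input: a skeletal PDF, optionally with a fake .docm inside."""
    if not with_doc:
        return b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # inert placeholder, not a real macro
        zf.writestr(zipfile.ZipInfo("word/vbaProject.bin"), b"placeholder")
    blob = zlib.compress(buf.getvalue())
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Embedded#46ile /Filter /FlateDecode >>\n"
            b"stream\n" + blob + b"\nendstream\nendobj\n%%EOF\n")
```

The regex stream scan is a heuristic: encrypted PDFs, or streams using filters other than FlateDecode, need a full PDF parser before the magic-byte check can see the payload.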

Protection

The attack relies on users opening up malicious attachments that will appear legitimate. Many studies have shown that users are often the weakest link in an attack chain and criminals know that too well.

Malwarebytes protects against this attack at various layers including macro and ransomware mitigation, and neither of those required any signature update.

And obviously, trained end-users can spot the red flags related to this and would never open the PDF to begin with, let alone then open the Word file hidden within. You need defense-in-depth, meaning layered defenses, and it's urgent to create your human firewall by stepping your users through new-school security awareness training and frequently testing them with simulated phishing emails.

I strongly suggest you get a quote for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote and you will be pleasantly surprised.

Get A Quote

Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/kmsat_get_a_quote_now

 


Topics: Phishing, Ransomware


