Ransomware disguised as word documents. Why we need to train users to pay careful attention.
An updated version of an old ransomware distribution malware called Amadey Bot is making the rounds, this time distributing a new version of ransomware – LockBit 3.0. The new LockBit variant has been updated to be more adept at hiding from anti-malware software.
The phishing attack is targeting companies and using phishing cleverly, disguising the ransomware in Word documents that are commonly exchanged and opened. The delivery can be a Visual Basic macro (VBA) or an executable file using a routine title such as resume.exe
In the first case, the user must take an action to let the macro run. This picture, courtesy of Ahn Labs, shows what the unsuspecting user sees.
The second distribution method is a little less obvious, but does require the target to open a file that displays a Word icon but has the name resume.exe. The “exe” suffix should be a dead giveaway, but to those receiving a large number of resumes, it’s possible that one of these could easily slip by tired eyes.
While we should train our employees to avoid documents from unknown sources, legal notices and resumes are both items that usually come from an unknown or at least unfamiliar source. Closer inspection of all incoming documents and understanding not to authorize any action from an incoming message must be consistently reinforced.
Not paying and paying a big price
Australia’s Medibank made the news this week when the company refused to pay a ransom, even though the data of 9.7 million customers was at risk.
The attackers began to leak personal information on the dark web in a forum that has been linked to ransomware gang REvil.
Names, addresses, phone numbers, email addresses, passport numbers of international students, and health claims are included in the data stolen from Medibank’s systems
The company still refused to pay, even though a company statement noted, “We expect the criminal to continue to release files on the dark web.”
Australian Prime Minister Anthony Albanese made a statement that the Australian government was working actively with investigators on what is part of a string of attacks that have focused on Australian corporations. Albanese noted that he was a Medibank customer as well, but it has not been confirmed if his data was compromised.
The company has paid a stiff price for the breach, with its shares dropping 21 per cent after the attack.
Devilish ransomware with no reason
A new and vicious ransomware attack has been circulating over the past weeks. The Azov ransomware is a “wiper” that destroys data, and in keeping with the satanic theme, it destroys 666 bytes at a time.
Unlike many other ransomware attacks, which try to elicit a payment to unlock data or prevent the release of stolen data, there is no request for a payment, nor is there any way provided to restore the destroyed data. The attack seems to be purely malicious, although there is some mention of “ignoring Crimea” as a motive.
There is also a curious twist to the ransom note shown in a recent Bleeping Computer article. The note specifically mentions journalist Lawrence Abrams as the person to contact regarding the restoration of data. Abrams is most certainly not involved in the ransomware distribution, as he is journalist who posts regularly on ransomware and other security topics.
Both Abrams and the person named as author of the ransom note, security researcher Hasherezade, have denied any involvement with the malware.
To whomever it concerns: I am NOT in any ways affiliated with Azov (or any other #ransomware). It’s a common practice among cyber criminals to try to frame security researchers. pic.twitter.com/zvlwWvroaD
— hasherezade (@hasherezade) October 30, 2022