Ransomware Hides in Attachments
Ransomware attacks are getting smarter and smarter as the public becomes aware of them. The latest technique is to hide the malicious macro inside a Word document attached to a seemingly harmless PDF file.
The new ransomware campaign highlighted on the Naked Security blog works as follows:
- You receive a spam email with a PDF attachment (which should already be a red flag), but the PDF appears safe to most antivirus applications.
- The PDF has a document attached that Acrobat Reader tries to open when you open the PDF.
- The document opens in Microsoft Word, and you are prompted to allow editing. This is actually a social engineering attack trying to get you to enable the VBA macro.
- When you say yes to allow editing, the VBA macro runs, then downloads and runs the Locky ransomware.
By hiding the actual attack in a document attached to another, seemingly safe document, attackers can bypass most antivirus filters. SophosLabs compares the approach to a Russian nesting doll: an attack hidden inside a file within a file.
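The nesting described above can be checked for at a mail gateway or during triage. The following is an added example, not code from Naked Security or SophosLabs: it unwraps the streams of a PDF and flags embedded Office files that carry VBA. The function names and the sample input are constructed for illustration, and only stored and Flate-compressed streams are handled.

```python
import io
import re
import zipfile
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
AUTO_KEYS = (b"/OpenAction", b"/JavaScript", b"/Launch")

def macro_marker(payload):
    """Say why an unwrapped payload looks like a macro-capable Office file."""
    if payload.startswith(OLE_MAGIC):
        return "OLE2 container (legacy Office format, may hold VBA)"
    try:
        names = zipfile.ZipFile(io.BytesIO(payload)).namelist()
    except zipfile.BadZipFile:
        return None
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "OOXML file containing vbaProject.bin (VBA macros)"
    return None

def triage_pdf(pdf):
    """Unwrap each PDF stream and report embedded files that carry macros."""
    # PDF names may hide letters as #xx (/Embedded#46ile); decode a copy first.
    names = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m[1], 16)]), pdf)
    report = {"embedded_file": b"/EmbeddedFile" in names,
              "auto_action": [k.decode() for k in AUTO_KEYS if k in names],
              "macro_payloads": []}
    for raw in STREAM_RE.findall(pdf):
        try:
            raw = zlib.decompressobj().decompress(raw)  # FlateDecode streams
        except zlib.error:
            pass  # not zlib data: inspect the bytes as stored
        reason = macro_marker(raw)
        if reason:
            report["macro_payloads"].append(reason)
    report["quarantine"] = report["embedded_file"] and bool(report["macro_payloads"])
    return report

def build_sample():
    """Constructed input: PDF-like bytes wrapping a fake .docm, no real macro."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"placeholder")
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Embedded#46ile /Filter /FlateDecode >>\n"
            b"stream\n" + zlib.compress(buf.getvalue()) + b"\nendstream\nendobj\n"
            b"2 0 obj\n<< /OpenAction 3 0 R >>\nendobj\n%%EOF\n")

if __name__ == "__main__": print(triage_pdf(build_sample()))
```

A scanner that only inspects the outer PDF sees none of this, which is why the check has to look inside each stream rather than stop at the container.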
Fortunately, avoiding such attacks only requires following the same rules you should have been following all along, with one caveat. Beware of email attachments, yes, but also don’t rely entirely on your security software when it tells you that a suspicious file looks safe.
Even if a message seems to come from a friend, take a few extra minutes to make sure it’s really them. Attackers are increasingly disguising themselves as people you trust. And never enable macros in documents you receive by email. Microsoft turns off automatic macros by default, but don’t let social engineering tricks make you turn them back on.