Ransomware Hides in Attachments

Ransomware attacks keep getting smarter as the public becomes more aware of them. The latest technique is to hide a malicious macro inside a Word document that is attached to a seemingly harmless PDF file.

The new ransomware campaign highlighted on the Naked Security blog works as follows:

  1. You receive a spam email with a PDF attachment (which should already be a red flag), but the PDF looks safe to most antivirus applications.
  2. The PDF has a document attached to it, which Acrobat Reader tries to open when you open the PDF.
  3. The document opens in Microsoft Word, and you are prompted to allow editing. This is actually a social engineering attack that tries to get you to enable the VBA macro.
  4. When you agree to allow editing, the VBA macro runs, then downloads and runs the Locky ransomware.

By hiding the actual attack in a document attached to another, seemingly safe document, attackers can bypass most antivirus filters. SophosLabs compares the approach to a Russian nesting doll: an attack hidden inside a file within a file.
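For a mail gateway or triage script, the nesting itself is a usable signal even when the outer PDF scans clean. The following is an added example, not code from the article or from SophosLabs: it flags a PDF that carries both an attachment and something that runs on open. The page does not say which PDF mechanism this campaign uses, so the key lists, function names and sample bytes are this example's own assumptions.

```python
import re

# Name keys tied to the delivery chain above: an attached file plus an
# action that runs when the PDF is opened. Key choice is this example's own.
ATTACHMENT_KEYS = ("EmbeddedFile", "EmbeddedFiles", "Filespec")
AUTORUN_KEYS = ("OpenAction", "AA", "JavaScript", "JS", "Launch")

_NAME = re.compile(rb"/([A-Za-z0-9#]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def pdf_names(data: bytes) -> set:
    """Collect PDF name tokens, decoding #xx escapes such as /Open#41ction."""
    names = set()
    for match in _NAME.finditer(data):
        raw = _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(1))
        names.add(raw.decode("latin-1"))
    return names


def triage(data: bytes) -> dict:
    """Flag PDFs that carry an attachment AND something that runs on open."""
    if b"%PDF-" not in data[:1024]:
        return {"is_pdf": False, "attachment": [], "autorun": [], "quarantine": False}
    names = pdf_names(data)
    attachment = [k for k in ATTACHMENT_KEYS if k in names]
    autorun = [k for k in AUTORUN_KEYS if k in names]
    # Limitation: keys inside compressed object streams are not visible to a
    # raw byte scan; inflate streams first for fuller coverage.
    return {"is_pdf": True, "attachment": attachment, "autorun": autorun,
            "quarantine": bool(attachment and autorun)}


# Constructed samples (not real documents): a catalog with an attachment tree
# and an escaped open action, and a plain catalog with neither.
SAMPLE_NESTED = (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog "
                 b"/Names << /EmbeddedFiles 2 0 R >> /Open#41ction 5 0 R >>\nendobj\n"
                 b"5 0 obj\n<< /S /JavaScript /JS (placeholder) >>\nendobj\n%%EOF\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("nested", SAMPLE_NESTED), ("plain", SAMPLE_PLAIN)):
        print(label, triage(blob))
```

A hit means the file should be held for closer inspection, not that it is malicious: legitimate PDF portfolios and forms also carry attachments and open actions.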

Fortunately, to avoid such attacks you just need to follow the same rules you should have been following all along, with one caveat. Beware of email attachments, yes, but also don’t rely entirely on your security software when it tells you that a suspicious file looks safe.

Even if a message seems to come from a friend, take a few extra minutes to make sure it’s really them. Attackers are increasingly disguising themselves as people you trust. And never enable macros in documents you receive by email. Microsoft turns off automatic macros by default, but don’t let social engineering tricks make you turn them back on.
