​Locky ransomware spreads with macro-enabled .docm Word docs

Caption: Don't open attachments with subject headers like these

Credit: FireEye

Caption: Don't open attachments with subject headers like these

Credit: FireEye

The operators of the Locky file-encrypting ransomware have switched tactics for a new wave of nasty spam in August.

Three months ago computers were hit by a barrage of email spam bearing malicious JavaScript attachments. The malicious attachments were usually hidden within .zip archive files that once opened unloaded Locky ransomware on victims.

Prior to using JavaScript to download and execute Locky, the ransomware network used a malicious macro in a .doc Word document to land an infection. Typically the recipient of the email had to be tricked into enabling macros in Word or .doc file extension. Once macros were enabled, the malicious macro would download an executable file, namely Locky, and start to encrypt files.

Bleeping Computer reported at the time that Locky-loaded spam usually contained bogus invoice attachments that if opened would display gibberish below instructions to “enable macro if the data encoding is incorrect”.

The latest Locky tactic is the use of DOCM format attachments, according to researchers at FireEye. The .docm extension refers to a Macro-enabled Word document, which Microsoft introduced alongside the more familiar .docx extension in Office 2007.

According to FireEye, at the beginning of August Locky’s operators dropped their JavaScript downloads and dialled up three “massive” waves of spam on the 9th, 11th, and 15th of August using malicious .docm attachments.

The spam was directed at recipients across the world, but by far the most affected nation was the US, which accounted for half of the malicious attachments detected by FireEye. It was followed by several Asia Pacific nations, including Japan, Korea, Thailand, Singapore, Hong Kong, and Malaysia. Australia was 12th on FireEye’s list of affect nations.

Industry-wise, FireEye says healthcare was the heaviest hit by the three waves of spam containing Locky ransomware.

Spam dated August 9 includes a “Documents Requested” subject field with an attachment titled “Untitled(354).docm". A second sample from August 11 had the subject header “New Doc 41-62” with an attachment “New Doc 41-62.docm”. A third on 15 August was titled “Emailing - 1050742880188” with the attachment’s title containing only the number, and a message that “Vicky has asked me to forward you the finance documents (Please see attached)”.

Several other security firms have in the past two months reported spam with similar characteristics leading to Locky ransomware.

TrendMicro found .docm attachments in a spam campaign from 2014 that was used to spread the banking malware Zbot or Zeus. Recipients had to enable macros to become infected. TrendMicro noted that .DOCM files were an uncommon infection vector since it was still a relatively new format.

Join the CSO newsletter!

Error: Please check your email address.

Tags malicious macrosencrypted filesLocky ransomwareZbotmacro-enabledjavascriptransomwarecyber securityemailMacrosTrendMircroZeus botnet

More about FireEyeMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place