87% of Ransomware Uses Malicious Macros to Infect Devices

Microsoft recently rolled out a new security feature that would block macros by default. There was a hiccup in that process, as Microsoft had to do a temporary U-turn, in response to negative feedback from users. Microsoft has now taken the feedback on board and has improved usability, and the new security feature has now been rolled out again.

An investigation by the cybersecurity firm Venafi and the criminal intelligence provider, Forensic Pathways, has confirmed why this is such an important feature for protecting against malware and ransomware attacks.

87% of Ransomware Found on the Dark Web Uses Macros to Infect Devices

The study was conducted between November 2021 and March 2022 and involved an analysis of 35 million dark web URLs using Forensic Pathways’ Dark Search engine. Those URLs included dark web marketplaces and hacking forums, where malware, ransomware, source code, and data are traded and sold.

The research uncovered 475 dark web pages where ransomware products and services were sold, including postings by some of the leading ransomware-as-a-service operations such as Egregor, BlackCat, Babuk, Darkside, HiddenTear, and WannaCry. In total, 30 different ransomware brands were identified within forums and marketplaces, and 87% of the identified ransomware had been delivered using malicious macros in Office files.

Macros are incredibly useful, as they allow repetitive tasks to be automated, especially in spreadsheets. While they are used extensively by businesses, they are also abused by cyber threat actors. Macros can be added to Office documents that will automatically run malicious code when the documents are opened if the macros are allowed to run. A variety of social engineering techniques are used to convince victims to enable macros.

Due to the high risk of macros being used to run malicious code that can be delivered via email, Microsoft said it would be automatically blocking macros by default in Office files delivered via the Internet. The decision was welcomed by the security community, but Microsoft was forced to roll back the change due to negative feedback by users, as in practice the security measure was found to cause problems for legitimate users of macros.

“Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft’s decision to roll back the disabling of macros should scare the pants off everyone,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi.

The rollback was only temporary to allow changes to be made to improve usability for non-malicious macro users, with Microsoft rolling out the updated security feature in late July. “While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector,” said Bocek.

Another security measure that should be considered by businesses is to use code signing certificates to authenticate macros. “Using code signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in their tracks,” said Bocek. “This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, healthcare, and energy where macros and Office documents are used every day to power decision making.”
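The two points above, that macros ride inside Office files and that an "unsigned macros cannot execute" policy is the defensive goal, can be turned into a simple triage check on the file itself. The following is an added example, not code from the article or from Venafi or Forensic Pathways: it builds a constructed, minimal Office Open XML package in memory and reports whether the package carries a VBA project (the `vbaProject.bin` part) and whether a signature part is present. The `vbaProjectSignature*.bin` part name is an assumption about how signed VBA projects are packaged, and presence of that part is only a hint; the example does not cryptographically verify the signature, which the Office trust settings would still have to do.

```python
"""Triage an Office Open XML package for embedded VBA macros.

Added example (not from the article): a mail-gateway or sandbox style
pre-check that mirrors the article's policy of "unsigned macros cannot
execute". It inspects the ZIP container only; nothing is executed.
"""
import io
import zipfile

# Real OOXML content types for a Word document and a VBA project part.
_MAIN_CT_DOCM = "application/vnd.ms-word.document.macroEnabled.main+xml"
_MAIN_CT_DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_VBA_CT = "application/vnd.ms-office.vbaProject"

# Assumption: a signed VBA project is stored beside vbaProject.bin in a
# part whose name starts with "vbaProjectSignature".
_SIGNATURE_STEM = "vbaprojectsignature"


def build_sample(with_vba: bool, with_signature_part: bool = False) -> bytes:
    """Build a constructed, minimal OOXML package in memory (demo input only)."""
    main_ct = _MAIN_CT_DOCM if with_vba else _MAIN_CT_DOCX
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    parts = {"word/document.xml": b"<w:document/>"}
    if with_vba:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{_VBA_CT}"/>')
        # Constructed stand-in for a VBA project (OLE magic plus filler).
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0CONSTRUCTED-VBA-PROJECT"
        if with_signature_part:
            parts["word/vbaProjectSignature.bin"] = b"CONSTRUCTED-SIGNATURE-BLOB"
    parts["[Content_Types].xml"] = ("<Types>" + "".join(overrides) + "</Types>").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Return a verdict dict describing the macro content of an OOXML package."""
    result = {"ooxml": False, "has_vba": False, "signature_part": False,
              "macro_enabled_type": False, "verdict": "not-ooxml"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        lowered = [n.lower() for n in names]
        content_types = ""
        for original, low in zip(names, lowered):
            if low == "[content_types].xml":
                content_types = zf.read(original).decode("utf-8", "replace").lower()
    result["ooxml"] = True
    result["has_vba"] = any(n.endswith("vbaproject.bin") for n in lowered)
    result["signature_part"] = any(_SIGNATURE_STEM in n for n in lowered)
    result["macro_enabled_type"] = "macroenabled" in content_types
    if not result["has_vba"]:
        result["verdict"] = "no-vba"
    elif result["signature_part"]:
        # Signature part present: hand off to signature verification before trusting.
        result["verdict"] = "verify-signature"
    else:
        # Unsigned VBA: the policy the article recommends blocks this outright.
        result["verdict"] = "block-unsigned-macros"
    return result


if __name__ == "__main__":
    for label, sample in (("unsigned macros", build_sample(True)),
                          ("signed macros", build_sample(True, True)),
                          ("plain document", build_sample(False))):
        print(f"{label}: {triage_ooxml(sample)['verdict']}")
```

The check deliberately stops at the container level: it answers "is there a VBA project, and does it claim to be signed?" so that unsigned macro-bearing attachments can be quarantined before a user is ever asked to enable content. Whether a present signature is valid and chains to a trusted code signing certificate is a separate step, which is the part of the policy the quoted recommendation relies on.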

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news