Crypto ransomware has become a true scourge of the contemporary web. Encrypted personal files and nagging demands to pay a ransom for recovery can become quite a nightmare for those infected. Fortunately, there have been a number of breakthroughs allowing attacked individual users and organizations to decrypt data locked by some strains of this malware. Such happy endings are rare, though. Ransomware is evolving, and the newer samples step away from the well-trodden path, both in their distribution techniques and in their modus operandi inside contaminated machines. As far as circulation of the harmful code goes, a tactic involving .docm files is on a particularly notable rise at this point.
What’s the idea behind this type of ransomware serving? It’s based on the use of booby-trapped Microsoft Office documents. In particular, the malefactors have come to exploit VBA (Visual Basic for Applications) macros, which pose a known security threat when handled carelessly. The methodology that’s trending in this regard relies on macro-laden Microsoft Word files. An example is the Locky ransomware, one of the most widespread crypto trojans, which has held the files of thousands of users for ransom over the past couple of months. Just like the highly dangerous banking malware called Dridex, said infection is promoted through deceptive spam emails, allegedly invoices, which carry a Word document as an attachment.
The attack flow presupposes that the victim manually enables macros in the aforementioned file. Macros are disabled by default, but the text inside the rogue invoice is unreadable, and the document prompts the recipient to enable macros in order to view it. A gullible user who gets interested in the contents is hence likely to do what’s prompted, thus unknowingly authorizing remote code execution by the adversary. There have been some deviations from this exact technique lately, while the main idea remains basically the same. The change has to do with the way the potentially unsafe .docm objects are delivered to Windows PCs and the way the ransomware loader infiltrates them.
Along with the email-based method, the serving of contagious .docm files may also take place via compromised websites. For this attack to be carried out on a large scale, the perpetrators compromise popular online resources, oftentimes managing to keep the compromise undetected by webmasters. The criminals furtively inject a script into the targeted web pages, which spawns randomly named PHP files in the site’s code. This activity is intended to reroute visitors to a landing page that automatically starts downloading an infectious .docm file to the victim’s computer. The ransomware operators then take advantage of a known macro vulnerability to run arbitrary commands remotely. Using hacked web pages to host harmful .docm files is more beneficial to the threat actors than phishing hoaxes, because it isn’t as likely to raise red flags on the email filtering side.
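Whether the .docm file arrives as a mail attachment or as a drive-by download, the defender's first check is the same: look inside the Office Open XML container for a VBA project rather than trusting the file extension. The following is an added example, not code from the original article; it builds a constructed minimal container (hypothetical helper `build_sample_docm`) and triages it with a hypothetical `triage_office_file` function that inspects the ZIP for `word/vbaProject.bin` and for the macro-enabled content type.

```python
import io
import zipfile

# Content types that Word uses for a macro-enabled document and its VBA project part.
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style ZIP, not a real Word file."""
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    )
    if with_macro:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"placeholder")  # OLE magic, constructed
    return buf.getvalue()


def triage_office_file(data: bytes) -> dict:
    """Classify raw file bytes; the extension is ignored because Word sniffs content."""
    findings = {"is_ooxml": False, "macro_part": False, "macro_content_type": False,
                "verdict": "clean"}
    if not data.startswith(b"PK\x03\x04"):
        return findings  # not a ZIP container (legacy .doc or unrelated data)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            findings["is_ooxml"] = "[Content_Types].xml" in names
            findings["macro_part"] = any(n.lower() == VBA_PART.lower() for n in names)
            if findings["is_ooxml"]:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                findings["macro_content_type"] = "macroEnabled" in ct or "vbaProject" in ct
    except zipfile.BadZipFile:
        return findings
    if findings["macro_part"] or findings["macro_content_type"]:
        findings["verdict"] = "macro-enabled: quarantine for analyst review"
    return findings


if __name__ == "__main__":
    print(triage_office_file(build_sample_docm(True)))
    print(triage_office_file(build_sample_docm(False)))
```

A real gateway would go on to extract and inspect the VBA source, but this check alone already catches the renamed-extension trick because it never consults the file name.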
An upshot of such an incursion is the deployment of crypto virus code like Locky or similar. The ransom trojan scans the machine and the network for potentially sensitive files, encrypts them and tells the victim to pay up, otherwise the data will stay unrecoverable. If confronted with a sample like that, users should try all alternative recovery routines before agreeing to submit the ransom.
Automatic removal with a security suite is an exceptionally efficient method for taking care of malware overall and ransomware threats in particular. The use of a reputable security suite ensures scrupulous detection of all virus components and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things; still, the need to remove the pest is indisputable, as it has been reported to drop other Trojans while operating.
It has been mentioned that the .docm malware applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, except of course submitting the unthinkable ransom. There do exist techniques, though, which can lend you a helping hand in recovering the important stuff. Learn what those are below.
Automatic file recovery software
It’s worth knowing that the infection erases the original files in their unencrypted form; it’s the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects even if they were removed in a secure way. This workaround is definitely worthwhile, as it has proved to be fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is made at each restore point. There is an important condition to this method: it works only if the System Restore feature was turned on before the contamination. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered version of the file.
The Properties dialog for any file has a tab called Previous Versions. That’s where the backed-up versions are displayed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.
Out of all the options that aren’t ransom-related, this one is the best. In the event you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by this ransomware is as simple as logging into the respective interface, selecting the right files and initiating the restore proper. Before you do so, however, be sure to completely remove the ransomware from your computer.
If you chose to stick to the manual cleanup technique, some fragments of the ransomware may have stayed behind as obfuscated objects in the operating system or in registry entries. To make sure there are no malicious components of the threat left, have your computer scanned with a reliable malware security suite.