Ransomware is a rapidly growing plague on computer users, and the latest variant of Locky adds malicious Word macros to its weaponry.
If you must open Word documents created by others, here are some ways to ensure you don’t become a ransomware victim.
When you’re unlucky enough to get Locky
Locky ransomware shows up in many formats, but in most cases it’s disguised as an invoice, shipping document, or similar legitimate-seeming attachment. Typically, those attachments are Word or Excel documents, but the malware might also be hiding inside a ZIP or RAR file.
No matter how Locky arrives, the end effect is the same — and frighteningly obvious. You’ll discover that all your documents are encrypted: not just those on the infected computer, but also files on mapped external drives and network locations. Even cloud-based documents are at risk. It can also disable Windows’ volume shadow copies.
It gets worse: Locky will look for bitcoin wallets and try to encrypt them as well.
Locky can even store information in the Windows Registry.
Here are some reminders of ways to protect yourself from this latest variant:
The first line of defense remains unchanged
Regular Windows Secrets readers should already know the first rule of blocking ransomware and similar forms of malware: Don’t open email attachments that did not come from truly trusted sources. I’d even avoid attachments forwarded by those you know well — you can’t know the original source of the document.
Note that the ransomware payload typically isn’t triggered by simply viewing the email message; you have to open the malicious attachment to become infected.
The next best defense is using an email service that filters your email. If you never see the attachment, you won’t be tempted to open it. Many major Internet service providers will filter and clean email — it’s in their interests to protect their subscriber traffic.
If your ISP doesn’t provide effective mail filtering and cleaning, you should sign up for one of the free providers that do. You can, for example, forward your mail through Gmail or Outlook.com. I also recommend creating a separate account on one of the free, online mail services; then use that address for the sites that might lead to more spam in your inbox.
Many of the malicious emails and attachments look as if they came from legitimate businesses. It can be hard to tell a bogus FedEx notification from a real one. If you’re suspicious of an email, open it on a platform that’s less likely to be hit by ransomware. For example, I often use my iPhone to open up suspect mail. If it proves safe, I will then open it on one of my Windows machines. But even that’s not foolproof. As noted in a recent Reuters story, some OS X machines saw their first successful ransomware attack. The “KeRanger” exploit was piggy-backing on torrent sites. (That’s what you get for illegally downloading media — I jest: there are legitimate reasons for using BitTorrent.) Experts reportedly expect to see new forms of attachments on Macs.
Preventing infection by blocking macros
Locky’s use of Office-based macros is somewhat unusual. If you’re unlucky enough to launch the malware, and if you’ve not taken precautions to block certain macros, the encryption process will begin. Microsoft’s Malware Center has posted tips for protecting yourself from bogus macros.
It starts with checking whether you have any Word docs or Excel worksheets that contain macros. If you don’t have or use macros, take the following steps to better protect yourself from malicious documents that might slip onto your machine.
- Open a Microsoft Word document.
- Click the File tab and then Options.
- In the Trust Center, click Trust Center Settings.
- In the Macro Settings section, check that the default, Disable all macros with notification, is selected.
- Click OK.
If you do use macros, the better option is: Disable all macros except digitally signed macros. This will ensure that unsigned macros don’t launch when you open a document.
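The two checks above, as an added PowerShell example (not code from the article or from Microsoft): step 1 finds which of your own Office Open XML files actually carry a VBA project, and step 2 reads the Trust Center macro setting behind the Word and Excel dialogs. It assumes PowerShell 3 or later, the user-hive registry locations Office uses for that setting, and that it is run as the user whose Office is being audited.

```powershell
# Added example, not code from the Windows Secrets article.
# Assumptions: PowerShell 3+, run as the user whose Office install is audited.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Step 1. OOXML documents are ZIP archives; a macro project is stored as
# word/vbaProject.bin or xl/vbaProject.bin. Legacy .doc/.xls (OLE) files are
# not ZIPs and are not covered here, so treat those as "may contain macros".
function Find-MacroDocuments {
    param([string]$Root = "$env:USERPROFILE\Documents")
    Get-ChildItem -Path $Root -Recurse -File -Include *.docm,*.xlsm,*.docx,*.xlsx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                $vba = $zip.Entries | Where-Object { $_.FullName -match 'vbaProject\.bin$' }
                $zip.Dispose()
                if ($vba) { $file.FullName }          # emit only files that carry VBA
            } catch { Write-Warning "Could not read $($file.FullName): $_" }
        }
}

# Step 2. VBAWarnings values: 1 = enable all macros, 2 = disable all with
# notification (the default), 3 = disable all except digitally signed,
# 4 = disable all without notification. A value under HKCU:\Software\Policies
# (Group Policy) overrides the user's own Trust Center choice, so check it first.
function Get-MacroSetting {
    $meaning = @{ 1 = 'Enable all macros (dangerous)'
                  2 = 'Disable all macros with notification'
                  3 = 'Disable all macros except digitally signed'
                  4 = 'Disable all macros without notification' }
    foreach ($ver in '14.0', '15.0', '16.0') {        # Office 2010, 2013, 2016
        foreach ($app in 'Word', 'Excel') {
            foreach ($hive in 'HKCU:\Software\Policies\Microsoft\Office',
                              'HKCU:\Software\Microsoft\Office') {
                $key = "$hive\$ver\$app\Security"
                $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
                if ($null -eq $v) { continue }       # key/value absent: default (2) applies
                $src = if ($hive -like '*Policies*') { 'Policy' } else { 'User' }
                [pscustomobject]@{ Version = $ver; App = $app; Source = $src
                                   Value = [int]$v; Meaning = $meaning[[int]$v] }
                break                                # policy wins; skip the user value
            }
        }
    }
}

Find-MacroDocuments
Get-MacroSetting | Format-Table -AutoSize
```

If Step 1 returns nothing, you have no macro-bearing documents and the stricter Trust Center choices cost you nothing; any row in Step 2 showing Value 1 is the setting to fix first.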
Looking for the yellow banner when opening files
If you have a newer Office platform (2010 through 2016), it knows where opened documents have come from. Opening Word or Excel email attachments will trigger the yellow warning shown in Figure 1. (The wording will vary slightly with different Office versions.) Earlier platforms might also display the warning — if you’ve installed specific updates. But as I’ve pointed out in a Patch Watch column, the updated Office versions weren’t perfectly successful when dealing with file opening on older platforms.
Figure 1. Office’s warning that a document that arrived in email could be malicious
If you’re using .docx and .xlsx formats, newer Office versions tend to be more effective at spotting and blocking macros. But the key is still to always watch for the yellow banner at the top of opened files. If the document came via the Web, you can enable macros — but, again, only if you truly trust the source.
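Office decides whether to show that banner from an origin marker written when a file arrives from email or the Web; if the marker is missing, the file opens with no warning at all. The following added PowerShell check (not from the article) reports whether a saved attachment still carries it. It assumes the marker is the NTFS Zone.Identifier alternate data stream (the "Mark of the Web"), with ZoneId 3 meaning Internet and 4 meaning Restricted Sites, and that the file sits on an NTFS volume.

```powershell
# Added example, not code from the Windows Secrets article.
# Assumption: Office keys the yellow banner off the Zone.Identifier stream
# (ZoneId 3 = Internet, 4 = Restricted Sites). Requires NTFS and PowerShell 3+.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $motw) {
        # No stream: the file was saved to FAT/exFAT, extracted by a tool that
        # drops the marker, or never came from outside. Office will show no
        # banner, so treat the file as untrusted regardless of how it looks.
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; BannerExpected = $false }
    }
    $zone = $null
    if (($motw -join "`n") -match 'ZoneId=(\d)') { $zone = [int]$Matches[1] }
    [pscustomobject]@{ Path = $Path; ZoneId = $zone; BannerExpected = ($zone -ge 3) }
}

# Usage: audit every Office file in the Downloads folder before opening any of them.
Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -File -Include *.doc*,*.xls* |
    ForEach-Object { Test-MarkOfTheWeb -Path $_.FullName } |
    Format-Table -AutoSize
```

A file that reports BannerExpected = False is exactly the case the banner cannot protect you from: open it only if you already trust where it came from.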
What do you have access to?
An often overlooked step for limiting damage from ransomware is checking what you have access to from your PC. If you can browse to a location on an internal drive, on an external USB drive, in the cloud, and so forth, the ransomware payload has access to that location, too.
With that in mind, review how your backup software is set up. It’s one of the reasons I don’t completely trust Windows 10’s File History system; it saves a copy to an external USB hard drive that you — and ransomware — have full access to. File History makes no attempt to hide the location of archived files; hiding them would help protect them from ransomware encryption.
I wouldn’t turn File History off, but I would add the old-school method of rotating backup media (to multiple, external USB drives). Combine that strategy with cloud backup that includes versioning. In short, never rely on one backup system.
Ransomware is getting only cleverer at tricking computer users into downloading and launching malicious code. As it adapts, so too must we. Open only those attachments you expected to receive — and don’t worry if your friends think you are a tad paranoid when you call them to check that they really sent an email with any form of attached file.
A little paranoia helps keep us all safe.
Bradley, Susan. “Don’t be Unlucky With Locky.” Windows Secrets, March 17, 2016.