Locky ransomware reappeared with a vengeance last Friday, this time not using Office documents combined with social engineering to have the user enable macros, but with a PDF that has a Word file hidden within, which executes a macro script when opened by the user. This scenario allows the phishing email to bypass sandboxes.
Malwarebytes blogged that the criminal hacker group controlling the Necurs botnet just opened the spam floodgates again and is pumping out fake documents that deliver the nasty Locky ransomware.
The Locky ransomware is dropped following a distribution method we have been seeing more of recently with Dridex which involves embedding a Word document within a PDF file.
When the user clicks the OK button, the rogue Word document is displayed. The attack relies on users opening up malicious attachments that will appear legitimate. Many studies have shown that users are often the weakest link in an attack chain and criminals know that too well.
Malwarebytes protects against this attack at various layers including macro and ransomware mitigation, and neither of those required any signature update.
And obviously, trained end-users can spot the red flags related to this and would never open the PDF to begin with, let alone then open the Word file hidden within.
You need defense-in-depth, meaning layered defenses and it’s urgent to create your human firewall by stepping your users through new-school security awareness training and frequently test them with simulated phishing emails. Don’t wind up with a ransomware infection: “All locked up and no place to go.
More information can be found here.