Over the past week we have detected a new strain of ransomware that has been spreading locally.

It starts by embedding itself in the Windows Startup folders, where it creates a link to a text document in the temp folder. The text document contains a script that starts encrypting all documents.

There are a variety of ways it can get into your system. One of them is a Microsoft Word dropper that is part of a phishing campaign delivering a malicious Microsoft Word document (.docm). In this sample, the malware author tricks the user into clicking “Enable Content” and “Enable Editing” in the ribbon, using a warning that Microsoft Word’s features will be disabled after a certain date.

MICROSOFT Word Dropper

The big thing is to be extremely suspicious whenever you see the words “Enable Content”. IT’S THE MOST DANGEROUS QUESTION/BUTTON YOU CAN CLICK ON TO ALLOW MALWARE TO RUN ON YOUR COMPUTER.


So the question is, what can users do to ensure that they are protected?

At this stage there is no definitive protection, but you can do the following:-

The biggest thing to remember is that the sooner you respond to a suspected ransomware attack, the easier it is to nip the problem in the bud and get back up and running with minimal downtime and lost data. If in doubt at all, shut your machines down and contact your team.
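
For the Startup-folder behaviour described at the top of this post, the following PowerShell check lists every shortcut in the Startup folders and flags those that resolve into a temp folder. It is an added example, not part of the original post or taken from the malware sample; the list of temp locations is an assumption about what "the temp folder" means on a given machine.

```powershell
# Added example, not from the original post. Read-only: it changes nothing on disk.
# Assumption: "temp folder" means one of the user or system temp locations below.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # Startup folder shared by all users
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$tempRoots = @(
    $env:TEMP,
    $env:TMP,
    (Join-Path $env:windir 'Temp'),
    '\AppData\Local\Temp'    # also matches other profiles and 8.3 short forms of $env:TEMP
) | Where-Object { $_ } | Select-Object -Unique

# WScript.Shell can open an existing .lnk and expose its target and arguments.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    # -Force includes shortcuts that have been marked hidden.
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)

            # The temp path may sit in the target itself or be passed as an
            # argument to an interpreter, so both are searched.
            $text = [Environment]::ExpandEnvironmentVariables(
                "$($lnk.TargetPath) $($lnk.Arguments)")
            $hit = $tempRoots | Where-Object {
                $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
            }

            [pscustomobject]@{
                PointsToTemp = [bool]$hit
                Shortcut     = $_.FullName
                Target       = $lnk.TargetPath
                Arguments    = $lnk.Arguments
                Created      = $_.CreationTime
            }
        }
}

# Shortcuts that resolve into a temp folder are listed first.
$findings | Sort-Object PointsToTemp -Descending | Format-Table -AutoSize -Wrap
```

A row with PointsToTemp set to True is not proof of infection, but a Startup shortcut that nobody recognises and that resolves into a temp folder matches the behaviour described above.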