Over the past week we have detected a new strain of Ransomware that has been spreading locally.
It persists by planting a shortcut in the Windows Startup folder that points to a text file in the Temp folder. That text file contains a script which, once the shortcut is launched at logon, begins encrypting the user's documents.
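The persistence described above is easy to hunt for on an endpoint. The following PowerShell is an added example (not from the original post) that lists every entry in the per-user and all-users Startup folders, resolves any .lnk shortcut to its real target, and flags entries whose target or arguments point into a Temp directory, are a plain-text or script file rather than an executable, or launch a script host with arguments. The Temp locations, extensions and interpreter names in the lists are assumptions for this sample; extend them for your environment.

```powershell
# Added example: hunt the Startup folders for shortcuts that point at a
# text/script file in Temp (the persistence mechanism described above).

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')   # %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp
)

# Assumption: these are the locations/extensions worth flagging for this sample.
$suspiciousDirs = @($env:TEMP, $env:TMP, "$env:windir\Temp", "$env:LOCALAPPDATA\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique
$suspiciousExt = @('.txt', '.vbs', '.js', '.jse', '.wsf', '.ps1', '.bat', '.cmd', '.hta')
$interpreters  = 'wscript|cscript|powershell|pwsh|mshta|cmd'

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $item   = $_
            $target = $item.FullName
            $args   = ''

            # A shortcut's real target and arguments live inside the .lnk file
            if ($item.Extension -ieq '.lnk') {
                $lnk    = $shell.CreateShortcut($item.FullName)
                $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
                $args   = $lnk.Arguments
            }

            $reasons = @()

            # Reason 1: the target or its arguments reference a Temp directory
            foreach ($s in $suspiciousDirs) {
                if (($target + ' ' + $args) -like "*$s*") { $reasons += "references $s"; break }
            }

            # Reason 2: the target is a text/script file, not an executable
            $ext = [IO.Path]::GetExtension($target).ToLower()
            if ($suspiciousExt -contains $ext) { $reasons += "target is a script/text file ($ext)" }

            # Reason 3: a script host is started with arguments (e.g. wscript.exe ...\Temp\x.txt)
            if (($target -match $interpreters) -and $args) { $reasons += 'interpreter launched with arguments' }

            [PSCustomObject]@{
                StartupEntry = $item.FullName
                Target       = $target
                Arguments    = $args
                Suspicious   = ($reasons.Count -gt 0)
                Reason       = ($reasons -join '; ')
            }
        }
}
```

Run it in an elevated PowerShell so the all-users Startup folder is readable; pipe the output to `Where-Object Suspicious` to see only the flagged entries. Remove a flagged shortcut and its target from Safe Mode, where Startup folder items are not launched, rather than from a normal session in which the script may already be running.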
It can reach a machine in several ways. One is a Microsoft Word dropper delivered by a phishing campaign as a macro-enabled document (.docm). In this sample, the malware author tricks the user into clicking "Enable Editing" and then "Enable Content" in the yellow bar at the top of the document, using a fake warning that Microsoft Word's features will be disabled after a certain date. Clicking "Enable Content" runs the macros inside the document, and those macros are what install the ransomware.
The key point: whenever you see the words "Enable Content", be extremely suspicious. IT IS THE MOST DANGEROUS BUTTON YOU CAN CLICK, because it lets the document's macros, and any malware they carry, run on your computer.
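On managed machines you can take the "Enable Content" decision away from the user. The PowerShell below is an added example (not from the original post) that sets the two Office policy values that matter for this dropper: blocking macros in documents that arrived from the internet (which is what a phishing attachment is, as Windows marks it with a Mark-of-the-Web), and disabling unsigned macros so the Enable Content bar is not offered for them. It assumes Office 2016/2019/365, whose registry version key is 16.0; the list of applications is also an assumption, extend it as needed.

```powershell
# Added example: harden Office macro handling for the current user via the
# policy registry keys. Assumption: Office version key 16.0 (2016/2019/365).
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

    # 1 = "Block macros from running in Office files from the Internet"
    Set-ItemProperty -Path $policyKey -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (the
    # default, which shows the Enable Content bar), 3 = disable all except
    # digitally signed macros, 4 = disable all without notification.
    Set-ItemProperty -Path $policyKey -Name 'VBAWarnings' -Value 3 -Type DWord
}

# Show the resulting settings so the change can be verified
foreach ($app in $apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

These are the same values the Group Policy settings "Block macros from running in Office files from the Internet" and "VBA Macro Notification Settings" write. Setting them directly under HKCU works for a single machine; across a domain, deploy them through Group Policy so a user (or a dropper running as the user) cannot simply set them back.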
So the question is: what can users do to protect themselves?
There is no definitive protection at this stage, but you can do the following:
- Install a full version of Malwarebytes or SpyHunter
- Run Disk Cleanup regularly to empty the Temp folders. In this case the cleanup would have to be performed in Safe Mode, because in a normal session the script in Temp is already running and its Startup shortcut will bring it back
- Keep multi-layered, incremental backups both onsite and offsite, with at least one copy kept offline so the ransomware cannot encrypt the backups as well
- Keep your antivirus program up to date
- Alert your IT Support team as soon as you notice that something looks strange
- DO NOT click "Enable Content", and do not click the X to close a suspicious pop-up or program either; report it instead
The biggest thing to remember is that the sooner you respond to a suspected ransomware attack, the easier it is to nip the problem in the bud and get back up and running with minimal downtime and data loss. If in any doubt at all, disconnect the machine from the network, shut it down and contact your team.