Closing a Word Document Could Infect Your Computer With Locky Ransomware

Cybercriminals have not given up on the idea of distributing Locky ransomware. Although most of the distribution methods in place today are used by virtually everyone, a few criminals have adopted a new approach. They now distribute the Locky ransomware payload through a modified Microsoft Word file, and the payload is only triggered once the document is closed. This is a new spin on the traditional “Word macro” distribution method we have seen used so often in recent years.

A New Way to Distribute Locky Ransomware

Microsoft Word lets criminals do many things that, in theory, should not be possible. Installing malware by getting users to enable specific macros in order to view a document's content, and distributing the malicious payload that way, seems to work just fine. However, since almost every ransomware distributor is using this method, the average consumer is slowly becoming aware of this problem and the threat it poses.

The latest Locky ransomware distribution campaign still relies on Microsoft Word documents. That in itself will not change anytime soon, but criminals have come up with a new way to successfully exploit a few other options at their disposal. The newest method uses Word documents laden with Locky malware which only trigger the payload download and execution once the documents are closed. This is a pretty unique way to deliver a payload, since it is not something that has been explored up to this point.

Similar to the previous distribution method, this Microsoft Word campaign still relies on macros. It seems these macros are of particular concern to Microsoft, as the criminals have found a way to use them to execute code when a document closes. The attack still relies on executing a macro within Word itself, and the user still needs to enable macros in order for it to succeed. However, the macro has nothing to do with displaying content per se, as the document itself already displays its information.

This also makes a major difference for any security software that may be installed on the victim’s computer. Since most software now blocks malicious macros in Word documents when it comes to displaying content, an on-close macro is the new go-to solution. A lot of sandboxed environments allow Word macros by default. Because these new types of documents appear to be completely harmless, they can still infect computers by flying under the radar.
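A defender-side triage sketch for the point above, added here as an example and not code from the article or any security product: given VBA source already extracted from a document, it reports Word's auto-run handlers by trigger event (open or close) and whether each one reaches a process-launch or download call, directly or through helper procedures. The `RISKY` list and the sample macro are constructed assumptions.

```python
import re

# Word auto-run procedure names (lower-cased), grouped by the event that fires them.
TRIGGERS = {
    "open": {"autoopen", "document_open", "autoexec", "autonew", "document_new"},
    "close": {"autoclose", "document_close", "autoexit"},
}
# Short triage list (an assumption): calls that start a process or fetch a file.
RISKY = {"shell", "createobject", "urldownloadtofile"}

PROC_RE = re.compile(
    r"^[ \t]*(?:(?:public|private)[ \t]+)?(?:sub|function)[ \t]+(\w+)(.*?)"
    r"^[ \t]*end[ \t]+(?:sub|function)\b", re.I | re.M | re.S)

def parse_procedures(vba_source):
    """Map each procedure name to the set of identifiers used in its body."""
    # Drop whole-line comments so commented-out code is not counted.
    code = re.sub(r"(?im)^[ \t]*(?:'|rem\b).*$", "", vba_source)
    return {
        m.group(1).lower(): {t.lower() for t in re.findall(r"[A-Za-z_]\w*", m.group(2))}
        for m in PROC_RE.finditer(code)
    }

def reachable_risky(procs, entry):
    """Follow calls from `entry` through user procedures; return risky calls found."""
    seen, stack, hits = set(), [entry], set()
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            hits |= procs[name] & RISKY
            stack.extend(t for t in procs[name] if t in procs)
    return hits

def triage(vba_source):
    """Return {event: {handler: sorted risky calls}} for auto-run handlers present."""
    procs = parse_procedures(vba_source)
    report = {}
    for event, names in TRIGGERS.items():
        for handler in names.intersection(procs):
            report.setdefault(event, {})[handler] = sorted(reachable_risky(procs, handler))
    return report

# Constructed sample: nothing runs on open; the close handler reaches Shell via a helper.
SAMPLE = ("' Sub AutoOpen() is commented out and must be ignored\n"
          "Private Sub Document_Close()\n    Stage2\nEnd Sub\n"
          "Sub Stage2()\n    Shell \"placeholder.exe\", vbHide\nEnd Sub\n")
print(triage(SAMPLE))
```

A document whose only auto-run handler sits under `close` and reaches a risky call is the pattern the article describes; a sandbox that opens a file but never closes it would not exercise that handler.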

This new Microsoft Word campaign is not the only Locky distribution method to keep an eye on. Another researcher has discovered that there is a fake Dropbox email phishing method being employed right now. Once a user clicks on the link in an email, he or she is redirected to a spoofed website which will install the Locky payload on the target computer. Criminals will continue distributing Locky for quite some time to come; that much is obvious.

With so many “affiliates” distributing one of the more destructive types of malware, the future is looking pretty bleak. It seems as if the war against ransomware is not evolving in favor of the potential victims. Criminals remain at least two steps ahead of security researchers in this ongoing cat-and-mouse game. Locky has been one of the top ransomware types for quite some time and it will not necessarily go away overnight. With this new Microsoft Word macro trick, things will only get more confusing and dangerous for computer users.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.
