The ransomware strain targets only Office documents: it encrypts them and infects the Word default document (the template from which new documents are created) so that it propagates to each newly created document opened through the Office suite on the infected computer.
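Because the propagation path described above runs through Word's default document, a useful defensive check is simply to see whether that template carries a VBA project at all, since a clean default template should not. The following Python script is an added example written for this page, not code from the article or from the researchers; it assumes (outside what the article states) that a macro-enabled OOXML template is a zip archive whose VBA code lives in the part `word/vbaProject.bin`, and the template locations listed in `candidates` are typical defaults that may need adjusting for a given environment.

```python
import io
import zipfile
from pathlib import Path

# Assumption (not from the article): macro-enabled OOXML files (.dotm/.docm)
# are zip archives that store their VBA code in the part word/vbaProject.bin.
VBA_PART = "word/vbaProject.bin"
# Magic bytes of the legacy OLE2 container used by binary .dot/.doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_template(data: bytes) -> str:
    """Classify a template file's bytes.

    Returns one of:
      'macro'      - OOXML archive that contains a VBA project (investigate)
      'clean'      - OOXML archive with no VBA project
      'legacy-ole' - binary .dot/.doc container; needs an OLE parser (e.g. oletools)
      'not-office' - neither format
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    return "macro" if VBA_PART in names else "clean"


def scan_default_templates(paths):
    """Classify every candidate template path that exists; returns {path: status}."""
    results = {}
    for candidate in paths:
        path = Path(candidate)
        if path.is_file():
            results[str(path)] = classify_template(path.read_bytes())
    return results


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample, not a real template: a minimal zip with only the parts
    that matter for this check, so the classifier can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr(VBA_PART, b"\x00constructed-vba-stub")
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed default locations of Word's Normal.dotm on Windows and macOS;
    # adjust for your environment.
    candidates = [
        Path.home() / "AppData/Roaming/Microsoft/Templates/Normal.dotm",
        Path.home() / "Library/Group Containers/UBF8T346G9.Office/User Content/Templates/Normal.dotm",
    ]
    found = scan_default_templates(candidates)
    if not found:
        print("no default template found at the candidate paths")
    for path, status in found.items():
        print(f"{status:10s} {path}")
```

A 'macro' result is not proof of infection, since some users legitimately keep macros in their default template, but it is the condition worth alerting on; a 'legacy-ole' result means the file is a binary template that this zip-based check cannot inspect and should be handed to an OLE-aware tool.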
This new threat is unusual in the world of ransomware because it abides by a completely different and much more tightly targeted set of operating principles than any other form of ransomware found in the wild today. It’s also a bit of a throwback. The use of macros to spread worms is still fairly commonplace on older machines running out-of-date or pirated copies of Office, but it hasn’t really been in fashion in the mainstream hacking community for quite some time.
An analysis of the code reveals it to be a work in progress. The researchers were quick to point out the ransomware has not found any actual victims to date, and that several different variants and strains of the code were found in different documents, each with a different and slightly more robust feature set.
Based on evidence Horejsi found in the qkG samples he had the opportunity to analyze, the author of this new strain is apparently based somewhere in Vietnam, and goes by the alias “TNA-MHT-TT2.”
The malware is notable for its rather innovative use of malicious macros. Horejsi warns that these techniques will undoubtedly be picked up by other hackers, refined and used more broadly in the months ahead.
That’s likely to pose a special challenge for your IT security team, who have probably fallen out of the habit of watching for such threats since they declined in popularity some time ago. It seems, however, that what’s old has been made new again, so alert the troops to be ready.