Check Point has detected a new ransomware attack targeting Australian users of Office 365. The malware is being delivered in a zero-day attack. It has not been disclosed which ransomware variant is involved.
In an interesting twist, the attackers want to be paid in Australian dollars. This use of local currency is strange, as it gives the attackers no guarantee of anonymity when they are paid. It is possible that the cybercriminals are hoping that those affected will be too embarrassed to call the police. While this might give the impression that this is amateur hour, it is not. The ransomware is apparently beginning to catch out an increasing number of users.
How is it spread?
It is no surprise that this is yet another attack using an email attachment. The email suggests that the attachment is an invoice that needs paying. Opening the document will cause it to execute code to install the ransomware. On machines where macros are disabled, the document will claim to be in an older version of Word that needs updating. The user is then asked to click on a box to update the document in order to view it. If the user clicks the box, the malware is activated and the user is infected.
At the moment this is a 1:1 attack, with only the user who opens the infected attachment being targeted.
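The delivery path described above depends on an Office attachment that carries macros. The following is an added example, not from Check Point or the original article, of a mail-triage check that flags such attachments before a user opens them. The sample message, addresses and file names are constructed, and the check assumes the lure is a Word document with a VBA project, which the article implies but does not confirm.

```python
from __future__ import annotations
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container header

def has_vba_macros(data: bytes) -> str | None:
    """Return a reason if the attachment can carry VBA macros, else None."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros cannot be ruled out without an OLE parser.
        return "legacy OLE2 Office file (may contain macros)"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                # OOXML stores the macro project as vbaProject.bin inside the zip.
                if name.lower().endswith("vbaproject.bin"):
                    return f"OOXML file with VBA project ({name})"
    return None

def triage(raw_message: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and list (filename, reason) per flagged part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reason = has_vba_macros(part.get_payload(decode=True) or b"")
        if reason:
            findings.append((part.get_filename() or "<unnamed>", reason))
    return findings

def _docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed invoice-themed message with one macro and one clean attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "user@example.test", "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name, macro in (("invoice.docm", True), ("notes.docx", False)):
        msg.add_attachment(_docx(macro), maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in triage(build_sample()):
        print(f"FLAG {filename}: {reason}")
```

The check inspects file content rather than the extension, so a macro-bearing document renamed to `.docx` is still flagged.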
Conclusion
Once again, this is an attack using an email attachment. Preventing infection is simple: only open files from a known source. Check Point has not said whether the infected attachment can be detected when it first arrives in email. If so, then users need to update their anti-malware software to improve detection.