Security researchers have spotted a new file-encrypting ransomware variant, named qkG, that targets Microsoft Word's default template (Normal.dot), the template on which every new, blank Word document is based.
Jaromir Horejsi, the Trend Micro security researcher who discovered the ransomware, said the new variant is implemented entirely in VBA macros.
He said he first spotted it in a suspicious file that someone had uploaded to VirusTotal on November 12.
The first sample contained no Bitcoin address; a sample found two days later included one, along with a routine that only triggers encryption on a specific day and time.
Since then, researchers have spotted further versions of qkG with differing features and behaviors.
“qkG filecoder stands out as the first ransomware to scramble one file (and file type), and one of the few file-encrypting malware written entirely in Visual Basic for Applications (VBA) macros. It’s also one of the few that uncommonly employs malicious macro codes, unlike the usual families that use macros mainly to download the ransomware,” Trend Micro said in the blog post describing the find.
How qkG Ransomware Works
qkG works differently from most other ransomware.
When a user opens an infected Word document and clicks the 'Enable Editing' button, the document's macros are allowed to run, which executes the VBA code attached to the file.
The malicious part of the macro sits in an onClose routine, so the document's contents are encrypted only when the user closes the file.
On close, the macro also lowers Word's security settings so that Word no longer prompts the user to enable macros, and it deactivates Protected View.
The content is encrypted with a simple XOR cipher, and the key is hard-coded: it is the same in every infected document. The encryption routine itself is also carried inside each encrypted document.
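The weakness of that scheme is worth seeing in code. The example below is an added illustration, not qkG's own code: it models a fixed-key repeating XOR, then shows that a single victim who still holds an unencrypted copy of one document can recover the key and decrypt every other victim's file, because the key never changes. The key string, the two document bodies and the ransom note are constructed placeholders, not values taken from the malware.

```python
# Added illustration: fixed-key XOR is reversible by anyone with one known plaintext.
# Not qkG's code. KEY, RANSOM_NOTE, DOC_A and DOC_B are constructed placeholders.

KEY = b"placeholder-key-for-illustration"  # stand-in for the malware's hard-coded key

RANSOM_NOTE = (b"\n\nConstructed placeholder ransom note: send $300 in BTC to <address>"
               b" and mail <contact>.")


def xor_crypt(data, key):
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_document(body, key=KEY):
    """Model of what lands on disk: XORed body followed by a plaintext ransom note."""
    return xor_crypt(body, key) + RANSOM_NOTE


def strip_note(blob):
    """Remove the appended note so only the XORed body remains."""
    return blob[:-len(RANSOM_NOTE)] if blob.endswith(RANSOM_NOTE) else blob


def find_key_length(plaintext, ciphertext, max_len=64):
    """Smallest period of the keystream (plaintext XOR ciphertext). Needs at least
    2 * key_len bytes of aligned known plaintext to be trustworthy."""
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for n in range(1, min(max_len, len(stream) // 2) + 1):
        if all(stream[i] == stream[i - n] for i in range(n, len(stream))):
            return n
    return None


def recover_key(plaintext, ciphertext, key_len):
    """At offset 0 the first key_len keystream bytes are the key itself."""
    if min(len(plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of aligned known plaintext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


# Constructed sample documents (victim A keeps an original copy of DOC_A; victim B
# has only the encrypted form of DOC_B).
DOC_A = (b"Quarterly report (constructed sample). Revenue grew 4% on the back of "
         b"strong demand in Q3; costs were flat.")
DOC_B = (b"Board minutes (constructed sample): the committee approved the new "
         b"supplier contract and adjourned at 16:00.")


def demo():
    """Recover the key from victim A's known plaintext, then decrypt victim B's file."""
    encrypted_a = encrypt_document(DOC_A)
    encrypted_b = encrypt_document(DOC_B)

    body_a = strip_note(encrypted_a)
    key_len = find_key_length(DOC_A, body_a)
    key = recover_key(DOC_A, body_a, key_len)

    # Same key in every sample, so it opens a document the attacker encrypted elsewhere.
    recovered_b = xor_crypt(strip_note(encrypted_b), key)
    return key, recovered_b


if __name__ == "__main__":
    key, text = demo()
    print("recovered key:", key)
    print("victim B decrypted:", text.decode())
```

The period search needs at least twice the key length in known plaintext; for a document of a few paragraphs that is trivially available, which is why a fixed XOR key offers no real protection once any one plaintext leaks.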
A ransom note is appended to the end of the document, listing an email address and a Bitcoin address; the latest sample demands $300.
qkG does not rename the file or add an extension. Instead, it inserts a Document_Open() autostart macro into the encrypted document and copies its own macro code into it.
The same code is written into Word's Normal.dot template, so whenever the user opens Word again the modified template is loaded and the malicious code runs, and every document the user then creates is encrypted as well. If the infected Word file is shared and opened by another user, that user is infected in turn.
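The two host-side changes described above, a macro planted in the Normal template and weakened Word security settings, are also the two things a responder can check for. The script below is an added example, not Trend Micro's analysis code or the malware. It assumes that current Word versions keep the per-user default template at %APPDATA%\Microsoft\Templates\Normal.dotm as an OOXML zip whose VBA project, if any, is the word/vbaProject.bin part, and that macro and Protected View policy lives as DWORD values under HKCU\Software\Microsoft\Office\<version>\Word\Security (and its ProtectedView subkey). The two stand-in templates it builds are constructed for the demo.

```python
# Added example: audit a Word install for a macro-bearing Normal template and for
# weakened macro / Protected View settings. Not the malware's or Trend Micro's code.
import os
import tempfile
import zipfile

VBA_MEMBER = "word/vbaProject.bin"  # VBA project part inside an OOXML template (assumed)

# Protected View DWORDs under ...\Word\Security\ProtectedView; 1 disables that source.
# "Attachements" is Microsoft's own spelling of the value name.
PV_VALUES = ("DisableInternetFilesInPV", "DisableAttachementsInPV",
             "DisableUnsafeLocationsInPV")


def default_template_path():
    """Per-user Normal.dotm location assumed for current Word versions."""
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft",
                        "Templates", "Normal.dotm")


def template_has_macros(path):
    """True if the OOXML template carries a VBA project, False if not, None if the
    file is not a zip (e.g. a legacy binary Normal.dot, which needs an OLE parser)."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as z:
        return VBA_MEMBER in z.namelist()


def assess_word_security(values):
    """Turn registry DWORDs into findings. VBAWarnings: 1 = enable all macros,
    2 = disable with notification (default), 3 = signed only, 4 = disable silently.
    AccessVBOM = 1 lets a running macro write macros into other documents and
    templates, which is exactly what a self-copying macro needs."""
    findings = []
    if values.get("VBAWarnings") == 1:
        findings.append("VBAWarnings=1: all macros run without any prompt")
    if values.get("AccessVBOM") == 1:
        findings.append("AccessVBOM=1: macros may modify VBA projects")
    for name in PV_VALUES:
        if values.get(name) == 1:
            findings.append(f"{name}=1: Protected View disabled for this source")
    return findings


def read_word_security(version="16.0"):
    """Read the relevant values for one Office version on Windows; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    base = rf"Software\Microsoft\Office\{version}\Word\Security"
    wanted = {base: ("VBAWarnings", "AccessVBOM"), base + r"\ProtectedView": PV_VALUES}
    out = {}
    for subkey, names in wanted.items():
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                for name in names:
                    try:
                        out[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    return out


def build_sample_template(path, with_macros):
    """Constructed stand-in for Normal.dotm: a minimal zip, optionally with a
    vbaProject.bin part (a dummy blob, not a real VBA project)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr(VBA_MEMBER, b"dummy vba project blob")


def demo():
    """Check a clean and an infected stand-in template; returns (clean, infected)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.dotm")
        infected = os.path.join(d, "infected.dotm")
        build_sample_template(clean, with_macros=False)
        build_sample_template(infected, with_macros=True)
        return template_has_macros(clean), template_has_macros(infected)


if __name__ == "__main__":
    print("stand-in templates (clean, infected):", demo())
    real = default_template_path()
    if os.path.exists(real):
        print(real, "has macros:", template_has_macros(real))
    for finding in assess_word_security(read_word_security()):
        print("WARNING:", finding)
```

A clean Normal.dotm has no vbaProject.bin part at all, so its presence alone is a strong signal; the registry findings matter because a macro that has turned VBAWarnings to 1 and set AccessVBOM leaves Word silently running and rewriting macros long after the original document is gone. Hosts with a legacy binary Normal.dot need an OLE-aware tool for the template check.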
The ransomware still appears to be under development, and the technique has not yet been exploited widely. Users are advised not to open or download suspicious files received by email.