Opinion: Rejuvenated ‘Locky’ ransomware is exploiting an old Windows DDE weakness - PC Retail


By Lewis Henderson, VP of Threat Intelligence at Glasswall Solutions

A long-standing vulnerability in Windows is being exploited by a newly designed version of the infamous Locky ransomware, which has been wreaking havoc over the last 18 months. It is a vulnerability that Microsoft has publicly stated it will not address, making the attack undetectable using traditional cyber security software.

The new threat employs Microsoft’s Dynamic Data Exchange (DDE), a feature that allows the transfer of data between Windows applications and which is almost exclusively used to point to data sources inside a network. Hackers are using DDE to distribute ‘weaponised’ Office files posing as legitimate documents such as invoices. All an unsuspecting member of staff has to do is open the innocent-looking attachment in order to compromise the entire organisation’s database.

The problem is that DDE is a very mature technology, dating back to the pre-internet days of the 1980s, which allows today’s cybercriminals to instantly execute links in a document once a victim opens it. Microsoft has replaced DDE with the more modern Object Linking and Embedding (OLE) technology. However, Microsoft has said it will continue to support DDE and will not remove it as an Office document feature, despite its highly effective exploitation by cyber criminals.

And, as DDE continues to be a legitimate feature, it needs to be surgically removed, something beyond the capability of traditional anti-virus or security scanning systems. The only solution has been through a unique file regeneration process, which is able to filter out files containing this feature among any other new and emerging threats.
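As an added illustration (not Glasswall’s product or the article’s own code), the following Python checker flags Office documents carrying DDE field codes by parsing the OOXML field structure rather than string-matching the raw file, which is what lets it catch an instruction split across runs; the sample document is constructed inline and uses placeholder field arguments.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"(?<!\w)DDE(AUTO)?\b", re.IGNORECASE)  # field code DDE or DDEAUTO

def field_instructions(xml_bytes):
    """Yield each field instruction in a WordprocessingML part, joining the
    w:instrText runs of complex fields (nested fields are flattened)."""
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    for para in root.iter(W + "p"):
        buf, depth = [], 0
        for el in para.iter():
            kind = el.get(W + "fldCharType") if el.tag == W + "fldChar" else None
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(buf)
                    buf = []
            elif el.tag == W + "instrText" and depth > 0:
                buf.append(el.text or "")

def find_dde_fields(docx_bytes):
    """Return (part, instruction) for every DDE field in any word/*.xml part (body, headers, footnotes)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        parts = [n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")]
        return [(n, " ".join(i.split())) for n in parts
                for i in field_instructions(zf.read(n)) if DDE_RE.search(i)]

def build_docx(body_xml):
    """Constructed minimal .docx (document.xml only) for testing; not a real sample."""
    doc = '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W[1:-1], body_xml)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed: instruction split over two runs defeats a raw byte search for "DDEAUTO"; target/args are placeholders.
SUSPICIOUS = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO PLACEHOLDER_APP "PLACEHOLDER_ARGS"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
BENIGN = build_docx('<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>1 Jan</w:t></w:r></w:fldSimple></w:p>')
```

A mail gateway or sandbox can run `find_dde_fields` over each attachment and quarantine anything that returns a non-empty list; the same field-walking logic applies to `.dotx`/`.docm` parts and, with the namespace changed, to other OOXML formats.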

Phishing and ransomware attacks succeed as a result of staff members opening attachments or links that deliver malware. An email file protection platform, which is integrated seamlessly with companies’ existing security architecture, will provide a ‘last line of defence’ that proactively manages the risk that email attachments pose to the organisation. Users open secure email attachments without the fear of malware or ransomware, and the organisation continues without the disruption from cyber threats.

Windows’ underlying DDE security flaw is now one that affects almost every organisation receiving email attachments that reach users inside the organisation. Only a tiny percentage - those using cloud-based computing such as O365 - remain largely unaffected. Already there are reports of ransomware demands being made following successful security breaches using Locky to exploit Windows’ DDE vulnerability.

Industry estimates are that ransomware damage costs are around US$5 billion a year and are predicted to exceed US$11.5 billion annually by 2019. But even this could be an underestimate, since the full-scale of the problem is difficult to gauge as few companies report successful ransomware attacks for fear of frightening off customers and investors.

And there is growing case evidence that ransomware attacks and outbreaks are becoming increasingly ambitious. Exactly a year ago, a ransomware attack hit San Francisco’s public transport system, infecting over 2,000 of the Municipal Transport Agency (MTA)’s computers. The affected systems included administration computers, email and print servers, payroll systems, databases, staff terminals, and publicly visible station kiosk PCs – there was no hiding the effect of ransomware from the citizens of San Francisco, who went viral on Twitter sharing pictures of infected computers displaying the message: “You Hacked, ALL Data Encrypted, Contact For Key (cryptom27@yandex.com) ID:601”.

Rather than meet the 100 Bitcoin (US$73,000) ransom demand for the decryption key, the MTA opened the transport system’s fare gates and immediately contacted the Department of Homeland Security. But although the MTA behaved in an exemplary fashion by refusing to give in to the cyber criminals, organisations forced to pay ransomware often hide the fact. The financial industry, for instance, has long been a target for all varieties of ransomware but the banks have not been obliged to reveal data breaches.

There is now an increasing focus on DDE vulnerabilities that will make it hard for the executives of firms which have been breached in this way or forced to pay ransomware to plead ignorance of such a glaring and well-reported security weakness. Microsoft, for example, recently tweeted a warning that cyber criminals might be using DDE to deliver malware during the Christmas online shopping season.

Companies wishing to avoid any future variants of ransomware can no longer just rely on cyber breach recovery programs as a means of insurance. Concepts of best practice must change to include proactive measures that secure an organisation against damaging cyber security breaches before they happen. There is no option but to take the initiative and actively sanitise all incoming email attachments, particularly those exploiting the DDE weakness in Windows.
