'Locky' ransomware exploits Windows DDE weakness
While ransomware is not a new threat, the latest variant of Locky has been tailored to exploit a glaring long-term vulnerability in Windows that Microsoft has publicly stated it will not address, making the attack undetectable using traditional cyber-security software. It uses Microsoft's Dynamic Data Exchange (DDE), a feature that allows the transfer of data between Windows applications and is almost exclusively used to point to data sources inside a network. Hackers have discovered how to use DDE to distribute 'weaponised' Office documents posing as legitimate documents such as invoices, which contain ransomware. All an unsuspecting member of staff has to do is open the innocent-looking attachment to compromise the entire organisation's database.

The problem is that DDE is pretty old technology, dating back to the pre-internet days of the 1980s, which allows today's cyber-criminals to instantly execute links in a document once a victim opens it. Microsoft has replaced DDE with the more modern Object Linking and Embedding (OLE) technology. However, Microsoft has said it will continue to support and not remove DDE as an Office document feature despite its acting as a highly effective exploit method for cyber-criminals.
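Because a DDE field is ordinary document content rather than a macro, the defensive check is to inspect the field codes inside the document itself. The following scanner is an added example, not Glasswall's or Microsoft's code: it opens a .docx as the ZIP it is, reassembles each field code from its runs (the DDE keyword is commonly split across runs to evade naive string matching) and flags any DDE or DDEAUTO field; the two sample documents and the placeholder field arguments are constructed here for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"(?i)\bDDE(?:AUTO)?\b")  # the DDE and DDEAUTO field keywords

def field_codes(xml_bytes):
    """Yield each field code in one WordprocessingML part: simple fields as-is,
    complex fields rejoined from their instrText runs, nested fields flattened."""
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    depth, code = 0, []
    for el in root.iter():  # document order, so runs come out in sequence
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            depth += (kind == "begin") - (kind == "end")
            if depth == 0 and kind == "end":
                yield "".join(code)
                code = []
        elif el.tag == W + "instrText" and depth > 0:
            code.append(el.text or "")

def find_dde_fields(docx_bytes):
    """Return (part name, normalised field code) for every DDE/DDEAUTO field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):  # body, headers, footers
                for code in field_codes(z.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits

def build_docx(document_xml):
    """Constructed minimal .docx holding only the part the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples: a DDEAUTO field split across runs, and a harmless DATE field.
HEAD = '<w:document xmlns:w="%s"><w:body><w:p>' % W[1:-1]
TAIL = "</w:p></w:body></w:document>"
DDE_DOC = HEAD + ('<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO "PLACEHOLDER_PROGRAM" "PLACEHOLDER_ARGS"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Invoice</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>') + TAIL
CLEAN_DOC = HEAD + '<w:fldSimple w:instr=" DATE "><w:r><w:t>1 Dec 2017</w:t></w:r></w:fldSimple>' + TAIL
```

A field code that builds the keyword from character codes via nested QUOTE fields will not match this plain text check; evaluating field functions, or simply rejecting every document that contains any field, is the stricter policy.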

And, as DDE continues to be a legitimate feature, it needs to be surgically removed, something beyond the capability of traditional anti-virus or security scanning systems. The only solution has been the one cyber-security specialists Glasswall apply through a unique file regeneration process, which is able to filter out files containing this feature along with other new and emerging threats. As phishing and ransomware attacks succeed as a result of staff members opening attachments or links that deliver malware, Glasswall's Email File Protection Platform integrates seamlessly with companies' existing security architecture to provide a 'last line of defence' that proactively manages the risk that email attachments pose to the organisation. Users open secure email attachments without the fear of malware or ransomware, and the organisation continues without disruption from cyber-threats.

Windows' underlying DDE security flaw now affects almost every organisation whose users receive email attachments. Only a tiny percentage - those using cloud-based computing such as O365 - remain largely unaffected. Already there are reports of ransom demands being made following successful security breaches using Locky to exploit Windows' DDE vulnerability. Industry estimates from Cybersecurity Ventures* are that ransomware damage costs are around US$5 billion (£3.7 billion) a year and are predicted to exceed US$11.5 billion (£8.5 billion) annually by 2019. Even this could be an underestimate. But the full scale of the problem is difficult to gauge, as few companies report successful ransomware attacks for fear of frightening off customers and investors.

And there is growing case evidence that ransomware attacks and outbreaks are becoming increasingly ambitious. Exactly a year ago, a ransomware attack hit San Francisco's public transport system, infecting over 2,000 of the Municipal Transport Agency (MTA)'s computers. The affected systems included administration computers, email and print servers, payroll systems, databases, staff terminals, and publicly visible station kiosk PCs. There was no hiding the effect of the ransomware from the citizens of San Francisco, who went viral on Twitter sharing pictures of infected computers displaying the message: "You Hacked, ALL Data Encrypted, Contact For Key (cryptom27@yandex.com) ID:601".

Rather than meet the 100 Bitcoin (£985,000 at current rates, though nearer £55,000 at the time) ransom demand for the decryption key, the MTA opened the transport system's fare gates and immediately contacted the Department of Homeland Security. But although the MTA behaved in an exemplary fashion by refusing to give in to the cyber-criminals, organisations forced to pay a ransom often hide the fact. The financial industry, for instance, has long been a target for all varieties of ransomware, but the banks have not been obliged to reveal data breaches.

However, from May the situation is set to alter radically with the introduction of the European Union (EU)'s General Data Protection Regulation (GDPR). Despite Brexit, the UK has agreed to comply with the GDPR. Among other things, GDPR makes it mandatory to report significant cyber-breaches immediately. Failure to do so makes the firm concerned liable to a draconian fine of up to four per cent of the company's global turnover. Organisations need reminding of this so that they do not just lazily follow 'best practice' but proactively seek out new and innovative technologies to stay ahead of attackers.

Recent high-profile hacks which the affected companies sat on for some time, such as the Uber breach and the recently revealed Equifax hack, which compromised the details of at least 700,000 UK consumers, would potentially have made those companies liable for significant fines in the hundreds of millions had the security breaches taken place after May next year. If it had appeared that they had not taken sufficient cyber-security precautions or had not disclosed the security breach quickly enough, the results could have been devastating. In Equifax's case, the fine would have been as high as £94 million. In Uber's case, it could have been as high as £190 million. In addition to the fiscal and reputational damage, organisations failing to comply with GDPR could also see jail sentences handed out to those executives held responsible.

There is now an increasing focus on DDE vulnerabilities that will make it hard for the executives of firms which have been breached in this way or forced to pay ransomware to plead ignorance of such a glaring and well-reported security weakness. Microsoft, for example, recently tweeted a warning that cyber-criminals might be using DDE to deliver malware during the Christmas online shopping season.

Companies wishing to avoid any future variants of ransomware can no longer just rely on cyber-breach recovery programs as a means of insurance. Best practice should evolve into taking proactive measures to secure the organisation against damaging cyber-security breaches before they happen; there is no option but to take firm control of all incoming email attachments, particularly those exploiting the Windows DDE vulnerability.

By Lewis Henderson, VP of Threat Intelligence, Glasswall Solutions

Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media

*Cybersecurity Ventures