Early variants of a self-replicating ransomware implemented entirely in VBA macros were discovered last week.
Samples of the ransomware dubbed “qkG Filecoder” were uploaded to VirusTotal from Vietnam and contain some comments in Vietnamese. Researchers described the ransomware as a classic macro malware infecting Microsoft Word's Normal template (normal.dot template) upon which all new, blank Word documents are based, in a 22 November Trend Micro blog post.
The first sample was spotted on 12 November and didn't even have a Bitcoin address, though it had one two days later, with the latest variant using a routine that encrypts a document on a specific day and time. Researchers have since seen samples that use different behaviours. When the ransomware did get a Bticoin address, researchers noted that it still didn't have any transactions on it.
Researchers said “qkG filecoder stands out as the first ransomware to scramble one file (and file type), and one of the few file-encrypting malware written entirely in Visual Basic for Applications (VBA) macros,” in the post. “It's also one of the few that uncommonly employs malicious macro codes, unlike the usual families that use macros mainly to download the ransomware.”
Other notable behaviours include encrypting the document's contents but leaving the file structure intact and the filename unchanged and affecting ActiveDocument meaning only the opened documents will be encrypted.
The ransomware's use of malicious macros is similar to techniques employed by a .lukitus variant of Locky ransomware that uses the Auto Close VBA macros. Researchers said the ransomware was likely still an experimental project or a proof of concept (PoC) rather than a malware actively used in the wild and that they expect to see its techniques rehashed, broadened, and repurposed for other cyberattacks.
Users can significantly reduce their risks of macro-based malwares such as this one by using cyber-security hygiene and applying best practices against ransomware by keeping systems and applications updated, frequently backing up data, and restricting the uses of tools and features that can be used as attack vectors.