Dark Web Research Reveals 87% of Ransomware are Distributed Through Malicious Macros

Leading Machine Identity Company, Venafi, published a new research on based on the dark web. According to the research, over 87% of the ransomware found on the dark web were delivered through malicious macros.

Macros are commands used to automate repeated tasks in Microsoft Office. Although attackers can use replace macros with viruses with the intention to infect the systems of their targets. When infected, it is usually embedded into a document and can spread to other documents. Unfortunately, not all malicious macros can be detected though anti-virus software but there are other products that detect malicious macros.

The report is the result of a collaboration with Forensic Pathways. They analyzed 35 million dark web URLs, including marketplaces and forums, using the Forensic Pathway Search Engine. More findings included 475 web pages of ransomware products and services with high-profile groups agressively marketing ransomware-as-a-service(RaaS).

Additionally, Forensic Pathways identified 30 different ransomware groups with some popular names such as BlackCat, Egregor, Hidden Tear and WannaCry. The research suggested ransomware products used in high-profile attacks had higher prices on dark web for related services. According to the research, the most expensive listing was the customized version of Darkside ransomware which was for sale at $1262. The ransomware is known to be responsible for the Colonial Pipeline ransomware attack of 2021.

Similarly, source code listings for well-known ransomware also had higher costs. Babuk source code was listed for $950 and Paradise source code for $953.

According to Infosecurity, Microsoft announced the default blocking of Microsoft Office macros downloaded on the internet. In response to a community feedback, the decision was suddenly reversed.

Kevin Bocek, the vice president of security strategy and threat intelligence for Venafi said, “Given that anyone can launch a ransomware attack using a malicious macro, Microsoft’s indecision around disabling of macros should scare everyone. While the company has switched a course on disabling macros, the fact that there was a backlash from the user community suggests that macros could persist as a ripe attack vector.”

Moreso, Bocek believes the use of code signing for macros coud eliminate the malicous macros. He explained, “Using code signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in their tracks. This is an opportunity for security teams to step up and protect their businesses. Mostly in banking, insurance, healthcare and energy where macros and Office documents are used everyday to power decision making.”