Dark Web Research Suggests 87% of Ransomware Brands Exploit Malicious Macros

Machine identity management firm Venafi has published new research suggesting that 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

The paper is the result of a collaboration with Forensic Pathways, which between November 2021 and March 2022 analyzed 35 million dark web URLs, including marketplaces and forums, using the Forensic Pathways Dark Search Engine.

The findings reportedly uncovered 475 web pages of elaborate ransomware products and services, alongside many high-profile groups aggressively marketing ransomware-as-a-service (RAAS).

Forensic Pathways also identified 30 different “brands” of ransomware, with some known names such as BlackCat, Egregor, Hidden Tear and WannaCry having been successfully used in high-profile attacks.

The research also suggested Ransomware strains used in high-profile attacks command a higher price for associated services. 

“For example, the most expensive listing was $1262 for a customized version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021,” read the report.

Similarly, source code listings for well-known ransomware generally cost higher prices, with Babuk source code listed for $950 and Paradise source code selling for $593.

For context, macros are typically used to automate common tasks in Microsoft Office, but they can also be exploited by attackers to deliver malware.

To mitigate the impacts of such attacks, in February, Microsoft announced the default blocking of Office macros downloaded from the internet, but they then temporarily reversed that decision in response to community feedback.

“Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft's indecision around disabling of macros should scare everyone,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi.

“While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector.”

At the same time, Bocek believes that to eliminate the threat of macro-enabled ransomware is sufficient to use code signing.

“Using code signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in their tracks,” he explained.

“This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, healthcare and energy where macros and Office documents are used every day to power decision making."

What’s Hot on Infosecurity Magazine?