The figures that show why Microsoft is so worried about Office macros

Most ransomware is deployed through macro-laden files


New ransomware figures from Venafi and Forensic Pathways have shed some light on why Microsoft is currently so worried about the security of Office macros.

Over the course of five months (November 2021 to March 2022), the two companies analyzed 35 million dark web URLs, including marketplaces and forums for ransomware products and services, and found that almost all (87%) of the ransomware found on the dark web had been delivered to endpoints via malicious macros.

The two companies identified a total of 30 different malware products, including Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear, and WannaCry.

Macros as a ransomware launchpad

Not all ransomware was created equal, however. Strains used in high-profile attacks cost more: the Darkside variant used in the Colonial Pipeline attack, for example, cost $1,262. Source code for popular ransomware is also relatively expensive, the researchers found, with Babuk’s source code going for $950, while Paradise’s sold for $593.

Macros are an important feature for every advanced Office user, as they allow files to pull data from the web automatically and update their contents autonomously. Because of that capability, threat actors abused macros for years, until Microsoft decided to prevent macro-carrying files downloaded from the internet from running in the first place.

“Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft’s indecision around disabling of macros should scare everyone,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. “While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector.”


The findings, Venafi argues, are a strong argument for machine identity management control planes, which would drive specific business outcomes such as observability, consistency, and reliability. Code signing, it says, is a “key machine identity management security control” that helps eliminate macro-powered ransomware attacks: if only macros signed by a trusted publisher are allowed to run, an unsigned macro dropped into a document cannot execute.


“Using code signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in their tracks,” Bocek concludes. “This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, healthcare and energy where macros and Office documents are used every day to power decision making.”
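The two controls the article describes, blocking macros in files downloaded from the internet and allowing only digitally signed macros to run, are both ordinary Office Trust Center settings. The PowerShell below is an added example (not from the article, Venafi or Microsoft) that audits those per-user settings for Word, Excel and PowerPoint and applies the hardened values; it assumes Office 2016/Microsoft 365 (registry version `16.0`) and the per-user key, while GPO-managed environments set the same value names under `HKCU:\Software\Policies\Microsoft\Office\...` instead.

```powershell
# Added example: audit and harden per-user Office macro settings.
# Assumption: Office 2016 / Microsoft 365 stores its settings under version "16.0".
# VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification (default),
#              3 = disable all except digitally signed macros, 4 = disable all silently.
# blockcontentexecutionfrominternet: 1 = block macros in files that carry Mark of the Web.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        $vbaText  = if ($null -eq $vba)  { 'not set (default 2)' } else { $vba }
        $motwText = if ($null -eq $motw) { 'not set' } else { $motw }
        # Flag a weak state: "enable all macros" or no internet-origin block in place
        $weak = ($vba -eq 1) -or ($motw -ne 1)
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vbaText
            BlockInternetMacros = $motwText
            Weak                = $weak
        }
    }
}

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Only macros signed by a trusted publisher may run
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value 3
        # Files downloaded from the internet (Mark of the Web) cannot run macros at all
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}

# Audit first; run Set-MacroPolicy, then Get-MacroPolicy again, to confirm Weak is False
Get-MacroPolicy | Format-Table -AutoSize
```

Signed macros are only a control if the list of trusted publishers is itself curated: a certificate added to Trusted Publishers by an end user re-opens the door, so that list should be managed centrally alongside these values.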

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.