Machine identity management company Venafi has published new research suggesting that 87% of ransomware found on the dark web was delivered via malicious macros to infect targeted systems.
The article is the result of a collaboration with Forensic Pathways, which between November 2021 and March 2022 analyzed 35 million URLs from the dark web, including marketplaces and forums, using the engine dark search engine from Forensic Pathways.
The results reportedly revealed 475 web pages of elaborate ransomware products and services, as well as numerous high-profile groups aggressively marketing ransomware as a service (RAAS).
Forensic Pathways has also identified 30 different “brands” of ransomware, with some household names such as BlackCat, Egregor, Hidden Tear and WannaCry having been successfully used in large-scale attacks.
The research also suggested that Ransomware strains used in large-scale attacks command a higher price for associated services.
“For example, the most expensive listing was $1262 for a customized version of Darkside ransomware, which was used in the infamous 2021 Colonial Pipeline ransomware attack,” the report read.
Similarly, source code listings for well-known ransomware typically fetch higher prices, with Babuk source code listed for $950 and Paradise source code selling for $593.
For context, macros are typically used to automate common tasks in Microsoft Office, but they can also be exploited by attackers to deliver malware.
To mitigate the impacts of such attacks, in February Microsoft announced that they would block Office macros downloaded from the Internet by default, but they later temporarily reversed this decision in response to community feedback.
“Since almost anyone can launch a ransomware attack using a malicious macro, Microsoft’s indecision about disabling macros should scare everyone away,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi.
“While the company changed course a second time on disabling macros, the fact that there was a backlash from the user community suggests that macros may persist as a mature attack vector. .”
At the same time, Bocek thinks that to eliminate the threat of macro-enabled ransomware, it is enough to use code signing.
“Using code-signing certificates to authenticate macros means unsigned macros can’t run, stopping ransomware attacks in their tracks,” he explained.
“This is an opportunity for security teams to scale up and protect their business, especially in the banking, insurance, healthcare and energy industries where macros and Office documents are used every day to inform decision-making.”