On Tuesday, researchers from Reversing Labs reported a new version of the AstraLocker ransomware being distributed by phishing attachments. The attached Word document contains the ransomware executable itself (called “WordDocumentDOC.exe”) as an Object Linking and Embedding (OLE) object and asks the user to click and run it.
The researchers referred to this style of attack as a “smash and grab”; the attackers aren’t looking to infect entire domains, just to cause enough disruption to elicit the small payments they request. This indicates that the attackers are low-skill, which is typical of users of leaked ransomware source code.
This attack requires a significantly higher amount of user interaction than normal payloads: the user must open the Word document, double-click the OLE object, and then click Run on the subsequent security warning. Typically, attackers using Microsoft Office documents use macros to infect machines, since that only requires users to click the Enable Macros button after opening the attachment. User awareness and training may protect against this, but technical controls should be implemented to further mitigate the risk. For example, email attachment scanning is a component of many email security software suites. Companies can also implement application allow-lists to prevent unauthorized executables from running.
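The attachment scanning mentioned above can be illustrated with a small check for exactly the lure described here: an Office document carrying a Windows executable as an embedded OLE object. The following is an added example, not code from Reversing Labs or from the article; it assumes the document is in OOXML (.docx) form, where embedded objects live under `word/embeddings/` inside the zip container, and it uses a constructed fake PE stub rather than any real sample. Legacy `.doc` files are a single OLE compound file and need a proper CFB parser (for instance the open-source oletools project) rather than this zip-based approach.

```python
"""
Added example (not from the Reversing Labs report): flag embedded OLE objects in a
.docx that look like Windows executables. Assumption: OOXML layout, with embedded
objects stored as zip entries under word/embeddings/.
"""
import io
import zipfile

# "MZ" is the DOS header magic of a Windows PE file; "PE\0\0" marks the PE header.
MZ_MAGIC = b"MZ"
PE_MARKER = b"PE\x00\x00"
# Compound File Binary (OLE) header that wraps most embedded objects.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob is a bare PE file, or an OLE container with a PE inside."""
    if blob.startswith(MZ_MAGIC) and PE_MARKER in blob:
        return True
    if blob.startswith(CFB_MAGIC):
        # Packager-style OLE objects keep the payload inside the CFB streams;
        # a cheap heuristic is to look for a PE header anywhere in the container.
        idx = blob.find(MZ_MAGIC)
        return idx != -1 and PE_MARKER in blob[idx:]
    return False


def scan_docx(data: bytes) -> list:
    """Return the names of embedded objects that look like PE executables."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            if looks_like_pe(zf.read(name)):
                hits.append(name)
    return hits


def build_sample_docx(embedded_payload: bytes) -> bytes:
    """Construct a minimal docx-shaped zip with one embedded object (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", embedded_payload)
    return buf.getvalue()


# Constructed fake PE stub: DOS magic plus a PE marker, not a real or runnable binary.
FAKE_PE = MZ_MAGIC + b"\x90" * 62 + PE_MARKER + b"\x00" * 32
# Constructed benign embedding: an OLE container with no PE header inside.
BENIGN_OLE = CFB_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    print(scan_docx(build_sample_docx(FAKE_PE)))     # flagged
    print(scan_docx(build_sample_docx(BENIGN_OLE)))  # nothing flagged
```

In a mail gateway this check would run on each attachment before delivery; a hit is a strong signal to quarantine the message, since a legitimate document almost never needs to carry an executable as an embedded object.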
In typical attacks, the initial infection is usually designed to gain a foothold on the network and pivot to more systems to cover as much of the environment as possible. However, this version of AstraLocker only infects the system on which the attachment was opened. Companies can protect against “smash and grab” style attacks like this by ensuring business-critical files are not stored on local machines and by building and maintaining a quick re-imaging process to expedite recovery.