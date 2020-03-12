A new ransomware variant takes advantage of a Microsoft Excel feature. It's a good reminder to keep security software up-to-date.

The variant has been reported by security company Lastline. It involves a known ransomware called Paradise that operates in the familiar fashion: the attackers find a way to get remote access to a computer, then encrypt files and demand a fee to restore access - sometimes in the tens of thousands of dollars, or much higher.

In this case, the attackers try to trick victims into opening a file attachment that creates the opening for accessing the machine. The difference here is that the file is in IQY (Internet Query) format. (Source: lastline.com)

That's a plain-text file that Microsoft Excel opens and uses, and it instructs Excel to retrieve data from the Internet. A common use is pulling in stock prices, for example in a spreadsheet that calculates the current value of an investor's portfolio.

Lastline says the attackers appear to be using the IQY file to download an Excel formula that accesses a system process. That in turn lets the formula instruct the computer to take actions such as accessing and encrypting files.

Malware Scanners May Miss Attack

The company says the use of IQY format creates a double risk, particularly for business users. Firstly, it's a legitimate file format that has practical uses, so many security programs won't automatically block it or treat it as suspicious.

Secondly, because the IQY file itself doesn't actually do anything on the computer (other than retrieve the online data), it might not be caught by some malware scanners that analyze attachments.

Researchers at Lastline allowed a test machine to get infected, then contacted the attackers through an online chat tool as instructed but didn't get a reply. That could be because the attackers spotted who was contacting them, or it could be that the campaign of attacks is still in development.

Former Soviet Languages Whitelisted

The researchers didn't find out much about who was responsible. However, they did notice that the ransomware was set up so that it didn't encrypt files on computers where the language was set to Belarusian, Kazakh, Russian, Tatar or Ukrainian. (Source: zdnet.com)

Users who have detailed access to their security tools, such as office administrators, could add IQY files to the list of formats that should trigger suspicion. For home users, security software companies may update their tools in response to the report, so it's worth checking for updates or switching automatic updates on.
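The article describes the IQY layout only in outline (a text file telling Excel which URL to fetch) and then suggests that administrators treat the format as suspicious. The following is an added example, written for this page and not code from Lastline or from the original article, showing how a content-based check for IQY attachments might look: it recognises the standard IQY layout (a first line of `WEB`, a second line `1`, then the URL Excel will query) regardless of the file's extension, and flags files whose URL points somewhere other than an allowlisted host. The `TRUSTED_HOSTS` allowlist, the `assess_iqy`/`parse_iqy` function names and the sample attachments are all constructed for the example.

```python
"""
Added example (not from the original article or from Lastline): a small
defensive scanner for Internet Query (IQY) files, the text format the
article describes. It parses the well-known IQY layout (a first line of
"WEB", a second line "1", then the URL Excel will fetch) and flags files
that would pull content from an untrusted host, so an administrator can
quarantine such attachments before Excel ever opens them.

Assumptions (not stated in the article): the allowlist of trusted hosts
and the sample attachments below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allowlist: hosts a business legitimately pulls data from.
TRUSTED_HOSTS = {"quotes.example-finance.com"}


@dataclass
class IqyVerdict:
    is_iqy: bool
    url: str | None = None
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.is_iqy and bool(self.reasons)


def parse_iqy(text: str) -> str | None:
    """Return the query URL if `text` is laid out like an IQY file, else None.

    The check is content based, not extension based: a renamed IQY file
    (for example one delivered as .txt) is still recognised, because Excel
    itself only cares about the contents.
    """
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln]  # ignore blank lines
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        return None
    return lines[2]


def assess_iqy(text: str, trusted_hosts: set[str] = TRUSTED_HOSTS) -> IqyVerdict:
    """Classify an IQY file by where its query URL points."""
    url = parse_iqy(text)
    if url is None:
        return IqyVerdict(is_iqy=False)

    verdict = IqyVerdict(is_iqy=True, url=url)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        verdict.reasons.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        verdict.reasons.append("cleartext http: fetched content can be altered in transit")

    if not host:
        verdict.reasons.append("no host in URL")
    else:
        try:
            ip_address(host)
            verdict.reasons.append("URL uses a bare IP address instead of a hostname")
        except ValueError:
            pass  # a normal hostname, not an IP literal
        if host not in trusted_hosts:
            verdict.reasons.append(f"host {host!r} is not on the trusted allowlist")
    return verdict


def scan_attachments(attachments: dict[str, str]) -> dict[str, IqyVerdict]:
    """Run the check over a batch of attachment name -> text content."""
    return {name: assess_iqy(body) for name, body in attachments.items()}


# Constructed sample attachments (not real campaign data).
LEGIT_IQY = "WEB\n1\nhttps://quotes.example-finance.com/portfolio?fmt=csv\n\nSelection=AllTables\n"
UNTRUSTED_IQY = "WEB\r\n1\r\nhttp://203.0.113.10/update.php\r\n"
NOT_IQY = "Hello,\nplease find the quarterly figures attached.\n"

if __name__ == "__main__":
    results = scan_attachments(
        {"portfolio.iqy": LEGIT_IQY, "invoice.txt": UNTRUSTED_IQY, "note.txt": NOT_IQY}
    )
    for name, v in results.items():
        status = "QUARANTINE" if v.suspicious else ("ok" if v.is_iqy else "not an IQY file")
        print(f"{name}: {status}" + ("; ".join([""] + v.reasons) if v.reasons else ""))
```

The design point is that the verdict depends on what the file would make Excel do (fetch a URL, and from where), not on the `.iqy` extension, since a mail filter that only matches extensions is easy to sidestep by renaming. In practice the allowlist would be populated from the data sources the organisation actually uses.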

