Ransomware Targets Outdated Microsoft Excel Macros to Deploy Attacks

Published at: July 3, 2020

Microsoft Security Intelligence alerted users to a type of ransomware, called Avaddon, that uses Excel 4.0 macros to distribute malicious emails. These emails contain attachments which deploy an attack when opened in any version of Excel.

Avaddon ransomware emerged in early June through a massive spam campaign that randomly targeted its victims. Some patterns seem to indicate that the ransomware mostly targets Italian users.

Impersonating Italian officials

As BleepingComputer reports, the attackers behind the ransomware are recruiting “affiliates” to spread the payload. According to their analysis, Avaddon’s average ransom amount is around $900, paid in crypto.

The attack commonly impersonates officials from Italy’s Labor Inspectorate. Messages alert small businesses to alleged work violations during “a period of crisis,” referring to the COVID-19 pandemic.

Microsoft said in its Twitter profile:

“While an old technique, malicious Excel 4.0 macros started gaining popularity in malware campaigns in recent months. The technique has been adopted by numerous campaigns, including ones that used COVID-19 themed lures.”

Avaddon’s messages warn about pending legal actions which will be taken if the user does not open the malicious document.

Numerous victims

A recent study by cybersecurity firm, Proofpoint, shows a recent increase in email-based phishing attacks used to deliver ransomware.

On July 1, Cointelegraph reported that a new ransomware was targeting macOS users who illegally torrent popular apps. The attack, known as EvilQuest, was first spotted by K7 Lab malware researcher, Dinesh Devadoss.

Tags
Related Posts
Bitcoin Ransomware and Remote Working: What the Future Holds
The new work-from-home culture is gaining more traction than ever before as businesses, government departments and schools try to remain afloat while flattening the pandemic curve. This migration to remote working is a double-edged sword that creates a fertile land for cybercriminals to thrive on. There is no way that cyberattacks can be eliminated completely. The best that companies can do is minimize the frequency of the threats. What is ransomware? Cybercriminals use malicious software code to block people or organizations from accessing their computer systems until a ransom has been paid. Cryptocurrencies such as Bitcoin (BTC) have made it …
Technology / Aug. 21, 2020
Don’t blame crypto for ransomware
Recently, gas has been a hot topic in the news. In the crypto media, it’s been about Ethereum miner’s fees. In the mainstream media, it’s been about good old-fashioned gasoline, including a short-term lack thereof along the East Coast, thanks to an alleged DarkSide ransomware attack on the Colonial Pipeline system, which provides 45% of the East Coast’s supply of diesel, gasoline and jet fuel. In cases of ransomware, we generally see a typical cycle repeat: Initially, the focus is on the attack, the root cause, the fallout and steps organizations can take to avoid attacks in the future. Then, …
Technology / May 30, 2021
Major Chilean bank shuts down all branches following ransomware attack
Banco Estado, the only public bank in Chile and one of the three largest in the country, had to shut down its nationwide operations on Monday due to a cyberattack that turned out to be a ransomware launched by REvil. According to a public statement, the branches will remain closed for at least one day, but clarified that customers’ funds have not been affected by the incident. Citing sources close to the investigation, ZDNet reported that the REvil ransomware gang is behind the attack. It reportedly originated from an Office document infected with the malware that an employee received and …
Technology / Sept. 8, 2020
Ransomware Threatens Production of 300 Ventilators Per Day
The FDA-approved Coronavirus ventilator manufacturer Boyce Technologies has been targeted by ransomware launched by the DoppelPaymer gang, who are threatening to leak data from the company. Cointelegraph has viewed the DoppelPaymer blog, where the gang lists example files of the data stolen during the attack, including sales and purchase orders, assignment forms, among others. The cybercriminals have threatened that more information will be disclosed next week through the site if an undisclosed crypto ransom is not paid by the firm. Boyce Technologies is well-known for its work in designing and manufacturing FDA-approved low-cost ventilators in just 30 days during the …
Blockchain / Aug. 7, 2020
Aviation Database Struck By Unknown Ransomware Gang
Smartwatch maker and data-syncing service provider, Garmin, was the subject of a ransomware attack that took down several of its services on July 23, which managed to encrypt its internal network. According to a series of tweets published by the company, the Garmin Connect website and mobile app were affected by the hackers, plus the call centers and every customer support resources like replying emails, online chats, and handling calls. However, the nature of the attack was unveiled by ZDNet, who also stated that the cybercriminals also targeted flyGarmin, the company’s service that supports its line of aviation navigational equipment. …
Technology / July 25, 2020