Researchers from Trend Micro have discovered a new ransomware which encrypts only word documents and propagates itself to new word files which are being opened through the same office suite on the same computer.
But the good news is that the said malware is, still under development and has not made any victims till date.
Security Researcher Jaromir Horjsi from Trend Micro revealed a few technical details about the malware through our publication today. Horjsi said that the new ransomware named qkg was discovered at the start of this month in a heap of digital files which were being uploaded to Google’s VirusTotal File Scanner. And the malware spread is taking place in the following way-
• First, the user downloads and opens infected word documents
• He/she then enables editing button which allows the execution of macro scripts which is, in this case, is a VBA code attached to the document.
• As qkg is contained in the macro script, it uses the onClose function to execute the malicious part of the macro code when the user closes the word file. And this is when the malware spreads to other files locking them from further access.
• And if in case, the user shares one the infected documents with others, and if they enable macros, they will infect their MS word documents too.
Jaromir said that he found different versions of ransomware uploaded to Google’s VirusTotal on several occasions. Some displayed new characteristics with each version, while some remained completely inactive or have been removed.
As the qkg ransomware contains Vietnamese words and was uploaded to VirusTotal from an IP address hosted by a Vietnam ISP, the security researcher from Trend Micro suspects that the developer of qkg ransomware is from Vietnam.
Note- VirusTotal is a free online web service that analyzes files and URLs to identify the virus, worms, Trojans and other kinds of malicious content which remain undetected by antivirus engines and website scanners. It was operating as a Spanish security company since 2004 and was acquired by Google in September 2012.
