The danger of ransomware is escalating and affecting many individuals and industries. [1] The main vector for distributing this type of malware is email. Often the phishing email contains, as an attachment, a Word document that requests that the recipient “enable editing and content” (effectively enabling macros) in order to be able to read it. [2] If this is done, the malware starts its process of encrypting files and displays messages explaining how they can be recovered.
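As an added illustration (not part of the original article), the check below reads an Office attachment's container to tell whether it carries a VBA project, which is what the “enable content” prompt would run, without opening the file in Word. The function name inspect_office_file and the two in-memory sample documents are constructed for this example; the vbaProject.bin part name, the macroEnabled content type and the legacy OLE2 signature are the real format conventions.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container

def inspect_office_file(data: bytes) -> dict:
    """Classify attachment bytes without opening them in an Office application.
    'has_macros' is True/False for OOXML and None when the container can't tell us."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats can carry VBA but need an OLE parser to confirm;
        # report unknown rather than claiming they are clean.
        return {"format": "ole2", "has_macros": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"format": "other", "has_macros": None}
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return {"format": "other", "has_macros": None}
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
    # VBA lives in a part named vbaProject.bin (under word/, xl/ or ppt/), and
    # macro-enabled documents declare a "macroEnabled" main content type.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    return {"format": "ooxml", "has_macros": has_vba_part or "macroenabled" in content_types}

def build_sample(macro: bool) -> bytes:
    """Constructed minimal Word package for demonstration; not a real attachment."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    vba_ct = ('<Override PartName="/word/vbaProject.bin" '
              'ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
    types_xml = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
                 f"{vba_ct}</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed VBA placeholder\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("report.docx", build_sample(False)), ("invoice.docm", build_sample(True))):
        print(label, inspect_office_file(blob))
```

A result of has_macros True, or None for a legacy binary file, is the signal to preview the content in a read-only viewer rather than in Word.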
In almost all recent cases, the file types involved in ransomware have been Word docs, Adobe pdf and graphics files.
In many cases, the files attached to the email are opened by individuals who are concerned or curious about the contents – they don’t do this unthinkingly. The criminals involved in this type of threat are becoming very good at the social engineering of their emails, convincing even experienced business executives to open the files and enable the malware to execute. Even with media warnings about this type of malware, individuals are still opening files purporting to be invoices or e-tickets because they are concerned that this is something that is important to them in some way.
As it turns out, once the recipient sees the actual content/text/image of the fake file, they realize (in most cases too late) that the document is not relevant to them – it is spam or a hoax or involves something unknown to them. So if the individual can see the document or image in question in a “safe”, non-vulnerable, read-only application, they will be able to determine its relevance and whether it requires them to subsequently open it in Word, Excel, PowerPoint, etc.
If we can look at the text of the document in a safe environment, we will be able through our normal critical review of content to mitigate the ransomware risk.
Most folks have been exposed to warnings and articles about how to protect yourself from this type of malware: keep current and protected back-ups, keep anti-virus apps updated, don’t open suspicious documents. The reality is that most people want to open the file to see if it is important to them. The objective of this prelude is to offer a simple and safe process to open attachments and files that are suspicious and/or unexpected without endangering your system. Here it is.
Google provides both their Drive and Docs/Sheets/Slides applications free to us. These applications are web based and the files are opened in the Google Drive space and not on your device. Files on the Drive can be opened with Preview, Docs, and other pdf applications. So if you are a Gmail user, rather than downloading a file immediately onto your device, it is easy to either open the file with Docs (if it is a Word/Excel/PowerPoint file) or upload it to Drive and open it there with Preview. In this way you can look at the file without risk of it infecting your device. If the file insists that it is to be opened in, say, Word, I would think this is a big red flag of danger. Don’t do it. If a partner or customer sends such a file, send them a link to this article! If the file content looks legit, you can download it to your device.
Once the file is on Drive, if you want to share just the text or image of it with others safely, you can download it as a pdf, rtf, or text file. In these forms, the file text or image can be shared without the potential embedded exploit.
The other benefit of this approach is that Google provides free file scanning before the file is downloaded. So if this file has been seen before and tagged as malicious, it will not be downloaded.
Virus scanning: Google Drive scans a file for viruses before the file is downloaded or shared. If a virus is detected, users can’t share the file with others, send the infected file via email, or convert it to a Google Doc, Sheet, or Slide, and they’ll receive a warning if they attempt these operations. The owner can download the virus-infected file, but only after acknowledging the risk of doing so. https://support.google.com/a/answer/172541?hl=en
For folks that are on enterprise systems and use Exchange for email, this approach is a bit more intrusive – but still effective. You need to set up a free Google Drive account, upload any suspicious files to the Drive, and open them there before opening them on your device in Word/Excel/Adobe Reader/etc. Don’t open the original file on your system until you are satisfied the contents are appropriate to you and your job. For example, if the invoice looks strange and you want to get another opinion, download it from Drive as a pdf file or print it, and advise your IT team that you have a suspicious file.
Once you get familiar with Drive and with uploading and downloading, this is a simple and quick process – well worth trying.
So here is my suggestion to help reduce your exposure to ransomware:
Only open any unknown/unexpected file using Google Docs or Preview
Tom McHale www.stoneturnerllc.com 26 April 2016
[1] http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016
[2] https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/