News & Blog

Ransomware Found Hiding in Google Docs

By Francis West on 20th July 2016

In the world of Cyber Crime, malware has proven to be a persistent and potent threat in recent months. Hot on the heels of ‘Locky’ and ‘Raa’ ransomware comes a new variant of ransomware which has recently been discovered hiding in Google Docs.

‘Cute’ It Is Not.

This latest ransomware threat has been ironically dubbed 'cuteRansomware'. Internet Security experts say it is a Chinese variant of a ransomware package published a few months ago on GitHub known as 'my-Little-Ransomware'.

Ransomware is a form of malware that typically encrypts important files on the victim’s computer so that they are locked out of them. A demand for money is then issued to the victim in exchange for a key to a release the files.

This kind of malware attack has dramatically increased in recent months with criminals finding many different and new ways to help the ransomware to beat the user’s security measures.

How Cute Works.

The cuteRansomware recently discovered by security researchers works in a similar way to other known ransomware programs but has some key differences that enable it to beat the victim’s security. For example, Cute:

  • Infects the victim’s computer in the first place via a drive-by download i.e. via a security flaw in a browser, app or an out of date operating system.

  • Uses Google's own security to bypass the victim's firewalls, thereby leaving the attacker free to encrypt the end-user's files at will. Google Docs is therefore used as a data transmission vector, and a Google Docs form is used to relay details to the attacker. These details include RSA encryption keys and the name of the victim's computer.

Why is Using Google Docs So Effective?

Just as ‘Raa’ was written in Javascript in order to stop it triggering Windows security warnings or requiring administrator access to run, by using Google Docs cuteRansomware benefits from the default HTTPS network data transmission over SSL that Google Docs has. These elements can easily beat firewalls, intrusion prevention systems, or next generation firewalls thus giving the attacker an effective way in.

Unfortunately, traditional detection tools still lack visibility into SSL meaning that those deploying cute are at an advantage at this point in time.

Fewer File Types

One small plus point is that the cuteRansomware variant seeks out and encrypts fewer file extensions than the ‘my-Little-Ransomware' that it was developed from. It is still however likely to target the most popular file extensions, thereby making it able to do a very effective job of locking the user out of their own important files.

What Does This Mean For Your Business?

As more businesses move things into the Cloud this latest ransomware indicates that Cyber Criminals will be moving there too, using the cloud for delivering malware and exfiltrating data via command-and-control.

As with any malware risk the trick for business is not to get infected in the first place.

Businesses need therefore to raise awareness among staff that they all need to be very careful about opening emails with attachments and / or emails from sources that are not familiar.

Keeping computer updates, patches, and anti virus software up to date is also very important, particularly in the case of cute. Having a reliable, secure back up of your important files and folders is also advisable if not essential.