New Ransomware Exploits Excel Format

John Lister's picture

A new ransomware variant takes advantage of a Microsoft Excel feature. It's a good reminder to keep security software up-to-date.

The variant has been reported by security company Lastline. It involves a known ransomware called Paradise that operates in the familiar fashion: the attackers find a way to get remote access to a computer then encrypt files and demand a fee to restore access - sometimes in the tens of thousands of dollars, or much higher.

In this case, the attackers try to trick victims into opening a file attachment that creates the opening for accessing the machine. The difference here is that the file is in IQY (Internet Query) format. (Source: lastline.com)

That's a text file that's opened and used by Microsoft Excel and instructs it to retrieve data from the Internet. A common way to use it is to access stock prices, for example in a spreadsheet that calculates the current value of an investor's portfolio.

Lastline says the attackers appear to be using the IQY file to download an Excel formula that accesses a system process. That in turn lets it tell the computer to do something - such as accessing and encrypting files.

Malware Scanners May Miss Attack

The company says the use of IQY format creates a double risk, particularly for business users. Firstly, it's a legitimate file format that has practical uses, so many security programs won't automatically block it or treat it as suspicious.

Secondly, because the IQY file itself doesn't actually do anything on the computer (other than retrieve the online data), it might not be caught by some malware scanners that analyze attachments.

Researchers at Lastline allowed a test machine to get infected, then contacted the attackers through an online chat tool as instructed but didn't get a reply. That could be because the attackers spotted who was contacting them, or it could be that the campaign of attacks is still in development.

Former Soviet Languages Whitelisted

The researchers didn't find out much about who was responsible. However, they did notice that the ransomware was set up so that it didn't encrypt files on computers where the language was set to Belarusian, Kazakh, Russian, Tatar or Ukranian. (Source: zdnet.com)

Users who have detailed access to their security tools, such as office administrators, could add IQY files to the list of formats that should trigger suspicion. For home users, security software companies may update their tools in response to the report, so it's worth checking for updates or switching automatic updates on.

What's Your Opinion?

Have you ever used an IQY file? Would you normally be suspicious if you received one as an attachment? Do you have a theory about the language aspect of the ransomware?

Rate this article: 
Average: 5 (5 votes)

Comments

jamies's picture

Hi there
Having read the article, and realised that I (AFAIK) do not use IQY files, I thought - maybe an easy way to make my system safer (safer, not safe) would be to stop the IQY file types being directed to Excel by the OS.
Simply create an empty file (.txt) and rename it to .IQY type then
select it (right click) select openwith and choose Notepad as the always use app)

So is that an appropriate action? - or is it pointless and I should just redo the win-10 association with Excel?

mark_w8's picture

I think that's a simple idea, and probably would work. I just created temp.iqy, and then did "Open with..." and chose my text editor program (and then I confirmed it is now the default app for that extension).

David's picture

I've worked with Excel for over 20 years, with queries, automations, and the like, and only once ever had a reason to save a query definition as an external IQY file separate from the worksheet it was intended for. I'm going to recommend this option to our IT manager. Now where's the Thumbs Up emoji on a Windows keyboard?

jamies's picture

Mark, David,
Thanks for your responses.

I was hoping for a confirmation from the article poster, or someone on the infopackets staff -
But seems that we are apparently expected to be a self help group.