Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.
The good news is that this ransomware is still under development and has not made any victims in the real world just yet.
Trend Micro security researcher Jaromir Horejsi spotted qkG at the start of the month in the mountain of suspicious files uploaded to Google's VirusTotal file scanner each day.
qkG is an oddity on the ransomware scene because it works very differently from similar threats. A typical qkG infection goes through the following steps:
Step 1: User downloads and opens infected Word document.
Step 2: User clicks the "Enable Editing" button, which allows the execution of macro scripts, in this case VBA code attached to the document.
qkG is entirely contained within the macro script, an oddity, since most ransomware threats only use macros to download and run their main binary.
Step 3: The qkG code runs, but nothing happens. This is because qkG uses the onClose function to execute the malicious part of the macro code (the actual qkG ransomware) when the user closes the Word file.
The qkG author might have gotten inspiration from a Locky campaign that took place over the summer that also used the onClose function inside Word macro scripts to download and run the Locky ransomware.
Step 4: The malicious code that runs after the user closes the infected Word file does the following:
The biggest problem with qkG is that it modifies the normal.dot template and appends a copy of itself to it. This means that whenever users start Word again, the modified normal.dot template with the malicious code is loaded and executed, so the ransomware runs against any other file users open and encrypts those files as well.
If the user shares one of these documents with other users and they enable macros, their Word instances will be infected as well.
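The persistence mechanism described above leaves a concrete artifact to look for: a Normal template that carries a VBA project. The check below is an added example and is not code from Trend Micro's report or from the qkG sample. It assumes the modern OOXML template layout (Normal.dotm is a zip archive and any macros live in the part word/vbaProject.bin) and the default Windows template location under %APPDATA%; the legacy binary normal.dot format named in the article is not a zip, so the check reports it as not inspectable rather than guessing.

```python
# Added example, not from the Trend Micro report or the qkG sample.
# Checks whether a Word template in OOXML (.dotm) form carries a VBA project,
# which is what a macro that appends itself to the Normal template leaves behind.
import io
import os
import zipfile

VBA_PART = "word/vbaProject.bin"  # where OOXML stores the VBA project


def template_macro_status(data: bytes) -> str:
    """Return 'macros', 'clean' or 'not-ooxml' for the given template bytes.

    A legacy binary .dot file is not a zip archive, so it is reported as
    'not-ooxml' instead of being inspected.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return "macros" if VBA_PART in names else "clean"


def default_normal_template_path() -> str:
    # Default Windows location of the user's Normal template (assumption:
    # adjust for roaming profiles or custom template paths in your environment).
    return os.path.join(
        os.environ.get("APPDATA", ""), "Microsoft", "Templates", "Normal.dotm"
    )


def make_fake_template(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-like zip so the check can be run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Constructed placeholder body; a real part is an OLE compound file.
            zf.writestr(VBA_PART, b"constructed placeholder vba project")
    return buf.getvalue()


if __name__ == "__main__":
    path = default_normal_template_path()
    if os.path.exists(path):
        with open(path, "rb") as f:
            print(path, "->", template_macro_status(f.read()))
    else:
        print("no Normal.dotm found at", path)
    # Offline demonstration on constructed templates
    print("constructed with macros  ->", template_macro_status(make_fake_template(True)))
    print("constructed without      ->", template_macro_status(make_fake_template(False)))
```

A clean default Normal template has no VBA project at all, so any result of "macros" on a machine where the user never saved macros to Normal is worth a closer look; the script deliberately does not delete or alter the template, since restoring it is a decision for the responder.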
The good news is that the XOR-based encryption is trivial to bypass. Current versions of the qkG ransomware come with a hardcoded decryption key of "I’m QkG@PTM17! by TNA@MHT-TT2".
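To show why a hardcoded XOR key makes recovery trivial, here is an added example; it is not code from the qkG sample or from Trend Micro's report. It assumes the scheme is a plain repeating-key XOR over the document bytes (an assumption; the article only says the encryption is XOR-based and quotes the key), and the sample document is constructed. Because XOR is its own inverse, one routine both encrypts and decrypts, and because ciphertext XOR plaintext yields the key stream, a short stretch of known plaintext exposes the entire key even if it had not been hardcoded.

```python
# Added example, not qkG's own code. Assumes a repeating-key XOR over the
# document bytes; the article states only that the scheme is XOR-based and
# quotes the hardcoded key below.
HARDCODED_KEY = "I\u2019m QkG@PTM17! by TNA@MHT-TT2"  # key as quoted in the report


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, cycling the key.

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_with_known_key(ciphertext: bytes) -> bytes:
    """Recovery path 1: the key is hardcoded, so just apply it."""
    return xor_repeating(ciphertext, HARDCODED_KEY.encode("utf-8"))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recovery path 2: known plaintext. ciphertext XOR plaintext returns the
    key stream, and a repeating key is fully exposed after key_len bytes."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return xor_repeating(ciphertext[:key_len], known_plaintext[:key_len])


def decrypt_with_recovered_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover the key from known plaintext, then decrypt the whole file."""
    return xor_repeating(ciphertext, recover_key(ciphertext, known_plaintext, key_len))


# Constructed sample document (not real victim data)
SAMPLE_DOC = b"Quarterly report: revenue grew 4% in Q3. Headcount unchanged."

if __name__ == "__main__":
    key_bytes = HARDCODED_KEY.encode("utf-8")
    ct = xor_repeating(SAMPLE_DOC, key_bytes)
    print("ciphertext:", ct.hex())
    print("with hardcoded key :", decrypt_with_known_key(ct))
    # Only the first len(key_bytes) bytes of plaintext need to be known
    print("with recovered key :", decrypt_with_recovered_key(ct, SAMPLE_DOC[:len(key_bytes)], len(key_bytes)))
```

The known-plaintext path is the relevant one for a responder: Office files open with fixed headers, so the first bytes of a document are predictable, which is enough to recover a repeating key of this length from a single encrypted file.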
In Trend Micro's qkG report, Horejsi says he spotted different versions of this ransomware uploaded over time on VirusTotal.
Each version contained new features, some of which are now being used by the latest version, while others remained inactive, or have been removed.
It is quite evident that qkG is an in-development ransomware because the first versions didn't even include a Bitcoin address where users could pay the ransom fee.
Subsequent versions added a decryption routine, but it was never activated in the code. This means that if qkG were to infect real-world users, the ransomware wouldn't be able to decrypt infected files.
Another feature that was never activated is an encryption routine that targeted data stored in the user's clipboard. One other qkG version only encrypted files on a specific day of the week and at a specific time.
Based on evidence Horejsi found in the qkG samples, the malware author goes by the name of TNA-MHT-TT2 and appears to be based in Vietnam.
The qkG code contained Vietnamese words, and the qkG samples were all uploaded to VirusTotal by a user with a Vietnamese IP address.
While qkG has not been seen in live infections just yet, "qkG’s unique use of malicious macros is still notable," according to Horejsi, "and like other ransomware families, we expect this technique to be rehashed, broadened, and repurposed for other cyberattacks."