Cerber Ransomware Hits Office 365 Users

Malicious macro exploits have been a security issue for Office users since the day macros were introduced, and the newest malware to take advantage of this vulnerability is the Cerber ransomware.

However, there are lots of legitimate workflow macros, so you cannot by default disable all macros in all Office programs. In the past, you could create trusted macro locations within your network or system to add a layer of protection and prevention from malicious macros running:

GPO- Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations

The latest threat, though, with the added use of cloud locations, makes it harder to control and disable external document macros. While there is now an option to block macros from running in Office files from the Internet, unless users save the trusted cloud documents to a local path — which must be designated as trusted in the GPO or system — then it still may block legitimate work macros. So, short of blocking important workflow macros you may need, you will need to plan accordingly and remind the users what’s safe to open and when to double check.

The latest and worst macro exploit now triggers the Cerber ransomware, which can veritably thrash your data and systems.

Spam and phishing emails with this malicious attachment are currently targeting Office 365 users due to the fact that they know they have the Office suite to open the attachment macros that trigger the malware. The ransomware depends on the user to open the exploitative macros through “Enable Editing” and “Enabling Content” in the attachment. Here is an example of what one looks like:

cerber ransomware

Cerber ransomware has been around since March, but the Office 365 and cloud-based targeting only just begun recently. Victims see a ransomware note and the malware will also read aloud a note stating that their files have been encrypted.

Cerber uses AES-256 encryption and the victims are asked to pay about $800 U.S. dollars’ worth in Bitcoin. If you don’t have a recent backup, your only recovery option may be to pay the ransom if critical data is encrypted. Of course, there is no actual guarantee they will honor the payment agreement.

If you are not using additional safeguards outside of what is provided by Microsoft, you could be at risk. We recommend you implement the following to help prevent ransomware from infecting your system:

  • Spam filtering
  • Firewalls
  • DNS filtering (such as OpenDNS)
  • Content filtering
  • Antivirus/antimalware
  • Group Policies to manage trusted locations
  • Employee policies that outline how to open external documents
  • Backups (potentially ones that are not connected to the network)

If you need further assistance with implementing the above or if you are compromised, you can send us an email or give us a call at 502-240-0404!