The figures that show why Microsoft is so worried about Office macros


New ransomware figures from Venafi and Forensic Pathways shed some light on why Microsoft is currently so worried about the security of Office macros.

Over the course of five months (November 2021 to March 2022), the two companies analyzed 35 million dark web URLs, including marketplaces and forums for ransomware products and services, and found that the large majority (87%) of the ransomware on offer is delivered to endpoints via malicious macros.

The two companies identified a total of 30 different malware products, including Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear, and WannaCry.

Macros as a ransomware launchpad

Not all ransomware was created equal, however. Those used in high-profile attacks cost more: the Darkside variant used in the Colonial Pipeline attack, for example, was listed at $1,262. Source code for popular ransomware is also relatively expensive, the researchers found, with Babuk's source code going for $950 and Paradise's for $593.

Macros are an important feature for advanced Office users: they are VBA code embedded in a document that automates tasks such as pulling data from the web and updating the document's contents. Because that same code can download and run anything, threat actors abused macros for years, until Microsoft changed Office's default so that macros in files downloaded from the internet (files carrying the Mark of the Web) are blocked from running. The file itself still opens; only its macros are stopped, and only when the file is marked as internet-sourced.

“Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft's indecision around disabling of macros should scare everyone,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. “While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector.”

The findings, Venafi argues, make a strong case for machine identity management control planes, which it says deliver observability, consistency and reliability. Code signing, it adds, is a "key machine identity management security control" that helps eliminate macro-powered ransomware attacks.

“Using code signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in its tracks,” Bocek concludes. “This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, healthcare and energy where macros and Office documents are used every day to power decision making.”
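The two controls the article refers to, Microsoft's block on macros in internet-sourced files and the "signed macros only" Trust Center setting, are both ordinary Office policy values that an administrator can audit and set. The PowerShell below is an added example written for this page; it is not code from Venafi, Forensic Pathways or Microsoft. It assumes Office 16.0 (Office 2016 and later, including Microsoft 365), the per-user policy hive under HKCU, and a constructed file path for the Mark of the Web check; in a managed fleet these values are pushed by Group Policy or Intune, which will overwrite anything set locally.

```powershell
# Added example (not from the article): inspect and harden the two Office
# macro controls discussed above. Assumptions: Office 16.0 registry paths and
# the per-user policy hive (HKCU); Group Policy / Intune will override these.

$OfficeApps = @('Word', 'Excel', 'PowerPoint')

function Test-MarkOfTheWeb {
    # Office decides a file "came from the internet" by reading the NTFS
    # Zone.Identifier alternate data stream that browsers and mail clients write.
    # ZoneId 3 = Internet, 4 = Restricted; no stream or ZoneId 0-2 means the
    # internet-macro block does not apply to this file at all.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zone = $null
    foreach ($line in @($stream)) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
    }
    [pscustomobject]@{
        Path    = $Path
        ZoneId  = $zone
        Blocked = ($null -ne $zone -and $zone -ge 3)
    }
}

function Get-OfficeMacroPolicy {
    # VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification
    # (one click re-enables), 3 = disable all except digitally signed,
    # 4 = disable all without notification.
    # blockcontentexecutionfrominternet = 1 is the "Block macros from running in
    # Office files from the Internet" policy that Microsoft made the default in 2022.
    foreach ($app in $OfficeApps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba   = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vba
            BlockInternetMacros = $block
            # Hardened only when both controls are on: internet files blocked
            # outright, and everything else must carry a trusted signature.
            Hardened            = (($block -eq 1) -and ($vba -in 3, 4))
        }
    }
}

function Set-OfficeMacroPolicy {
    # Hardened setting: block internet-sourced macros and require a digital
    # signature from a trusted publisher for the rest (VBAWarnings = 3), which is
    # what "unsigned macros cannot execute" means in practice. Use 4 to disable
    # macros entirely where nothing legitimate needs them.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, "set VBAWarnings=$VBAWarnings, blockcontentexecutionfrominternet=1")) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value $VBAWarnings -Force | Out-Null
        }
    }
}

# Usage: audit first, check a downloaded document, then harden (drop -WhatIf to apply).
Get-OfficeMacroPolicy | Format-Table -AutoSize
Test-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\invoice.docm"   # constructed example path
Set-OfficeMacroPolicy -WhatIf
```

Two caveats a practitioner will want. First, VBAWarnings = 3 only restricts execution to publishers in the Trusted Publishers store, so the control is only as strong as that list, and documents opened from a Trusted Location bypass both settings. Second, the internet block keys off the Mark of the Web, which is not propagated into every container format, so a macro file delivered inside an archive or disk image may reach the user without the stream and without the block.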

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also taught several modules on content writing for Represent Communications.