back to article Ransomware scum sling PowerShell, Word macro nasty at healthcare biz

Miscreants have put together a strain of ransomware written in Microsoft Word macros and PowerShell, Redmond's scripting language. The malware is designed to infect organizations, encrypting files and demanding money to unscramble files. Interestingly, installation of the ransomware begins after someone opens a booby-trapped …

  1. James O'Shea


    I keep macros turned off when in MS Office unless I'm doing something which needs macros... and I never need macros when when reading Word documents. Well, I haven't needed macros in Word for well over a decade, so far back that I literally can't remember when the last time I used macros in Word was. Any attempt to launch macros by a Word file would have been stopped immediately.

    1. big_D Silver badge

      Re: errm...

      Exactly and since around 2008/9, Microsoft have set Macros to be disabled by default and the user is asked if they should be enabled when opening the document...

      If you open a document in an email and it wants to run macros, you should just say no!

      1. Dan Wilkie

        Re: errm...

        Which is at the heart of the problem. Because most users will see it ask for permission to run macros and say yes!

  2. Paratrooping Parrot

    Job recruitment offices

    I remember they always insisted on me sending them Word versions of my CV. I wanted to send them PDF for security reasons (although I do know about the problems with Adobe!). Maybe if Word refuses to run macros, it will be better. Otherwise, it should sandbox them so then it cannot access any other files.

    1. big_D Silver badge

      Re: Job recruitment offices

      The default configuration in Office since at least 2010 is that macros are disabled by default and the user must specifically enable them, when opening the document.

      The user can override the setting in the Security section of the Option in Office applications, but they are warned that this is a bad idea.

    2. annodomini2

      Re: Job recruitment offices

      They want to stick their own headers and crap in it before sending it to their customer, their concept is that it stops other recruitment companies stealing their clients.

  3. Paul Crawford Silver badge

    1) Macros were a stupid idea, at least, the idea they could do anything in any way to overwrite or run an executable program, script, etc.

    2) Backups.

    Really, while getting your machine shafted by a cryptovirus sucks donkey balls big-time, what were your plans for the day your HDD/SSD dies, machine is stolen, or PSU goes on a last bender and takes out several disks in your RAID set?

  4. x 7

    in the UK NHS a LOT of online reporting tools require macros.

    Its quite a problem

  5. simonorch


    Using Word as your vehicle, epic fail. Excel on the other hand....carnage.

    Hi ho, hi ho it's a consulting i will go.

  6. Anonymous Coward

    1995 is calling and wants its Word Macro virus back ..

    The solution is to make NORMAL.DOTX readonly for the current user.

  7. allthecoolshortnamesweretaken

    "Another strain of PowerShell ransomware was spotted by security researchers at Palo Alto Networks earlier this month. That strain, Powersniff, actively avoids healthcare and education machines, unlike PowerWare."

    Interesting. Ransomware coders with a bit of consience?

  8. quattroprorocked

    My local Council loves to send me bid docs that I'm supposed to fill in. They have macros. So far I've been able to fill them in and place bids, and every time I tell them that they really shouldn't be sending out macros.

    Just think, they have all those staff who are used to opening docs and running macro laced docs from external sources.

    10, 9, 8, 7.....

  9. cantankerous swineherd

    this just getting fucking stupid. email is totally insecure and needs to be given the bullet just as soon as flash has been buried. haven't got to the criminal helpdesk as .gov site story yet, but am willing to bet there's an email involved in that as well.

    internet security (ha ha) depends on a mail system in which anyone can send malicious messages to anyone whilst pretending to be anyone. that's four (anyone, malicious, anyone, anyone) fuck ups straight off the bat. then we have the even more pernicious and absurd situation where we're supposed to believe that PKI (the green padlock icon in the browser, for the love of god) is secure when 1. the key exchange mechanism has been subverted, perverted or both and 2. pretty much anyone can get a 'security' 'certificate', for anyone anywhere in the entire fucking world, which is insecure and certifies nothing.

    and this is before we even think about word macros.

    any dimwits out there who think they know better, because, hey, Estonia, can crawl back under their rocks, you haven't been following the news.

    this isn't a rant, it's a sober assessment of the state of the internet in 2016.

  10. arya

    looks like a copy/cat of the CryptoWall, not using RSA 2048. no need to pay the ransom, files can be retrieved through shadow copies...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like