Hello, welcome to the Thursday, March 8th, 2018 edition of the Sands and Stormsendors Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

The amount of ransomware we have seen lately has certainly declined and Pratt also states in his

last post that this is a trend that he's observing as well,

but nevertheless they're still out there. And earlier this week, he came across two updated

samples that he's discussing in his latest post. The two samples that Pratt found follow the very sort of standard pattern of

arriving as a word attachment in email, then they trick the user into enabling macros,

which then results in a PowerShell script, downloading additional malicious files. In order to trick the user into enabling

macros, these Word documents will display a message that tells the user that the document

was created in an earlier version of Word. And then you tell them, well, you can still look at a document,

but you first have to enable editing and enable content, which then is exactly what enables macros.

As usual, Pratt provides all the indicators of compromise and packet captures and the like that allow you to sort of test your own defenses, but hopefully you are already

defended against this kind of infection, because if it's not CryptoRansomware, they're

probably trying to find something else to install on your systems using these simple

verb macros.

And talking about CryptoRansomware, Malwarebytes has a nice blog post showing how to break

some encryption algorithms.

Of course, if the encryption algorithm is done well, there may not be really a way to break

the algorithm, but quite often in past versions

of crypto ransomware, the author made some sort of basic mistakes in how the encryption

was implemented, how keys were selected, or which exact algorithm was selected.

So this blog post gives you a little bit an insight in how to possibly defeat these weak

...