Phishing warning
A new ransomware attack is spreading through malicious Microsoft Office attachments. Christiaan Colen/Flickr

Security researchers have discovered a new form of ransomware being distributed through malicious Microsoft Office documents and Word files—and attackers have published videos to walk victims through the process of buying Bitcoin to get pay the ransom.

The Spider Virus ransomware campaign was first identified on Dec. 10 by researchers at cybersecurity firm Netskope and has continued to spread as attackers have targeted victims primarily in the Balkans.

While the Spider Virus attack may be new, its methods are tried and true for a ransomware campaign. The attack began its spread through emails laced with a malicious Microsoft Office attachment. The email subject and content is designed to catch the victim’s eye and open the document.

When they do, the attack begins to take hold. While the downloaded attachment has the look of a legitimate document, it obscures the true nature of the download. The Word document contains a “macro” or macroinstruction code that, when the user attempts to open the document, begins to download the ransomware attack from a host website.

The download takes place in the background and, once completed, begins to execute the ransomware payload on the machine. As the Spider Virus starts to run, it encrypts the victim’s data and adds a “.spider” extension to the end of the files being held hostage.

Once the ransomware has run its course, the victim is presented with a ransom note from the attacker. The note informs the victim that “all your important files are encrypted and you no longer have access to them.”

In order to regain access to the files, the ransomware requires users to visit a website where a decryption key is located. In order to visit the site, the victim has to download the Tor browser—which the attackers have helpfully provided a tutorial for within its ransom note.

Once the user visits the site, they are required to make a payment in Bitcoin to be provided the correct key. A video found in the ransomware’s “help” section shows the victim how to buy and pay with the cryptocurrency.

The user has 96 hours to undergo the process of paying for the decryption key. If they fail to do so, the ransomware will allegedly delete the files from the machine permanently. The attackers advise victims to pay the ransom and not to “try anything stupid.”

Avoiding an attack like the Spider Virus requires users to keep a close eye on their email in order to avoid phishing scams and other malicious attacks that may sneak into their inbox. Users should not download files received from senders that they do not recognize.

Additionally, users should disable macros to prevent such an attack from executing. To do so, open the Access menu in Microsoft Office. From there, users should click Trust Center, then Trust Center Settings and open Macro Settings. From here, they can ensure macros are not enabled.

Finally, the best defense against a ransomware attack is to keep a regular backup of all files—or at least important ones. While the attack can wipe files on the device, a victim can quickly restore operation from a backup without losing anything of value.