cuteRansomware leverages Google Docs to avoid detection

Pierluigi Paganini July 19, 2016

A newly strain of ransomware dubbed cuteRansomware leverages on a Google Doc to host the decryption key and command-and-control features.

A recently discovered strain of ransomware, dubbed cuteRansomware, shows that your enterprise isn’t the only one thinking about cloud transition. Modern day hackers are loving the Cloud too. The cuteRansomware was discovered by Netskope security firm which observes an increase in the number of malware leveraging on cloud apps as a delivery mechanism.

Most ransomware has a Command and Control (C&C) structure and a location for hosting the decryption key. Google Docs became precisely this location for this Chinese modified malware.

“Netskope has detected and reported on an increase in cloud apps as a delivery mechanism for ransomware, particularly in obfuscated JavaScript as well as Microsoft Word documents using macros functions.” states Netskope.

A few months ago, experts from Netskope noticed that a user with a GitHub account “aaaddress1” published source code for a ransomware module based on C# called “my-Little-Ransomware.” The malware became popular and others began using it. A security researcher at AVG spotted a malicious modified Chinese version of my-Little-Ransomware, that it dubbed “cuteRansomware” because of the mutex name used by the original author.

Though basic in nature it proves to be hard to track because Google Docs uses HTTPS to transfer data and is hard to detect by basic End Point security and Perimeter guards like firewall, intrusion detection systems, intrusion prevention systems and even the Next Gen firewall.

“Moreover, the use of a popular cloud app like Google Docs presents another challenge. For organizations using Google Docs as a productivity tool, it’s virtually impossible to block it outright. To prevent this ransomware from using Google Docs, you need to be able to selectively block the specific app instance associated with this ransomware while allowing your sanctioned instance of Google Docs to continue working.” continues Netskope


Let’s state why the cuteRansomware represents a problem :

  • Lack of visibility in SSL cryptographic protocol.
  • Highly used tools in many organizations like Google Docs could be  hard to stop. Thus productivity would get affected. 
  • Cloud service providers will need to monitoring of their products.
  • Today it’s Google Docs, tomorrow it could be Office 365. Microsoft’s Office 365 is a more preferred tool to use when it comes to SaaS by companies.
  • Cyber actors will now transition to cloud for C&C and hosting other attacks.

Tough days ahead

In June, Martin Lee, the technical lead of Cisco’s Talos Security Intelligence and Research Group commented that malware is “taking kidnap and moving it to the 21st century” An apt analogy considering that the threat landscape is truly evolving.

About the Author: Joshua Bahirvani

Joshua Bahirvani 2Cyber Security Enthusiast and believer of Privacy in this Digital Age.

LinkedIn :


Twitter : @B15joshua

Medium : @jbahirvani15


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – cuteRansomware, cybercrime)

you might also like

leave a comment