Ransomware Regenerates Every 15 Seconds

Tuesday, June 7, 2016 @ 04:06 PM gHale


In a move to bypass client-side security software, ransomware developers are able to create a different version of the malware every 15 seconds.

Cerber ransomware is one of today’s most active ransomware threats, backed by a group that has put in the time and resources to let their malware evolve.


The ransomware has changed constantly since the beginning of the year, when researchers first spotted it, and to date nobody has been able to create a free decrypter.

Security provider Invincea reported the most recent change in Cerber’s mode of operation. The company said that while analyzing a log file of Cerber’s latest infection techniques and trying to reproduce the infection chain, its analysts received a Cerber ransomware payload with a different file hash.

Retrying the infection chain after a few moments, the researchers got a third hash, and then a fourth hash, and so on. It didn’t take them long to figure out that Cerber’s C&C servers were churning out Cerber binaries with different file hashes every 15 seconds.

This was a sign the developers were employing a “malware factory,” an automated malware assembly line that puts together Cerber payloads but makes small modifications to the file’s internal structure in order to generate files with unique hashes.
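As an added illustration (not from the article or from Invincea), the Python below shows why a per-file hash blocklist cannot keep pace with this kind of churn and what an analyst can compare instead: it defines a constructed toy file format, builds variants that share one code region but differ only in a trailing region, and shows that the whole-file SHA-256 changes per variant while a hash of the code region alone clusters them. The toy format, the trailer-only mutation and all function names are assumptions made for this example.

```python
import hashlib
import struct

# Constructed toy "binary" layout (an assumption for this example, not a real PE):
#   magic(4) | code_len (u32 little-endian) | code bytes | variable-length trailer
MAGIC = b"TOYB"

def build_sample(code: bytes, trailer: bytes) -> bytes:
    """Assemble a toy sample: fixed code region followed by a mutable trailer."""
    return MAGIC + struct.pack("<I", len(code)) + code + trailer

def file_hash(data: bytes) -> str:
    """Whole-file SHA-256: the value a hash-based blocklist matches on."""
    return hashlib.sha256(data).hexdigest()

def code_section_hash(data: bytes) -> str:
    """SHA-256 of the code region only, ignoring the trailer.
    Rejects malformed or truncated input instead of silently hashing garbage."""
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("not a toy sample")
    code_len = struct.unpack("<I", data[4:8])[0]
    code = data[8:8 + code_len]
    if len(code) != code_len:
        raise ValueError("truncated code section")
    return hashlib.sha256(code).hexdigest()

def make_variants(code: bytes, n: int) -> list:
    """Build n test variants of the same code with a different trailer each time
    (deterministic, so the behaviour of the two hashes is reproducible)."""
    return [build_sample(code, bytes([i]) * 8) for i in range(n)]

def cluster_by_section(samples: list) -> dict:
    """Map each distinct code-section hash to the whole-file hashes sharing it.
    Variants that defeat a file-hash blocklist still collapse into one cluster."""
    groups = {}
    for s in samples:
        groups.setdefault(code_section_hash(s), []).append(file_hash(s))
    return groups
```

Real analyses use the same idea with richer structural features (section hashes, import hashes, fuzzy hashes) rather than a single region.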

A deeper look at the Cerber payloads showed a connection to a suspicious file sample first collected in September 2015, after the Neutrino exploit kit dropped the ransomware.

“By constantly morphing the same old binary from 2015 [Cerber] is able to evade detection quite easily,” said Invincea’s Patrick in a blog post. He was also an author of a research paper on malware factories and polymorphic malware.