Ransomware Updates with New Components

Wednesday, May 3, 2017 @ 12:05 PM gHale


A Cerber ransomware variant has been upgraded with multipart arrival vectors and a new type of file encryption.

Cerber is one of the leading ransomware threats: researchers found it in 87 percent of ransomware attacks in the first quarter of this year.

In April 2017, Cerber reached its 6th version, said researchers at TrendMicro. The malware is generating millions of dollars in revenue for operators and developers, especially since it is distributed as ransomware-as-a-service.

This new version of Cerber sports multipart arrival vectors and reworked file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.

“Since its emergence in 2016, Cerber’s evolution has shown how its developers constantly diversified the ransomware’s attack chain while broadening its capabilities to stay ahead of the game,” said TrendMicro’s Gilbert Sison, threats analyst.

Cerber uses spam emails as a way to get into victims’ systems. Version 6 comes with socially engineered emails containing a zipped attachment that includes a malicious JavaScript file. Once opened, the JS file downloads and executes the payload, creates a scheduled task to run Cerber after two minutes, or runs an embedded PowerShell script.

Adding a time delay in the attack chain enables the ransomware to elude traditional sandboxes, researchers said.

Cerber 6 has a routine for terminating processes to ensure files can be encrypted. Another addition is a check on file extensions so it knows which files to skip during the encryption process.

“Cerber 6 goes beyond identifying them and can now be configured to have Windows firewall rules added in order to block the outbound traffic of all the executable binaries of firewalls, antivirus, and antispyware products installed in the system. This can possibly restrict their detection and mitigation capabilities. This is further exacerbated by how Cerber can also circumvent static machine learning detection on top of self-awareness of analysis tools and virtualized environments that allows it to evade them (by self-destructing),” Sison said.
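As an added example (not from the original article or Trend Micro’s analysis), the following Python detection logic runs over constructed Sysmon-style process-creation records and flags the two behaviors described above: a script host creating a one-time scheduled task that fires within a few minutes, and a firewall rule added to block outbound traffic for a security product’s executable. The field names, the sample records and the ExampleAV install path are assumptions.

```python
import re
from datetime import datetime

# Constructed sample records in a simplified Sysmon Event ID 1 (process create) shape.
SAMPLE_EVENTS = [
    {"time": "2017-04-10 12:05:10", "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn upd /sc once /st 12:07 /tr C:\\Users\\u\\AppData\\Local\\Temp\\a.exe"},
    {"time": "2017-04-10 12:07:30", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name=x dir=out action=block program="C:\\Program Files\\ExampleAV\\avscan.exe"'},
    {"time": "2017-04-10 12:10:00", "parent": "C:\\Windows\\explorer.exe",  # benign admin task
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn backup /sc daily /st 02:00 /tr C:\\Tools\\backup.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumption: install directories of the security products deployed in this environment.
SECURITY_DIRS = ("program files\\exampleav",)

def task_delay_minutes(event):
    """Minutes between the event time and the task's '/st HH:MM' start time, or None."""
    m = re.search(r"/st\s+(\d{2}:\d{2})", event["cmdline"], re.IGNORECASE)
    if not m:
        return None
    start = datetime.strptime(f"{event['time'][:10]} {m.group(1)}", "%Y-%m-%d %H:%M")
    seen = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
    return (start - seen).total_seconds() / 60

def is_delayed_task_from_script_host(event, max_minutes=10):
    """Script host -> schtasks creating a one-shot task that starts within max_minutes."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if parent not in SCRIPT_HOSTS or image != "schtasks.exe":
        return False
    if not re.search(r"/sc\s+once", event["cmdline"], re.IGNORECASE):
        return False
    delay = task_delay_minutes(event)
    return delay is not None and 0 <= delay <= max_minutes

def is_outbound_block_on_security_product(event):
    """netsh adding an outbound block rule whose program path is a security product."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cl = event["cmdline"].lower()
    if image != "netsh.exe" or "add rule" not in cl:
        return False
    return "dir=out" in cl and "action=block" in cl and any(d in cl for d in SECURITY_DIRS)

def detect(events):
    """Return (rule name, event time) pairs for every record that matches a rule."""
    alerts = []
    for e in events:
        if is_delayed_task_from_script_host(e):
            alerts.append(("delayed-task-from-script-host", e["time"]))
        if is_outbound_block_on_security_product(e):
            alerts.append(("outbound-block-security-product", e["time"]))
    return alerts
```

The daily backup task from explorer.exe is deliberately left unflagged, since the sandbox-evasion signal is the combination of a script-host parent, a one-shot schedule and a start time only minutes away.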
