Updated Ransomware Includes RaaS

Monday, February 13, 2017 @ 06:02 PM gHale

There’s a new outbreak of Cerber ransomware.

One of the new aspects of this ransomware is that it is offered as Ransomware-as-a-Service (RaaS), meaning other attackers can sign up to distribute the malware.


The new outbreaks are going out via variants of Nemucod, which is one of the most popular malware distribution tools, said researchers at security firm Cyren.

The attack arrives in email messages carrying zipped JavaScript attachments. The attachment names all follow a similar pattern: they start with “DOC,” followed by a ten-digit string, and end with “-PDF”. The file is neither a document nor a PDF, however, but a JavaScript attachment that will bring you trouble.
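As an added example (not code from the article or from Cyren), a small mail-gateway triage check in Python that flags attachment names matching the lure pattern described above and looks inside zip attachments for script members instead of trusting the archive's name. The regex, the script-extension list and the sample archives are constructed assumptions for illustration.

```python
import io
import re
import zipfile

# Lure pattern from the campaign: "DOC", ten digits, then "-PDF"
# (the extension that follows is not part of the lure itself).
CAMPAIGN_NAME = re.compile(r"^DOC\d{10}-PDF", re.IGNORECASE)

# Script extensions Windows Script Host will execute on double-click
# (assumed list for this check).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one mail attachment.

    Flags (1) names matching the lure pattern, (2) bare script files and
    (3) zip archives whose members are scripts, which is how the Nemucod
    downloader is delivered.
    """
    reasons = []
    if CAMPAIGN_NAME.match(filename):
        reasons.append("name matches DOC<10 digits>-PDF lure pattern")
    if filename.lower().endswith(SCRIPT_EXTS):
        reasons.append("bare script attachment")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(SCRIPT_EXTS):
                    reasons.append(f"zip member {member!r} is a script")
    return {"filename": filename, "block": bool(reasons), "reasons": reasons}


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: content} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real campaign files.
LURE = build_zip({"DOC3487216903-PDF.js": b"var a = 1; /* junk code */"})
BENIGN = build_zip({"report.pdf": b"%PDF-1.4 ..."})

if __name__ == "__main__":
    for name, blob in [("DOC3487216903-PDF.zip", LURE), ("quarterly.zip", BENIGN)]:
        print(triage_attachment(name, blob))
```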

“Following more detailed analysis of the JavaScript attachment, we identified 2 major variants of Nemucod malware, each variant comprising hundreds of samples that all connected to a single distribution site hosting the ransomware. The two major variants are detected by Cyren as JS/Nemucod.GE!Eldorado and JS/Nemucod.ED1!Eldorado,” according to a Cyren blog post.

The JS/Nemucod.GE!Eldorado variant was first noticed late last year. The malicious code is buried among random garbage code but is not protected by any encryption. The malware code is really just a few lines whose purpose is to download a file and execute it. The file, titled “cer.jpg”, hints at the payload: once downloaded, the .jpg extension is replaced with .exe, allowing the ransomware to go wild on your computer.

The second variant, JS/Nemucod.ED1!Eldorado, is hidden a little better among the garbage code. While the code is a bit longer, the behavior is the same, and it even tries to download the same payload from the same site.

Once activated, Cerber encrypts a range of document and image files and places the ransomware file in each folder. There’s no free decrypter for Cerber.
