A brand new version of Cerber, the most successful ransomware family, has been released. The latest variant includes multipart arrival vectors and new file encryption routines.
Cerber ransomware has been climbing to the top of the virus charts for over a year now. The parasite managed to account for nearly 87% of the ransomware attacks during the first quarter of 2017.
According to TrendMicro security experts, Cerber released its 6th version about a month ago. Considering the fact that the malware is distributed as ransomware-as-a-service, it is certain that Cerber is generating millions of dollars in revenue for its developers and operators.
The new version of Cerber features multipart arrival vectors and refashioned file encryption routines, as well as defense mechanisms that include anti-AV and anti-sandbox techniques.
“We’ve also seen how the latest versions of Cerber employed a number of methods to avoid traditional security solutions. Since its emergence in 2016, Cerber’s evolution has shown how its developers constantly diversified the ransomware’s attack chain while broadening its capabilities to stay ahead of the game,” the analyst Gilbert Sison from TrendMicro says.
Cerber ransomware infects users’ computers via spam emails. Its 6th version arrives with socially engineered emails that carry a zipped attachment containing a malicious JavaScript file. When the user opens it, the JS file either downloads and executes the payload, creating a scheduled task that runs Cerber after two minutes, or runs an embedded PowerShell script.
The researchers from TrendMicro note that adding a time delay in the attack chain allows Cerber ransomware to elude traditional sandboxes.
Some features of Cerber 6 impressed security experts. Among them is a routine that terminates processes to ensure that files can be encrypted. The other interesting feature is that the malware checks file extensions so it knows which files to avoid during the encryption process.
“Cerber 6 goes beyond identifying them and can now be configured to have Windows firewall rules added in order to block the outbound traffic of all the executable binaries of firewalls, antivirus, and antispyware products installed in the system. This can possibly restrict their detection and mitigation capabilities. This is further exacerbated by how Cerber can also circumvent static machine learning detection on top of self-awareness of analysis tools and virtualized environments that allows it to evade them (by self-destructing),” the researchers state.
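The two behaviours described above (a script host launching a delayed scheduled task or PowerShell stage, and outbound firewall rules being added against security-product binaries) both leave traces in process-creation telemetry. The following detector is an added example written for this article; it is not code from TrendMicro or from the Cerber analysis. It assumes Sysmon-style process-creation events serialised as JSON lines, a constructed sample of such events, and a constructed watchlist of directory-name fragments (`SECURITY_PRODUCT_HINTS`) standing in for the security products actually installed on a host; the file paths and vendor name in the sample are made up.

```python
import json
import re

# Constructed sample telemetry shaped like Sysmon process-creation events
# (one JSON object per line). Paths, task names and the "Example Antivirus"
# vendor are invented for this example; none of this is captured data.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /sc once /tn sysupd /tr \"C:\\Users\\demo\\AppData\\Local\\Temp\\payload.exe\" /st 14:32"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\demo\\AppData\\Local\\Temp\\stage.ps1"}
{"EventID": 1, "ParentImage": "C:\\Users\\demo\\AppData\\Local\\Temp\\payload.exe", "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall firewall add rule name=\"Block AV\" dir=out action=block program=\"C:\\Program Files\\Example Antivirus\\avscan.exe\""}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /query /tn Backup"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall firewall add rule name=\"AV updates\" dir=out action=allow program=\"C:\\Program Files\\Example Antivirus\\avscan.exe\""}
"""

# Windows script hosts that a malicious JS attachment runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children through which the article's delayed launch is staged.
DELAY_CAPABLE = {"schtasks.exe", "powershell.exe"}
# Assumption: directory-name fragments typical of security products. A real
# deployment would derive this from the inventory of installed products.
SECURITY_PRODUCT_HINTS = ("windows defender", "antivirus", "antispyware", "firewall")

FIREWALL_ADD_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
# key=value pairs as netsh writes them; values may be double-quoted.
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_delayed_launch(event):
    """Script host spawning schtasks.exe or powershell.exe (the delayed-run chain)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in SCRIPT_HOSTS and child in DELAY_CAPABLE:
        return f"{parent} spawned {child}: {event.get('CommandLine', '')}"
    return None


def detect_av_block_rule(event):
    """Outbound block rule added for a binary that looks like a security product."""
    cmd = event.get("CommandLine", "")
    if not FIREWALL_ADD_RULE.search(cmd):
        return None
    args = {k.lower(): v.strip('"') for k, v in KEY_VALUE.findall(cmd)}
    if args.get("dir", "").lower() != "out" or args.get("action", "").lower() != "block":
        return None
    program = args.get("program", "").lower()
    if any(hint in program for hint in SECURITY_PRODUCT_HINTS):
        return f"outbound block rule for security product binary: {program}"
    return None


def scan(text):
    """Run every rule over every event; return (rule name, description) pairs."""
    findings = []
    for event in parse_events(text):
        for rule in (detect_delayed_launch, detect_av_block_rule):
            hit = rule(event)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for name, description in scan(SAMPLE_EVENTS):
        print(f"[{name}] {description}")
```

Against the sample, the two `wscript.exe` children and the `dir=out action=block` rule are reported, while the interactive `schtasks /query` and the `action=allow` rule for the same product binary are not. The firewall rule check keys on the rule's direction, action and target program rather than on the parent process, because the article notes the rules are added by configuration and the process doing so can vary.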
The latest version of Cerber has also dropped the RSA and RC4 implementations from its encryption routine in favor of the Windows Cryptographic Application Programming Interface (CryptoAPI). In addition, the ransomware features a function that reads and encrypts the file content.