Cerber Ransomware Distributed Through Blank Slate Campaign

Cerber ransomware is notorious for its constant changes. The developers behind the virus work tirelessly to make their software difficult to combat. The latest change concerns its distribution patterns.

Researchers at SANS Internet Storm Center have reported that Cerber is spread through a campaign called Blank Slate. The emails distributing the ransomware are deliberately vague. The subject line consists of a random combination of numbers. The name of the attachment is generated in the same manner.

A notable characteristic of the attachments is that they are double-zipped: a zip archive is stored inside another zip archive. When you unwrap the second layer, you will find the actual file. The carrier for Cerber ransomware is either a Microsoft Word document or a JavaScript file.

The JavaScript file makes the distribution process easier. All the virus needs to get access to your machine is for you to double-click on the file. With the Microsoft Word document, there is another step: you will be asked to enable macros. Since Microsoft has issued a warning about malicious macro attacks, this technique is more likely to be neutralized.
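An added example, not from the original article or from SANS: a Python check that a mail filter could run on an attachment to detect the structure described above, a JavaScript or Word file inside a zip that is itself inside another zip. The extension list, the size and depth limits, the function names and the sample file names are assumptions, and the samples are constructed with harmless placeholder content.

```python
import io
import zipfile

# Payload types the article names: a JavaScript file or a Microsoft Word document.
PAYLOAD_KINDS = {".js": "javascript", ".doc": "word", ".docm": "word", ".docx": "word"}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumed cap; larger members are not inflated
MAX_DEPTH = 4                        # assumed cap on archive nesting


def find_payloads(data, depth=0):
    """Return (zip_depth, member_name, kind) for each payload found in nested zips."""
    found = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = "." + info.filename.lower().rsplit(".", 1)[-1]
            if ext in PAYLOAD_KINDS:
                found.append((depth, info.filename, PAYLOAD_KINDS[ext]))
            elif info.file_size <= MAX_MEMBER_BYTES:
                try:
                    inner = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # encrypted or corrupt member: cannot look inside
                found.extend(find_payloads(inner, depth + 1))
    return found


def is_double_zipped_payload(data):
    """True when a script or Word file sits inside a zip that is inside another zip."""
    return any(depth >= 1 for depth, _, _ in find_payloads(data))


def make_zip(members):
    """Build a zip in memory from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples with placeholder content (not real campaign files).
DOUBLE_ZIPPED = make_zip({"73910.zip": make_zip({"73910.js": b"// placeholder"})})
PLAIN_ZIP = make_zip({"notes.txt": b"quarterly notes"})

if __name__ == "__main__":
    for label, blob in (("double-zipped", DOUBLE_ZIPPED), ("plain", PLAIN_ZIP)):
        print(label, is_double_zipped_payload(blob), find_payloads(blob))
```

Nested archives are identified by content rather than by file name, so renaming the inner zip does not hide it from the check.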

An increase in the ransom

It appears that the success of a propagation vector is reflected in the amount of the ransom. Blank Slate has been established as the most prevalent distribution method. This seems to have had an effect on the confidence of the cyber criminals. They recently decided to make higher demands.

Until a few days ago, Cerber demanded a ransom of $500 USD. The ransom is listed in bitcoins. The bitcoin figure was adjusted in parallel with the exchange rate, so that it would always be equal to the fixed amount. The constant shifts in the ransom came to an abrupt end after the cyber criminals decided to raise the sum to 1 bitcoin. This is the current ransom amount.

Brad Duncan of SANS Internet Storm Center made a statement in an attempt to help people protect their computers. The expert talked about the user’s involvement in opening the door for the infection.

The current propagation vector needs users to open an attachment, unzip it twice and then either double-click on a JavaScript file, or open a Microsoft Word document and enable macros. The recipient can prevent the infection from infiltrating their machine by not taking the very last step. Mr. Duncan also advises people to verify the reliability of their emails by checking the contacts.
