Cerber ransomware has infected multiple users worldwide, though over the past two months
Considering all the ransomware families which appeared since the beginning of this year, only a few of them managed to grab enough market share and become prevalent threats. One of these is Cerber ransomware.
The first time when Cerber was noticed was in February, this year. Unlike other threats, this ransomware stood up in the crowd due to the fact that it used a VBScript which caused the infected PC to “speak” to the victim.
Since February, Cerber ransomware has received a few updates, and the Invincea experts reported that last month the malware might have been leveraged in distributed denial of service (DDoS) attacks. The security researchers noticed strange network behavior associated with the ransomware, which was calling out a large address range: from 184.108.40.206 to 220.127.116.11, and they concluded that it might have been packed with new capabilities.
At the beginning of this month, the Invincea experts warned that Cerber operators started using a server-side “malware factory” to evade detection. This means that the server which delivered the payload in an observed infection campaign was generating a new hash for it every 15 seconds, thus able to trick signature-based antimalware solutions. The security researchers also reported that Cerber was most active in USA, which accounted for almost 50% of infections, however, Australia, Brazil, Canada, Japan, Portugal, Taiwan, Spain, Malaysia, and Germany were also targeted.
Currently, the Check Point researchers claim that while victims in USA are indeed the targets of choice for Cerber, the ransomware is also a great threat to users in Turkey and the United Kingdom. The US accounts for 41% of infections, followed by Turkey at 15% and the UK at 9%, with Israel and Taiwan rounding up top 5 most affected countries, at 4% each.
Meanwhile, the security experts observed two spikes in Cerber’s activity, one in April and another one in May, and both appeared to be highly productive for the malware’s operators. During the same time when USA, Turkey and the UK were the preferred targets in these campaigns, users in other countries also fell victims to Cerber ransomware.
Cerber launches its attack by using Windows binaries without any parameters, and it does that by injecting code into explorer.exe and calling a couple of applications. The ransomware also loads a DLL (Dynamic Link Library) used by multiple programs and, after the encryption starts, it erases shadow copies to prevent file recovery.
Cerber uses AES-265 and RSA encryption and also tampers the boot sequence, making sure that the user cannot recover the encrypted files. Once the victim’s files are successfully encrypted, the ransomware deletes itself from the infected computer and uses Notepad and Google Chrome to display the ransom note.
In addition, the malware launches a watchdog which prevents uninstall attempts, thus ensuring persistency. Cerber also starts a “network search, calling a very long series of IP addresses mostly located in France.”
The Check Point researchers claim that there will be more spikes in Cerber’s activity. The ransomware is distributed via phishing emails which contain malicious attachments, thus users are advised to avoid opening emails coming from unknown sources, in order to stay protected.