Usually, after paying the ransom, the nightmare is over. Unless, you are asked to pay up a second time. Although, you should be aware that no matter if you pay or not, your PC may still be turned into a mindless bot which generates fake traffic used in distributed denial of service (DdoS) attacks.
Recently, researchers revealed a ransomware-DDoS hybrid attack at the endpoint security solutions company Invincea. The company’s blog wrote that the ransomware which sparked such concerns is a variant of Cerber, was currently distributed via a weaponized Microsoft Office document. According to Invincea, this file-less attack method is popular among certain hackers because it resides only in RAM memory, not on a hard drive. This is the reason why traditional anti-virus solutions detect these incursions much harder.
Obviously, the current Cerber campaign targets are being sent phishing emails containing a Rich Text Document attachment, which upon opening prompts users to enable macros so the content can be viewed in Microsoft Word. Nevertheless, the particular macros are comprised of malicious VBscript, derived from Visual Basic programming language. When activated, the macros create an elevated command shell on the host and execute further obfuscated code that triggers the downloading of the main payload.
Cerber ransomware not only encrypts the user’s file systems and displays a ransom note, but also engages in some atypical behavior. For instance, Invincea notes that the malware has the host machine “call out” to a large subnetwork of IP addresses, and appears to flood it with packets using UDP (the User Datagram Protocol) after that.
“It is unknown, but assumed that there was a server listening for these [data packets]. But using UDP in this fashion caused a wave of ICMP port unreachable messages to come back to the infected host,” said the director of malware analysis at Invincea – Patrick Belcher.
However, “If the Cerber author had instead spoofed the source IP of the infected host to be a third party’s IP address, all of those ICMP messages would have been sent to the spoofed host — say a website or corporate gateway. Multiply this by the thousands that were infected at once, and it becomes a DDoS function.”
For now there is no proof that this ransomware has actually launched a DDoS attack in the wild using the above described technique. Even so, this discovery theoretically means that while a legitimate business might be unable to access various network endpoints due to the ransomware’s encryption, these very same endpoints can still be leveraged by the hackers to attack additional victims via DDoS.
“We foresee this becoming a feature of future ransomware. Such ransomware could stay encrypted and online performing such attacks, and whether or not the flooding of traffic would be turned off if the ransom is paid is speculation,” said Belcher