A Malware Cocktail Shakes Up Cerber Ransomware Infections

The cyber-criminals behind a fresh ransomware campaign are celebrating the new year with a malware cocktail—one that’s spreading the Cerber ransomware.

According to Heimdal Security, this ongoing ransomware campaign packs a big punch against its victims, aiming for a high success rate in terms of infected systems.

It begins with the compromise of legitimate websites through injected malicious scripts. Those injects then redirect the victims’ internet traffic to a Cerber gateway known as Pseudo Darkleech, a type of malware infection created to add a strong obfuscation layer and keep detection rates low.

The malicious script injected into these websites is the Nemucod generic malware downloader, which is used to download and run Cerber ransomware. The attackers are exploiting vulnerabilities in Internet Explorer, Microsoft Edge, Flash Player and Silverlight to infect unsuspecting users.

“Please keep in mind that this ransomware campaign can affect both individual internet users and companies,” said Heimdal security researcher Andra Zaharia, in a blog. “What’s more, Cerber has recently started targeting companies’ databases to maximize profits from the ransom, so this is another reason to take additional precautions.”

A main hallmark of the attack is that the cyberattackers are choosing to incorporate so many types of malware in a single attack: the aforementioned cocktail of Nemucod, DarkLeech and Cerber. The goal is twofold: to make the infection stealthy, so that antivirus can’t detect and stop it; and to make the infection stick (persistence) until it has encrypted all the victim’s data and reaches the point where it can demand a ransom that the victim feels compelled to pay.

“Nemucod first emerged in December 2015 as a Trojan downloader,” Zaharia noted. “This malware downloader recently got a ton of attention when it was used in spam IMs on Facebook Messenger to spread Locky ransomware. Pseudo DarkLeech uses hidden iframe injections and randomizes elements to enable the malware to operate covertly. And Cerber, which was discovered in March 2016, is a professionally coded ransomware that provides customization options…Like Locky, Cerber appears to have access to the Dridex spam network, meaning it can be pushed out quickly in large spam campaigns.”
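The hidden iframe injection Zaharia describes is something a site owner can audit for in their own pages. The scanner below is an added example, not code from the article or from Heimdal; it flags iframes that are shrunk to a pixel or hidden by CSS, and notes when such an iframe points off-site. The sample HTML and the gateway hostname are constructed placeholders.

```python
# Added example (not from the article): flag invisible iframes of the kind a
# Pseudo-Darkleech-style injection adds to a compromised page.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)

def _px(value):
    """Parse a width/height attribute such as '1' or '0px'; None if not a pixel value."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None

class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny dimensions")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by CSS")
        if not reasons:
            return                  # visible iframes (normal embeds) are not reported
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if host and host.lower() != self.site_host:
            reasons.append("off-site src " + host)
        self.findings.append((src, reasons))

def audit_html(html, site_host):
    """Return the hidden iframes found in `html` for a site served from `site_host`."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings

# Constructed sample: one legitimate visible embed, one injected 1x1 hidden
# iframe pointing at a placeholder gateway host (.invalid is reserved).
SAMPLE = """<html><body>
<iframe src="https://www.example.com/player" width="560" height="315"></iframe>
<iframe src="http://gateway.invalid/?id=abc123" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""
```

Running `audit_html(SAMPLE, "www.example.com")` reports only the second iframe, with all three reasons.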

Victims whose data is encrypted with Cerber are usually extorted for amounts ranging from 1.24 bitcoins (BTC) to 2.48 BTC ($1,068 to $2,136 according to December 2016 rates).

To avoid becoming a victim of ransomware, users should keep their software up to date, create and maintain at least two backups of their data in different locations (one in the cloud and one on an external drive), and enhance browser protection.
