November 30, 2016
Christmas is around the corner, and cyber criminals are as restless as Santa’s dwarves. All big ransomware families are being updated on quite a regular basis, leaving users breathless and file-less. The Cerber ransomware family is an excellent example of a crypto family constantly being renewed.
Cerber 5.0.1 is now making its rounds in the wild, and users should be as cautious as possible. The winter holidays may be the perfect time for family gatherings, but they are also cyber criminals’ favorite time of year for crypto shenanigans.
WHAT’S NEW IN CERBER 5.0.1?
Not much has changed in this new iteration, which appears to be quite similar to Cerber 4.1.0.
However, the timing of the attacks speaks volumes about the cybercriminals’ agenda. They are not going to stop any time soon. Why? The reasons are quite trivial. The colder it gets, the more stuck we are at home. The more we are stuck at home, the more time we spend in front of our computers – planning skiing vacations, online shopping for presents, or just chatting with friends.
The truth about the increasing malware activity in winter is perfectly displayed in one single quote by cyber security expert James Scott:
AND IS THERE ANY NOVEL TECHNOLOGICAL SOPHISTICATION IN CERBER 5.0.1 ATTACKS?
Not really. In fact, security researchers have discovered that this ransomware is delivered by the RIG-V exploit kit, which has been deployed in all of the latest Cerber campaigns.
There are, however, some changes in this version of RIG. The new modifications of this particular exploit kit include altered web links. Its highly obfuscated infection code allows the infection to succeed while going unnoticed by most anti-virus software. Researchers have described the new exploit kit as a “VIP” type of exploit kit, and experts also believe that it uses RC4 encryption to obfuscate its payload.
Cerber ransomware may use .hta, .html or .htm files to cause an infection via a spam message sent out to potential victims, just as previous versions have done.
There is also another method of infection – via malicious web links uploaded online and sent out as messages on social media.
As for the file encryption, nothing has changed. Cerber continues to use a combination of AES and RSA, which produces a unique decryption key specific to each particular infection. This is the key that is sent to the cyber criminals’ command and control servers.
Cerber 5.0.1 then typically changes the filenames and the file extension of the encrypted files to completely random ones. As we said, not much has changed.
Security researchers’ advice also remains the same. Don’t pay the ransom and don’t support cybercrime. Instead, consider using data recovery software. And start investing in your future security. Maybe an anti-malware package is the perfect Christmas present?