December 27, 2016
Microsoft Malware Protection Center and Heimdal Security reported that the latest versions of the notorious Cerber ransomware have received an upgrade and now operate in a slightly different way.
The biggest change noticed is that Cerber no longer deletes shadow volume copies, which allows a small number of files to be recovered with special disk recovery software. The reason behind this modification is unknown, but the researchers are positive that only the newest Cerber variants behave this way.
Another noticeable change is that the recent versions of the ransomware now prioritize which files to encrypt. Moreover, Cerber's list of folders and file types that are exempt from encryption has grown significantly.
For instance, the following file types are no longer targeted by the newest versions of the ransomware: .bat, .cmd, .com, .cpl, .dll, .exe, .hta, .msc, .msi, .msp, .pif, .scf, .scr, .sys. However, Cerber's authors balance this alteration by adding 50 other file extensions, which increases the total number of targeted file types to 493. And yet, regardless of these changes, Cerber still remains undecryptable.
Also, Microsoft reports that the crooks behind Cerber have changed the ransom note screen, which now uses a red background highlight instead of the previous green color. However, this change happened a couple of weeks ago and was noted before. Moreover, unlike most malware campaigns, which take a break for the holidays, the Cerber gang doesn't seem to be slowing down.
As it turns out, the crooks behind the ransomware are working non-stop on different distribution campaigns, relying mostly on exploit kits and spam messages. Both Heimdal Security and Microsoft report that Cerber has been active through the entire month of December; last week researchers came across a huge spam wave leveraging fake credit card reports.
According to Heimdal, one week later the Cerber campaigns are still going strong, now relying on compromised web pages that are part of the Pseudo Darkleech campaign. The campaign uses several types of scripts injected into the compromised sites to redirect users to exploit kits. The EKs leverage Flash Player, Microsoft Edge, Internet Explorer and Silverlight exploits to infect the victims with the Nemucod malware.
Nemucod is a generic first-stage downloader that later downloads Cerber. Heimdal also adds that this particular campaign is flying under the radar, with very low detection rates on VirusTotal.
Another Cerber distribution campaign, also leveraging exploit kits, is being reported by Microsoft Malware Protection Center. This time, however, it uses the RIG EK to take advantage of the CVE-2015-8651 vulnerability in unpatched Adobe Flash Player installations. This bug gives the cybercriminals the opportunity to automatically install and launch Cerber.
According to Microsoft, this campaign has been particularly successful in Asia and Europe. Aside from these two EK-based campaigns, the Cerber gang is also using the classic spam email tactic.
Last week's fake credit card reports have now turned into order deliveries. The email comes with a password-protected attachment, but the password itself is included in the email body. The attachment is a typical Word file which requires users to enable macros. If the victim does so, the macro script downloads and runs the Cerber ransomware. This spam wave, tracked as Donoff, has claimed a lot of victims during the last couple of days, states Microsoft.
The security companies will continue to keep a close eye on Cerber's evolution, which may lead to finding out who its creators are and what their coding style is, which in turn may speed up the process of creating a decryption tool.