November 09, 2016
The mythological battle between Cerberus and Hercules closely resembles the battle between cyber criminals and researchers. Whose side are you on?
The use of SEO techniques in malware (and ransomware) distribution is not news. Blackhat SEO campaigns are often uncovered by security researchers. One of the latest such campaigns (disclosed by Malwarebytes) redirected users who clicked on Google’s featured snippet links for a compromised Hungarian sports site to a website offering license keys for Microsoft products.
Some of the users were tricked into purchasing stolen merchandise. However, users who clicked on the Hungarian website directly were redirected to the Neutrino exploit kit. The final stage of the operation was the CrypMIC ransomware.
This is the average blackhat SEO campaign that ends with malware delivery. However, this is not the only malware-related issue involving SEO that users should be aware of.
A new version of Cerber ransomware was just detected: an iteration of the fourth major Cerber release, labelled Cerber 4.1.4.
It appears that the ransomware operators skipped Cerber 4.1.2 and 4.1.3 and released 4.1.4 directly. Nonetheless, if you google Cerber 4.1.3, you will see multiple websites that have covered this non-existent iteration of Cerber 4. For reasons beyond comprehension, Cerber 4.1.2 was bypassed by both sides, researchers and criminals alike. At the time this article is being written, no 4.1.2 information is available online, be it true or false.
Let’s get back to Cerber 4.1.4. The ransomware operators most likely noticed these websites (which may have published Cerber 4.1.3 articles for SEO purposes, or didn’t bother to research the subject in depth) and decided to go straight ahead with releasing the 4.1.4 iteration.
It feels like there is a silent dialogue going on between ransomware operators and what is being published on the Internet. And it makes sense. Ransomware creators want to know how their ransomware is doing online: how famous it has become and what cyber security researchers are saying about it.
A serious, well-educated, self-respecting malware researcher would never publish something that hasn’t been supported by actual facts.
There is a certain responsibility that comes with the title “cyber security researcher”, as the Cerber 4.1.3 episode shows. Surely, the presumption that “there is going to be a next iteration of Cerber” is always there; Cerber is one of the fastest-evolving ransomware families.
However, cyber security researchers shouldn’t encourage cyber criminals. They should do everything in their power to expose them, and should always seek ways to help victims of ransomware and cybercrime in general.