New Version of Cerber Ransomware Distributed via Malvertising

Cerber has become one of the most notorious and popular ransomware families in 2016. It has used a wide variety of tactics including leveraging cloud platforms and Windows Scripting and adding non-ransomware behavior such as distributed denial-of-service attacks to its arsenal. One reason for this popularity may be because it is frequently bought and sold as a service (ransomware-as-a-service, or RaaS).

The latest version of Cerber had functions found in earlier versions like the use of voice mechanism as part of its social engineering tactics. Similar to previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits.

Users are typically redirected to these exploit kit servers via ads appearing in a pop-up window after clicking a video to play. This ultimately leads to the download of Cerber. While this malvertisment campaign has affected several countries already, the attack is heavily concentrated in Taiwan. And although this malvertising campaign has been running for months, it was only now that it dropped Cerber 3.0 as its payload.

In the case of Magnitude, a simple redirect script was used. Rig, on the other hand, opened a website in the background that contained a screenshot of legitimate US clothing shopping sites, perhaps to make the ad look less suspicious.

Figure 1. Rig exploit kit redirection chain

Figure 2. Magnitude exploit kit redirection chain

Beyond those differences, however, Cerber remains the same. The initial ransom note uses wording that is essentially unchanged from previous versions:

Figure 3. Cerber 3.0 ransom note

The payment note is also similar to earlier variants, even offering a “discount”. Perhaps to reflect the ever-changing exchange rate of Bitcoins, the amount demanded has also changed. In the first version, Cerber demands 1.24 BTC (~US$523, as of March 4, 2016) and gave affected entities seven days. Cerber 3.0 asks for 1 BTC right away, but if the user waits more than five days the ransom doubles to 2 BTC.

Figure 4. Cerber version 3 ransom note

The encrypted files are renamed to have the *.cerber3 file extension. Shadow copies are also deleted by the ransomware, to prevent any backups based on this feature from being restored. It also uses a female voice to let users know that their files have been encrypted—like the initial version of Cerber did.

Solutions and Mitigation

The most fundamental defense against ransomware is still backing up. With proper backups in place, organizations need not worry about any data loss that may be incurred. At the very least, important files should be backed up on a regular basis. Practice the 3-2-1 rule wherein 3 copies are stored in two different devices, and another one to a safe location.

A good defense against malvertising (and exploit kits in general) is to keep the software in use up-to-date with all security patches. This will reduce the risk against a wide variety of attacks, not just ransomware. This includes both the operating system and any applications in use. A security solution that can proactively provide defense against attacks targeting vulnerabilities in the system’s software is also recommended.

Trend Micro offers solutions that protect users and organizations in all aspects –at the gateway, endpoints, networks, and even servers.

The following SHA1 hashes were involved in this attack:

• C60AB834453E6C1865EA2A06E4C19EA83982C1F9 – detected as RANSOM_CERBER.DLEY
• E9508FA87D78BC01A92E4FDBCD3D14B2836BC0E2 – detected as RANSOM_CERBER.DLEZ

Additional analysis by Mary Yambao

Updated on September 1, 2016, 7:00 PM (UTC-7):

Figure 1 and Figure 2 were updated.

Updated on September 6, 2016, 2:15 AM (UTC-7):

Ransom_CERBER.DLEY has been renamed to Ransom_CERBER.DLEZ.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:

ENTERPRISE »

SMALL BUSINESS»

HOME»