
New Version of Cerber Ransomware Distributed via Malvertising

  • Posted on:August 31, 2016 at 8:28 pm
  • Posted in:Exploits, Malware, Ransomware
  • Author:
    Joseph C Chen (Fraud Researcher)

Cerber has become one of the most notorious and popular ransomware families in 2016. It has used a wide variety of tactics, including leveraging cloud platforms and Windows Scripting, and has added non-ransomware behavior such as distributed denial-of-service attacks to its arsenal. One reason for this popularity may be that it is frequently bought and sold as a service (ransomware-as-a-service, or RaaS).

The latest version of Cerber retains functions found in earlier versions, such as the use of a voice mechanism as part of its social engineering tactics. Like previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits.

Users are typically redirected to these exploit kit servers via ads that appear in a pop-up window after the user clicks on a video to play it. This ultimately leads to the download of Cerber. While this malvertising campaign has already affected several countries, the attack is heavily concentrated in Taiwan. And although the campaign has been running for months, it only now started dropping Cerber 3.0 as its payload.

In the case of Magnitude, a simple redirect script was used. Rig, on the other hand, opened a website in the background that contained a screenshot of legitimate US clothing shopping sites, perhaps to make the ad look less suspicious.

Figure 1. Rig exploit kit redirection chain

Figure 2. Magnitude exploit kit redirection chain

Beyond those differences, however, Cerber remains the same. The initial ransom note uses wording that is essentially unchanged from previous versions:

Figure 3. Cerber 3.0 ransom note

The payment note is also similar to earlier variants, even offering a “discount”. Perhaps to reflect the ever-changing exchange rate of Bitcoin, the amount demanded has also changed. The first version of Cerber demanded 1.24 BTC (~US$523, as of March 4, 2016) and gave affected entities seven days. Cerber 3.0 asks for 1 BTC right away, but if the user waits more than five days the ransom doubles to 2 BTC.

Figure 4. Cerber version 3 ransom note

The encrypted files are renamed to have the *.cerber3 file extension. Shadow copies are also deleted by the ransomware, to prevent any backups based on this feature from being restored. It also uses a female voice to let users know that their files have been encrypted—like the initial version of Cerber did.
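The two behaviors described above, the *.cerber3 extension on encrypted files and the deletion of shadow copies, are both visible in endpoint telemetry. The following is an added detection example, not code from the original post or from Trend Micro: it runs two rules over constructed, simplified Sysmon-style `key=value` log lines (the line format, paths, PIDs and the `vssadmin` command line are assumptions used only to exercise the logic).

```python
"""Behavioural detection for two Cerber 3.0 traits: renaming encrypted files
to *.cerber3 and deleting Volume Shadow Copies.

Added example. The log format is a constructed, simplified Sysmon-like
key=value line (EventID=1 process creation, EventID=11 file creation);
it is not real Trend Micro or Sysmon output.
"""
import re
from collections import Counter

# Constructed sample telemetry: paths, PIDs and command lines are made up.
SAMPLE_EVENTS = [
    'EventID=11 ProcessId=4120 Image="C:\\Users\\alice\\AppData\\Local\\Temp\\rad3F1.tmp.exe" TargetFilename="C:\\Users\\alice\\Documents\\budget.xlsx.cerber3"',
    'EventID=11 ProcessId=4120 Image="C:\\Users\\alice\\AppData\\Local\\Temp\\rad3F1.tmp.exe" TargetFilename="C:\\Users\\alice\\Documents\\notes.txt.cerber3"',
    'EventID=11 ProcessId=4120 Image="C:\\Users\\alice\\AppData\\Local\\Temp\\rad3F1.tmp.exe" TargetFilename="C:\\Users\\alice\\Pictures\\holiday.jpg.cerber3"',
    'EventID=1 ProcessId=4188 ParentProcessId=4120 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'EventID=11 ProcessId=2200 Image="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" TargetFilename="C:\\Users\\alice\\Documents\\letter.docx"',
]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Shadow-copy deletion through the built-in VSS administration tool
# (the standard way the page's "shadow copies are also deleted" shows up).
SHADOW_DELETE_RE = re.compile(r'vssadmin(?:\.exe)?\s+delete\s+shadows', re.IGNORECASE)

CERBER_EXT = ".cerber3"


def parse_event(line):
    """Parse one key=value log line into a dict of string fields."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV_RE.findall(line)}


def detect(events, rename_threshold=3):
    """Return a list of alert strings for the given log lines.

    Rule 1: any process creation whose command line deletes shadow copies.
    Rule 2: any process that creates at least `rename_threshold` files with
            the .cerber3 extension (a single hit could be a false positive;
            a burst from one process is the ransomware's encryption loop).
    """
    alerts = []
    cerber3_writes = Counter()   # pid -> number of *.cerber3 files created
    image_by_pid = {}

    for line in events:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id == "1" and SHADOW_DELETE_RE.search(ev.get("CommandLine", "")):
            alerts.append(
                f"shadow-copy deletion by PID {ev.get('ProcessId')} "
                f"(parent PID {ev.get('ParentProcessId')}): {ev['CommandLine']}"
            )
        elif event_id == "11":
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(CERBER_EXT):
                pid = ev.get("ProcessId")
                cerber3_writes[pid] += 1
                image_by_pid[pid] = ev.get("Image")

    for pid, count in cerber3_writes.items():
        if count >= rename_threshold:
            alerts.append(
                f"{count} files written with {CERBER_EXT} extension by PID {pid} "
                f"({image_by_pid[pid]})"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In a real deployment the parent/child relationship matters: the shadow-copy deletion here is spawned by the same process (PID 4120) that is writing the *.cerber3 files, which is a far stronger signal than either rule on its own.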

Solutions and Mitigation

The most fundamental defense against ransomware is still backing up. With proper backups in place, organizations need not worry about any data loss that may be incurred. At the very least, important files should be backed up on a regular basis. Practice the 3-2-1 rule: keep three copies of your data, stored on two different devices, with one copy kept in a separate, safe location.

A good defense against malvertising (and exploit kits in general) is to keep the software in use up-to-date with all security patches. This will reduce the risk against a wide variety of attacks, not just ransomware. This includes both the operating system and any applications in use. A security solution that can proactively provide defense against attacks targeting vulnerabilities in the system’s software is also recommended.

Trend Micro offers solutions that protect users and organizations in all aspects: at the gateway, endpoints, networks, and even servers.

PROTECTION FOR ENTERPRISES

  • Email and Gateway Protection

    Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web.

    Spear phishing protection
    Malware Sandbox
    IP/Web Reputation
    Document exploit detection
  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Small-Medium Businesses

    Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.

    Ransomware behavior monitoring
    IP/Web Reputation
  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

The following SHA1 hashes were involved in this attack:

  • C60AB834453E6C1865EA2A06E4C19EA83982C1F9 – detected as RANSOM_CERBER.DLEY
  • E9508FA87D78BC01A92E4FDBCD3D14B2836BC0E2 – detected as RANSOM_CERBER.DLEZ
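For responders who want to sweep a file share or endpoint for the samples listed above, here is an added example (not code from the original post or from Trend Micro) that hashes every file under a directory and matches the digests against the two SHA1 indicators. The `demo()` self-test uses a harmless constructed file whose hash is added to a copy of the indicator list, so the scan logic can be exercised offline without any malware sample.

```python
"""SHA1 indicator sweep for the Cerber 3.0 samples named in the post.

Added example; the only page-specific values are the two SHA1 hashes and
their detection names. Everything in demo() is constructed test data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA1 indicators as listed in the post (the Sept 6 update notes that
# Ransom_CERBER.DLEY was later renamed to Ransom_CERBER.DLEZ).
CERBER3_SHA1 = {
    "c60ab834453e6c1865ea2a06e4c19ea83982c1f9": "RANSOM_CERBER.DLEY",
    "e9508fa87d78bc01a92e4fdbcd3d14b2836bc0e2": "RANSOM_CERBER.DLEZ",
}


def lookup(digest, indicators=CERBER3_SHA1):
    """Return the detection name for a SHA1 hex digest, or None if unknown."""
    return indicators.get(digest.strip().lower())


def sha1_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, indicators=CERBER3_SHA1):
    """Walk `root` and return {path: detection_name} for every matching file."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            match = lookup(digest, indicators)
            if match is not None:
                hits[path] = match
    return hits


def demo():
    """Constructed self-test: no real Cerber sample is used.

    A benign file and a placeholder file are written to a temporary
    directory; the placeholder's own hash is added to a copy of the
    indicator list so that exactly one file should match.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "readme.txt"
        benign.write_bytes(b"just a text file\n")
        placeholder = Path(tmp) / "sample.bin"
        placeholder.write_bytes(b"constructed placeholder, not malware\n")

        indicators = dict(CERBER3_SHA1)
        indicators[sha1_of_file(placeholder)] = "TEST_INDICATOR"

        hits = scan_tree(tmp, indicators)
        return {os.path.basename(p): name for p, name in hits.items()}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else demo()
    for path, name in results.items():
        print(f"{path}: {name}")
```

Run it with a directory argument to sweep that tree against the post's indicators, or with no argument to run the offline self-test. Hash-based sweeps only catch these exact samples; pair them with the behavioral signals (the *.cerber3 extension and shadow-copy deletion) for coverage of repacked variants.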

Additional analysis by Mary Yambao

Updated on September 1, 2016, 7:00 PM (UTC-7):

Figure 1 and Figure 2 were updated.

Updated on September 6, 2016, 2:15 AM (UTC-7):

Ransom_CERBER.DLEY has been renamed to Ransom_CERBER.DLEZ.

Tags: CERBER, Magnitude exploit kit, malvertising, ransomware, Rig exploit kit
