We have tracked three malvertising campaigns and one compromised-site campaign using Cerber ransomware after version 4.0 (detected as Ransom_CERBER.DLGE) was released a month after version 3.0. More details of this latest iteration of Cerber are listed in a ransomware advertisement provided by security researcher Kafeine.
The upgrades include shifting the ransom note from HTML to .hta format. The ransomware authors have also stopped using the consistent string “.cerber3” as the extension for encrypted files, and have turned to using a random string generated for each infection as the new file extension. Based on the speedy adoption of Cerber 4.0—which has been seen in the wild since the start of October—the upgrades seem to have caught the attention of cybercriminals.
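As an added defender-side example (not from the original post), here is a Python heuristic that does not depend on a fixed marker such as “.cerber3”: it flags a burst of file writes that share one previously unseen extension appended to known document types, together with .hta note files dropped in the same folders. The sample events, the extension k7q2 and the note name README.hta are constructed for illustration.

```python
from collections import Counter

# Constructed sample of file-write events (paths only), a minimal stand-in for
# EDR or file-audit telemetry. Extension "k7q2" and "README.hta" are made up.
SAMPLE_EVENTS = [
    r"C:\Users\alice\Documents\budget.xlsx.k7q2",
    r"C:\Users\alice\Documents\report.docx.k7q2",
    r"C:\Users\alice\Pictures\holiday.jpg.k7q2",
    r"C:\Users\alice\Pictures\README.hta",
    r"C:\Users\alice\Desktop\notes.txt.k7q2",
    r"C:\Users\alice\Desktop\README.hta",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
]

# Extensions the environment normally writes; anything else is "unseen".
KNOWN_EXTENSIONS = {"xlsx", "docx", "jpg", "txt", "pdf", "log", "hta", "html", "exe", "dll"}

def split_ext(path):
    """Return (stem, final extension) of the file name, extension lower-cased."""
    name = path.rsplit("\\", 1)[-1]
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, ext.lower()

def analyze(events, min_files=3, min_share=0.5):
    """Count writes whose name is <known ext>.<unknown ext>, e.g. report.docx.k7q2,
    and collect folders that received an .hta note. Flag when one unseen extension
    covers at least min_files files and at least min_share of non-note writes."""
    unseen = Counter()
    note_dirs = set()
    total = 0
    for path in events:
        stem, ext = split_ext(path)
        if ext == "hta":
            note_dirs.add(path.rsplit("\\", 1)[0])
            continue
        total += 1
        _, inner = split_ext(stem)  # original extension hidden under the new one
        if ext and ext not in KNOWN_EXTENSIONS and inner in KNOWN_EXTENSIONS:
            unseen[ext] += 1
    if not unseen:
        return {"suspicious": False}
    ext, count = unseen.most_common(1)[0]
    suspicious = count >= min_files and count / total >= min_share
    return {"suspicious": suspicious, "extension": ext,
            "renamed": count, "note_dirs": sorted(note_dirs)}
```

Thresholds are tunable; on the constructed sample four of five non-note writes share “k7q2”, so the burst is flagged along with the two folders holding the note.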
The advertisement reads:
| Cerber Ransomware 4.0 | Cerber Ransomware 4.0 (translated) |
| --- | --- |
| – FUD на топовых антивирусах (скантайм / рантайм) | – FUD against top antivirus products (scantime / runtime) |
| – Обход мониторинга активности (массовое изменение, обход ханипотов итд.) | – Bypasses activity monitoring (mass file modification, honeypot evasion, etc.) |
| – Обход всех известных anti-ransomware программ | – Bypasses all known anti-ransomware programs |
| – Работает 5 крипторов 7 дней в неделю | – 5 crypters working 7 days a week |
| – Обновленный морф | – Updated morpher |
| – Новые инструкции на 13 языках + новый фон | – New instructions in 13 languages + new background |
| – Синхронизация доменов через блокчейн (больше не важно забанили домен лендинга или нет) | – Domain synchronization via blockchain (it no longer matters whether the landing domain is banned) |
| – Рандомное расширение для шифрованных файлов, обновленный алгоритм шифрования | – Random extension for encrypted files, updated encryption algorithm |
| – Новые типы файлов для шифрования | – New file types to encrypt |
| – Закрытие запущенных процессов всех топовых баз данных | – Terminates the running processes of all major databases |
| – Обновленный JS Loader | – Updated JS Loader |
| – Новые onion домены и многое другое. | – New onion domains and much more. |
The quick popularity of Cerber 4.0
As we reported previously, Cerber has become one of the most prominent ransomware families of 2016. It has a wide range of capabilities and is often bought and sold as a service (ransomware-as-a-service or RaaS)—even earlier versions were peddled as RaaS in underground markets. The rapid release of Cerber updates has made it an increasingly popular payload for several exploit kits. This follows our research, which shows that exploit kits continuously adopt ransomware families to target new vulnerabilities.
One campaign that seems to favor the latest version of Cerber is PseudoDarkleech, a continuously changing campaign that mostly delivers ransomware through compromised sites. It previously distributed CrypMIC and CryptXXX, but Trend Micro researchers noted that PseudoDarkleech switched to Cerber 4.0 on October 1.
Figure 1. This version of PseudoDarkleech directly injects the RIG exploit kit link onto the compromised site
Figure 2. Another variety of PseudoDarkleech directs visitors to a redirect server, which will direct them to a RIG exploit kit
Two older malvertisement campaigns also use Cerber 4.0. One campaign employs the Magnitude exploit kit, which is a long-time carrier of Cerber. Magnitude upgraded on October 3 and is continuously pushing Cerber 4.0 into countries in Asia, specifically Taiwan, Korea, Hong Kong, Singapore and China.
The second campaign typically employs a casino-themed fake advertisement, and researchers previously found it delivering the Andromeda or Betabot (detected by Trend Micro as Neurevt) malware to many countries. On October 4, Trend Micro researchers saw the campaign change its payload to Cerber 4.0 as well. This was the first instance in which we detected it delivering Cerber 4.0, and it used the RIG exploit kit—another exploit kit with a previous history with Cerber.
Figure 3. RIG exploit kit malvertising delivers new Cerber ransomware
Figure 4. The casino-themed fake advertisement
Neutrino exploit kit still live, now with Cerber 4.0
A new malvertisement campaign we first identified on September 8 was found distributing Cerber 3.0, before it upgraded to Cerber 4.0 on October 3. It was distributed to the US, Germany, Spain, Taiwan and Korea. Interestingly, the campaign used the Neutrino exploit kit to deliver this ransomware, despite claims by the Neutrino team that they had stopped their service. Security researcher Kafeine reported a message from the Neutrino account on September 9: “we are closed, no new rents, no extends more”. Although Neutrino appears to have retreated, one speculation is that the crew is afraid of being exposed by cybersecurity firms. Another theory is that they have gone into “private” mode, meaning the exploit kit is only available to VIP clients handling larger operations.
Figure 5. Neutrino malvertising serves Cerber ransomware
Solutions and Mitigation Tactics
Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.
Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Trend Micro offers gateway, endpoint, network, and even server solutions that protect enterprises and consumers.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. Key capabilities: Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention.
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. Key capabilities: Webserver Protection, Vulnerability Shielding.
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. Key capabilities: Ransomware Behavior Monitoring, IP/Web Reputation.
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. Key capabilities: IP/Web Reputation, Ransomware Protection.