We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.Read More
Early this month, a new variant of mobile ransomware SLocker (detected by Trend Micro as ANDROIDOS_SLOCKER.OPST) was detected, copying the GUI of the now-infamous WannaCry. The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom. After laying low for a few years, it had a sudden resurgence last May. This particular SLocker variant is notable for being one of the first Android file-encrypting ransomware, and the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak.Read More
Cerber set itself apart from other file-encrypting malware when its developers commoditized the malware, adopting a business model where fellow cybercriminals can buy the ransomware as a service. The developers earn through commissions—as much as 40%—for every ransom paid by the victim. Coupled with persistence, Cerber turned into a cybercriminal goldmine that reportedly earned its developers $200,000 in commissions in a month alone last year.
Being lucrative and customizable for affiliates, it’s no wonder that Cerber spawned various iterations. Our coverage of unique Cerber samples—based on feedback from Smart Protection Network™—shows enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries.
A reflection of how far Cerber has come in the threat landscape—and how far it’ll go—is Cerber Version 6, the ransomware’s latest version we’ve uncovered and monitored since early April this year. It sports multipart arrival vectors and refashioned file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.Read More
We have tracked three malvertising campaigns and one compromised site campaign using Cerber ransomware after version 4.0 (detected as as Ransom_CERBER.DLGE) was released a month after version 3.0. More details of this latest iteration of Cerber are listed in a ransomware advertisement provided by security researcher Kafeine.Read More
Some time ago, I was asked by a colleague to develop a set of Yara rules to detect samples of the Stampado ransomware family. (Yara is an open-source tool used by security researchers to spot and categorize malware samples according to a set of defined rules.)
Stampado is a relatively new Ransomware-as-a-Service (RaaS) threat that’s been on our radar recently. I had access to only a few samples at the time, and first tried looking for common strings among them but had no luck. I then went to compare the files structures and realized all of them had an interesting section at the end of the file, like the one starting at offset 0xde000 as follows:Read More