Cerber Ransomware Capable Of Morphing Every 15 Seconds Is On The Loose
By Paul Liu
Tuesday, February 28th, 2017
Online threats are continuously evolving, and nothing demonstrates this more aptly than the recently discovered Cerber ransomware. Not only has the ransomware become one of the most talked-about security threats in a very short period of time, it now has the ability to produce a new version of itself every 15 seconds. Every new variant generated by Cerber has a totally unique signature, so it is going to be very difficult for security companies to identify and deal with the threat from now on.
Cerber ransomware was discovered in late February, and since then it has joined the ranks of the most dangerous threats lurking on the web. As per recent estimates, Cerber is now the third biggest ransomware on the internet, just behind the infamous Cryptowall and Locky threats. While it mostly targets users in the United States, the threat has also been found in a number of other countries, including Japan, Canada, Australia, Germany, Taiwan, Spain and Portugal. In addition to holding users’ computers to ransom, the ransomware has been a part of many other attacks, including the Neutrino and Magnitude campaigns, which exploited vulnerabilities in Flash Player. What’s worse, hackers have also used the threat to send UDP packets and launch Distributed Denial of Service (DDoS) attacks.
While Cerber is quite dangerous as it is, hackers have managed to make it even more menacing by creating a self-replicating version of the ransomware. Virginia-based security company Invincea Inc. was the first firm to discover and report the ransomware’s unique capability to morph itself. While attempting to download the threat’s payload following an attack, Invincea came across a new variant of the ransomware. The new version was otherwise identical to the payload that had caused the earlier attack, but it had a different hash signature. Intrigued by this discrepancy, the company’s researchers downloaded the payload again and were surprised to see yet another variant of the threat. In all, the researchers downloaded 40 different variants of the ransomware within a few minutes, and they also discovered that the threat was replicating itself every 15 seconds. What’s more, the payload was very similar to an infected file (contained within the Neutrino exploit kit) discovered in September 2015, suggesting that Cerber has been lurking around since at least last year.
Invincea suspects that the attackers behind the ransomware were using a server-side malware factory to create new variants of the threat. However, the company’s researchers were unable to identify whether Cerber was morphing on the server or was being generated elsewhere and then uploaded via a script. Invincea also discovered that the threat was being spread through MS Outlook via an MS Office document attachment. Once a user downloads an infected file, it automatically downloads the payload from a remote server and assigns itself system privileges as well as networking capabilities.
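The re-download pattern Invincea describes (one URL serving a payload with a new hash every few seconds) is something defenders can look for in their own proxy logs, since a hash blocklist cannot keep up with it. The following is an added example, not code from the article or from Invincea: it runs over a constructed proxy log, and the hostnames, paths, client IPs and digests are placeholders.

```python
"""Flag download URLs whose response hash keeps changing within a short window (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, client IP, URL, SHA-256 of the response body.
# Digests are shortened placeholders, not real indicators.
SAMPLE_LOG = """\
2017-02-27T10:00:00 10.0.0.5 http://payload.example/update.exe 1a2b3c01
2017-02-27T10:00:15 10.0.0.5 http://payload.example/update.exe 1a2b3c02
2017-02-27T10:00:30 10.0.0.5 http://payload.example/update.exe 1a2b3c03
2017-02-27T10:00:45 10.0.0.5 http://payload.example/update.exe 1a2b3c04
2017-02-27T10:01:00 10.0.0.5 http://payload.example/update.exe 1a2b3c05
2017-02-27T10:00:05 10.0.0.7 http://cdn.example/setup.msi 9f9f9f01
2017-02-27T10:03:05 10.0.0.9 http://cdn.example/setup.msi 9f9f9f01
2017-02-27T10:00:05 10.0.0.7 http://vendor.example/agent.exe 77770001
2017-02-27T13:00:05 10.0.0.7 http://vendor.example/agent.exe 77770002
"""

def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, client, url, digest)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, url, digest = line.split()
            records.append((datetime.fromisoformat(ts), client, url, digest))
    return records

def find_polymorphic_urls(records, window=timedelta(minutes=5), min_variants=3):
    """Return {url: (distinct_hashes, fastest_change_seconds)} for URLs whose body
    hash took at least `min_variants` distinct values inside one `window`.
    A legitimate installer updated once a day stays below the threshold; a
    server-side factory handing out a fresh binary per fetch does not."""
    by_url = defaultdict(list)
    for ts, _client, url, digest in records:
        by_url[url].append((ts, digest))
    flagged = {}
    for url, events in by_url.items():
        events.sort()
        best = 0
        for i, (start, _digest) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - start <= window}
            best = max(best, len(in_window))
        if best >= min_variants:
            # Shortest gap between two consecutive fetches that returned different hashes.
            gaps = [(t2 - t1).total_seconds()
                    for (t1, d1), (t2, d2) in zip(events, events[1:]) if d1 != d2]
            flagged[url] = (best, min(gaps))
    return flagged

if __name__ == "__main__":
    for url, (n, gap) in find_polymorphic_urls(parse_log(SAMPLE_LOG)).items():
        print(f"{url}: {n} distinct hashes, fastest change after {gap:.0f}s")
```

Flagged URLs are candidates for blocking by host or URL rather than by file hash, which is the control the morphing defeats.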
There is no doubt that the self-replicating feature of Cerber is totally unique and highly dangerous. This menacing addition will not only propel the ransomware to the top of the list of the biggest security threats, it will make the job of security firms and professionals a lot more difficult.