Batu69 Posted March 4, 2016

Cerber ransomware distributed as a RaaS service

[Image: Cerber ransom note]

The latest addition to the ransomware spectrum is a new threat called Cerber that encrypts users' files and then provides a TTS (text-to-speech) feature that reads out the ransom note.

First signs of Cerber infections appeared last week, and according to security firm SenseCy, the ransomware is the product of a team of Russian coders who are advertising it as a RaaS service via underground hacking forums in Russia.

RaaS stands for Ransomware-as-a-Service and is a new business model for ransomware operators, in which they provide ready-coded ransomware and allow other criminals to distribute it via spam and spear-phishing campaigns. The original coders take a small percentage, but only when the victim pays the ransom.

It is unknown if the crooks currently spreading the recent wave of Cerber ransomware are using malvertising or spam campaigns.

Cerber intentionally avoids Russian-speaking countries

Security researchers that took a look at the Cerber code said it was specifically built to avoid infecting users living in former Soviet countries.

Another kink in Cerber's operations is the fact that, before encrypting files, the ransomware shows an error prompt through which it fools the user into restarting the computer. The ransomware makes the PC restart in "Safe Mode with Networking" and then forcibly restarts the computer again in normal mode.

After this forced restart, Cerber starts encrypting files with an AES algorithm. The ransomware targets 380 file types, and during the encryption process it scrambles the files' names and adds the .cerber extension at the end. Currently, the Cerber ransomware is undecryptable.

Cerber's ransom note speaks to you

Once the encryption process has finished, the ransomware drops three notes in text, HTML, and VBS format in each folder where it encrypted data. The VBS ransom note, if opened, will recite the ransom note to the user.

The ransom note asks for 1.24 Bitcoin ($520 / €475), a sum that doubles after the first week. As usual, users need to pay the ransom in Bitcoin over a Dark Web URL (.onion domain).

The ransomware was discovered by two independent security researchers, @BiebsMalwareGuy and @MeegulWorth, and was analyzed by researchers from Bleeping Computer and Malwarebytes.

Quote: "#Cerber #ransomware uses a config in JSON https://t.co/FhGfr2usyZ - i.e. public key, countries blacklist, attacked extensions" — hasherezade (@hasherezade) March 3, 2016

Quote: "Cerber ransomware is offered as a service on a Russian closed forum @malwrhunterteam @BleepinComputer #SenseCy pic.twitter.com/W7Cnpywl6s" — SenseCy (@SenseCyBlog) March 3, 2016

Article source
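The article gives a responder three on-disk indicators: files renamed to a scrambled stem with a .cerber extension, and a set of three ransom notes (text, HTML, VBS) dropped into every folder that was encrypted. The following triage scanner is an added example written for this thread, not code from the article or from any of the researchers it quotes. It walks a directory tree and reports those indicators. Two things are assumptions rather than published facts: the ransom-note basename (the article does not give one, so the scanner treats any .txt/.html/.vbs trio sharing a stem in one folder as a note set), and the "looks scrambled" heuristic for filenames (8 or more characters from [A-Za-z0-9_-]). The sample tree it scans is constructed inline for the demo.

```python
"""Triage scanner for the on-disk indicators described for Cerber.

Added example, not part of the original post. Assumptions (not from the
article): note basenames are unknown, so a note set is any .txt/.html/.vbs
trio sharing a stem in one folder; a stem of 8+ chars from [A-Za-z0-9_-] is
treated as "scrambled". The sample tree below is constructed for the demo.
"""
import os
import re
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".cerber"                        # extension the article reports
NOTE_SUFFIXES = frozenset({".txt", ".html", ".vbs"})  # the three note formats
SCRAMBLED_STEM = re.compile(r"^[A-Za-z0-9_-]{8,}$")    # heuristic (assumption)


def scan_tree(root):
    """Walk root and collect Cerber-style indicators.

    Returns a dict with:
      encrypted_files : paths whose extension is .cerber
      scrambled_names : subset of those whose stem looks randomised
      note_folders    : folders holding a complete .txt/.html/.vbs note set
      folders_hit     : number of folders with at least one indicator
    """
    found = {"encrypted_files": [], "scrambled_names": [],
             "note_folders": [], "folders_hit": 0}
    for dirpath, _dirs, files in os.walk(root):
        note_stems = defaultdict(set)   # stem -> set of note suffixes seen
        hit = False
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext == ENCRYPTED_EXT:
                path = os.path.join(dirpath, name)
                found["encrypted_files"].append(path)
                if SCRAMBLED_STEM.match(stem):
                    found["scrambled_names"].append(path)
                hit = True
            elif ext in NOTE_SUFFIXES:
                note_stems[stem].add(ext)
        # The article: three notes (text, HTML, VBS) dropped in each folder.
        if any(exts == NOTE_SUFFIXES for exts in note_stems.values()):
            found["note_folders"].append(dirpath)
            hit = True
        if hit:
            found["folders_hit"] += 1
    return found


# Constructed sample layout; "RECOVER_FILES_NOTE" is a placeholder basename.
SAMPLE_LAYOUT = {
    "docs": ["report.docx", "budget.xlsx"],                     # untouched
    "photos": ["aB3kd9Qx1.cerber", "Zt81mNpqR.cerber",          # encrypted + notes
               "RECOVER_FILES_NOTE.txt", "RECOVER_FILES_NOTE.html",
               "RECOVER_FILES_NOTE.vbs"],
    "music": ["song.cerber", "RECOVER_FILES_NOTE.txt",          # incomplete note set
              "RECOVER_FILES_NOTE.html"],
    "desktop": ["RECOVER_FILES_NOTE.txt", "RECOVER_FILES_NOTE.html",  # notes only
                "RECOVER_FILES_NOTE.vbs"],
}


def build_sample_tree(root):
    """Create the constructed sample layout under root (placeholder contents)."""
    for folder, names in SAMPLE_LAYOUT.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("placeholder\n")


def demo():
    """Build the sample tree in a temp dir, scan it, return findings by basename."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = scan_tree(root)
    found["encrypted_files"] = sorted(os.path.basename(p) for p in found["encrypted_files"])
    found["scrambled_names"] = sorted(os.path.basename(p) for p in found["scrambled_names"])
    found["note_folders"] = sorted(os.path.basename(d) for d in found["note_folders"])
    return found


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the findings for the constructed tree; point `scan_tree` at a real share or user profile to use it for triage. The "music" folder shows why the two indicators are reported separately: a .cerber file with only two of the three notes still counts as a hit, but not as a complete note set, so an incomplete drop does not hide an encrypted folder.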
vibranium Posted March 4, 2016 Smart move, not preying on their own people, or they would be #R^@ed within a week.
knowledge-Spammer Posted March 4, 2016 now this not good
Chancer Posted March 4, 2016 I wonder if Malwarebytes Anti-Ransomware will be effective against it.
benjd91 Posted March 9, 2016 Can they also it as a service to normal people? I'd like my files to be encrypted in a non-reversible way, so that when prying eyes look at it, they can't make sense of it. Tho, they might buy the ransomware to get into people's files too.. Avoiding Russian-speaking countries? Hmm, what if I name my files in Russian?
This topic is now archived and is closed to further replies.