A study reveals, the Cerber ransomware attacks have been showing an upward trend continuously. The ransomware mainly exploits a security flaw that targets PCs running on Windows. When infected, the data on infected computers becomes encrypted with AES encryption and demands ransom in exchange for information.
Attackers these days are relying more on spam network for making the Dridex financial Trojan a serious threat. Cerber distribution method is mostly via exploit kits, with Magnitude and Nuclear Pack exploiting a zero-day in Adobe Flash Player (CVE-2016-1019). However, FireEye reports reveal something more important – It suggests Cerber is now part of a spam campaign linked to Dridex botnets.
Dridex is a financial Trojan that targets the acquisition of financial details of a user. Chief mode of distribution is Dridex botnets believed to be the force behind massive spam campaigns since February.
FireEye security analysts in a research blog writes:
“By partnering with the same spam distributor that has proven its capability by delivering Dridex on a large scale, Cerber is likely to become another serious email threat similar to Dridex and Locky”.
According to FireEye, Cerber ransomware follows the same spam framework as Dridex. How is this done? Emails are sent with an attachment disguised as an invoice. It is this invoice that features malicious VBScript. Once the user opens the document a process is initiated that injects the virus and avoids detection.
It, then targets email, Word documents, and other files appending encrypted files with the ‘.cerber’ file extension. Victims are prompted to visit various versions of the “decrypttozxybarc” domain.
If the threat of Cerber is not taken seriously it will emerge as a serious problem similar to Dridex and Locky ransomware. As such, it is better to follow old saying ‘Prevention is better than cure’. Users should be to be cautious when opening documents and other files from unknown senders.
UPDATE: Check Point has released a Cerber Ransomware Decrypter Tool.
Read: What to do after a Ransomware attack.