Ransomware Recap: Oct. 14, 2016
Trend Micro researchers recently uncovered three malvertising campaigns and a compromised website campaign leveraging one of the most prominent and fast-evolving ransomware variants of late: Cerber. An entry published early last week follows the trail of Cerber version 4.0 (detected as RANSOM_CERBER.DLGE) in these ongoing campaigns, shortly after the release of version 3.0.
Security researcher Kafeine provided an advertisement that highlights the upgrades and marked improvements of the ransomware family in its latest version, including the noticeable shift of its ransom notes from html format to .hta. The use of randomly-generated strings as file extensions for each successful infection is also a new feature, veering away from its earlier variants' use of the extension .cerber3 on encrypted files. According to Trend Micro researchers, the latest Cerber variant has been spotted in the wild since the onset of October, and has since gained traction among cybercriminals.
This development attests to our recently published threat report on the continuing reign of ransomware, which details the continuous adoption of exploit kits and ransomware families targeting newer vulnerabilities.
Since the beginning of October, PseudoDarkleech, a campaign known to operate through compromised websites, shifted to Cerber 4.0 after previously being sighted distributing CrypMic and CryptXXX.
Older malvertisement campaigns have also been observed turning to Cerber 4.0, similar to the way another identified campaign utilizes the Magnitude exploit kit—whose history is no stranger to Cerber. Another campaign, which makes use of an old casino-themed fake advertisement, was discovered to have shifted gears. It used to deliver Andromeda malware (detected by Trend Micro as Neurevt), but started using the RIG exploit kit to drop Cerber 4.0 in early October.
Much more recently, at the onset of October, a new malvertisement campaign was seen distributing Cerber 4.0—merely a month after it was found dropping Cerber 3.0 using the Neutrino exploit kit. Neutrino, however, recently closed shop, with the team behind it reportedly putting it “out of service”.
The same week, a closer probe into the activities of Cerber led Trend Micro researchers towards the discovery of a new method of infection used by its latest version. This time, it involves the use of an infected PDF file (detected by Trend Micro as PDF_CERBER.A) with an embedded JS script.
A message box appears and tricks a would-be victim into opening the malicious document. Once the document is opened, the JS script gets dropped and prompts the download of the latest Cerber version.
Here are other notable ransomware variants reportedly seen over the past week:
EXOTIC
According to reports, this ransomware appears to be still in development, with two other variants observed to have come from the same group of perpetrators. The other two variants display an image of German dictator, Adolf Hitler. Another Hitler-influenced ransomware, named Hitler, was also spotted to have resurfaced recently. However, no links between these similarly-themed variants can be found as of this writing.
APT Ransomware v2.0
VENIS
To defend against ransomware, a multi-layered approach is vital to make sure that all gateways of compromise are secure from this ever-evolving threat. A solid back-up strategy can also mitigate the potential damage of a successful infection.
Ransomware Solutions
Trend Micro offers different solutions to help enterprises, small businesses, and home users minimize the risk of getting affected by ransomware:
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, like behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.
Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.