Clever Cerber ransomware attack spotted

Researchers at security specialist Forcepoint have disclosed details of an email attack distributing the Cerber ransomware. The blog was posted by Nicholas Griffin and is entitled Cerber Actor Distributing Malware Over E-Mail Via WSF Files.

According to Griffin: “Cerber has previously been seen distributed via exploit kits and over e-mail using DOC files with macros. This is the first time that we have seen Cerber distributed via the use of WSFs.” The attacks follow a common pattern of pretending to be an invoice with the remittance details attached. Increasing awareness of this type of attack means that a lot of recipients will ignore the malicious attachment. What they won’t expect is that the unsubscribe link at the bottom of the email is also booby trapped and will also download the malware.

There are a couple of interesting things in the blog that will surprise a lot of people. The first is that the attackers are using Windows Script files. According to the blog they are executable files that when clicked will be executed by the Windows wscript.exe utility. It is unlikely that many corporate builds will have removed the wscript.exe file and a look at  a couple of dozen machines in a local computer store showed that the file is present in all the computers that they sell as part of the basic Windows installation. This means that the chance of users getting infected is higher than normal.

The second thing that makes this interesting is the claim by Forcepoint that: “The uncommon use of a double-zipped file containing a WSF may fool some security solutions that rely on machine learning and/or heuristics.” It will be interesting to see how quickly vendors such as Cylance and others in this space respond to this claim.

Ransomware as a Service

What is interesting is the claim that Cerber is being distributed via Ransomware as a Service (RaaS). Forcepoint believe that this is a clever move by cybercriminals to compartmentalise all involved. Should the RaaS provider be taken down it would not impact those who have created campaigns to distribute it. The same is true if the Cerber authors are located and arrested. This process also means that everyone involved gets some part of the eventual payment for unlocking files making it a very profitable service.

The ransomware itself uses RC4 and RSA File Encryption which means that users have little chance of being able to decrypt files without paying the attacker. The way that the encryption is design means, according to Griffin that the ransomware doesn’t have to call home in order to encrypt files. However it seems that the authors were not as clever as they thought. Griffin says: “….we have determined that there are some weaknesses in the encryption implementation which would allow for partial file recovery. We are sharing our research privately with a small number of trusted partners and do not intend on releasing this information publicly.”

This is yet another attack that appears to stem from Russia. According to the Forcepoint press release the RaaS is hosted inside Russia. As the fallout from the Russia/Ukraine situation continues, the number of cyber attacks from inside Russia that are being reported by security researchers is continuing to rise. This is not just about political attacks and hacktivism but the opportunism of criminals taking advantage of the increased number of tools and toolkits that are suddenly flooding the Russia-based hacking forums.

Conclusion

This latest ransomware attack comes less than a week after the authors of TeslaCrypt published the universal decrypt key online, closed the project and said sorry to all those they infected. What is important to remember is that ransomware has become the most lucrative form of malware around. With the evolution of RaaS where anyone can craft an attack and begin to make money the barrier to use has also been substantially lowered.