Microsoft Reports Cerber Ransomware Staging Holiday Onslaught

Microsoft security researchers warn that after a brief quiet period, the Cerber ransomware family has reemerged with a vengeance to target holiday shoppers and enterprise business data files.

Holiday Ransomware Campaign 2

The holidays are no time to drop one's guard when it comes to cyber-security.

After tracking the popular Cerber ransomware family and noticing a decline in activity earlier this month, the Microsoft Malware Protection Center warns that attackers have ratcheted up their efforts during what is considered a slow period at many businesses, but a prime shopping time for online bargain hunters.

Microsoft's security researchers have uncovered a pair of new campaigns, including a flood of new spam that exploits the uptick in ecommerce transactions during the season.

The Cerber ransomeware is constantly evolving. Not content with encrypting user files and holding them for ransom, last month Cerber's authors expanded into databases and files associated with critical business applications.

Version 4.1.5 of the ransomware was coded to seek out Microsoft Access, MySQL and Oracle database files. In some cases Cerber shuts down running databases so that the malware can encrypt files in use.

In the latest wave, attackers are spamming inboxes with malicious attachments that download and install the ransomware. The malware masquerades as password-protected zip files. The passcode is typically provided in the body of the email, which is another red flag for potential malware, that purportedly contains online order and delivery details.

Attackers are also using an exploit kit to spread Cerber over malicious and compromised websites. The sites use vulnerabilities like those found in older versions of Adobe Flash to download and execute the latest version of Cerber on a victim's machine. This tactic is proving particularly effective in Asia and Europe, telemetry data from Microsoft's Windows Defender anti-malware software shows.

Adding a new wrinkle in Cerber's development, version information has been removed from the ransomware's configuration data, making it somewhat tougher to track its evolution, observed Microsoft security specialists Rodel Finones and Francis Tan Seng, in their exhaustive analysis of the threat.

Cerber is also casting a wider net, targeting an additional 50 file types, while excluding .cmd, .exe. and .msi, a first for this type of ransomware.

Cerber also now prioritizes Office folders containing critical files, suggesting that attackers are targeting enterprise environments. Corporate networks are overflowing with sensitive information and business-critical software, adding urgency to efforts to protect against ransomware and its damaging effects.

Behind the scenes, two sets of additional IP address ranges have been added to the command-and-control server setup used by the malware to communicate with attackers. Finally, a Tor proxy site has replaced the three proxy sites that formerly provided a payment site. The privacy-enhancing Tor (The Onion Router) network employs encryption and relays to conceal an Internet user's location.

"For cyber-criminals, releasing a new version of malware not only increases [the] likelihood of evading antivirus detection; it's also a way of increasing the complexity of malware," the Microsoft security researchers noted. "Cerber's long list of updated behavior indicates that the cyber-criminals are highly motivated to continue improving the malware and the campaigns that deliver it."

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...