New malicious spam campaign stokes Cerber distribution

According to the virus researchers, Cerber currently stands in the third place among the most actively distributed ransomware viruses out there. It is outrun by Locky and CryptoWall, but its recent turn to the new distribution techniques suggests that Cerber developers are not planning to tag behind any longer. On November 24th, the researchers have discovered a new spam campaign that is actively spreading this ransomware via malicious links. These links are delivered to the user’s email inbox directly, accompanied by a short notice urging the potential victim to check them out. The hackers use various social engineering tricks to make these emails look as legitimate and trustworthy as possible, to ensure a higher system infiltration possibility. This technique has been proven especially successful, and most of the users get tricked into clicking these links that supposedly contain some important information, such as speeding tickets, official documents, online purchase confirmations, etc. As soon as the link is activated, the Google redirect service connects the victim to an anonymous TOR network from which the malicious virus payload is downloaded. It is interesting that the victim does not have to be TOR client as the hackers employ Tor2Web proxy service to initiate the infectious download. This makes this virus extremely difficult to detect and expose before it infiltrates the computer.

Cerber distributed via spam campaigns

The newest version of the virus Cerber 5.0.1 is activated via the MS Word document which contains a malicious script designed to enable Windows Powershell and download the Cerber 5.0.1 executable on the infected PC. Once the virus is on the computer, it can start encrypting documents, pictures, video and audio material, and any files that are included in its target list. This process may last from a few minutes to a couple of hours or even days, depending on the amount of the information stored on the infected device or network. After it is complete, the encrypted files are appended with random file extensions; filenames are replaced with jumbles of symbols and the contents of these documents become inaccessible. Unfortunately, it is virtually impossible to regain access to these files without indirectly supporting the cyber criminals which ask money for the data decryption key. Thus, it is better to try to avoid the attack rather than deal with its consequences later. So, we strongly recommend staying away from the shady emails with obscure subject lines such as “Hi,” “How are you,” “Howdy,” “Whats up” or “Hey” which feature suspicious links and push you into clicking them. Also, don’t forget to keep backup copies of your important files and you will always have a recovery option in case of an emergency.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions