Best Security Search
Ransomware Security News

Cerber Ransomware Holiday Spike – Is File Decryption Possible?

Various security reports that there is a very large spike in the Cerber ransomware attacks during the Holiday season, read on to find out more about the threat.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Cerber Ransomware Campaigns Surge

One of the most dangerous ransomware families this year is Cerber and because of its devastating impact the campaigns that launch attacks on victim never end. This holiday season we have witnessed a large surge of attacks that deliver the primary payload of this malware and as such it is important to notify all of our readers of the dangers it poses.

We remind you that we have created in-depth removal guides for all strains of the Cerber family.

Various hacking groups have been able to obtain the Cerber code and use it against all types of computer targets – from individual users to large businesses and even corporations. In this article we will present the details about the new campaigns.

The Microsoft Holiday Cerber Ransomware Alert

One of the recent reports that indicated the surge of Cerber ransomware activity came from Microsoft. The company’s Malware Protection Center warned that their researchers have identified new signatures that deliver spam email messages. The emails used various social engineering tricks that impersonated famous e-commerce sites such as Amazon, eBay and others in the hope of infecting the victims with the dangerous virus. The new wave of spam deliver the messages with malicious attachments which carry the Cerber ransomware payload. They are placed in password-protected archives which have the passwords in the body of the message.

Other ways of spreading Cerber delivered by the new spam campaign is the use of software vulnerabilities. Various exploit kits have targeted older versions of Adobe Flash. This is why users should always use the latest versions of all installed software. There have been some newer additions to the ransomware strain.

The carried Cerber payloads feature removed version information which makes it harder for security solutions to remove infections without updated definition sets. The new versions of the virus feature two additional sets of IP ranges which are used in contacting the remote malicious C&C servers. In addition a TOR proxy site has replaced the usual payment gateways. The security experts also note that the virus now prioritizes Office folders that contain sensitive and critical files. This likely means that the criminal operators target enterprise environments.

Second Wave of Cerber Ransomware Email Campaign

This Cerber ransomware wave used a variety of different email servers that feature malicious links that impersonate legitimate sources. Some of the example subjects include the following:

  • Domain Abuse Notice: xxx.xxxx
  • Alert – Your Credit Card has been changed

Its important to note that the criminal operators have used legitimate looking domains, headers and body messages. Here is an example of the Domain Abuse Notice message:

Dear Domain Owner,

Our system has detected that your domain: XXX.XXX is being used for spamming and spreading malware recently. You can download the detailed abuse report of your domain along with date/time of incidents. Click here.

We have also provided detailed instructions on how to delist your domain from our blacklisting.

Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.

There is also the possibility of legal action depend on severity and persistence of your abuse case.

Three Simple Steps:

1. Download your abuse report.
2. Check your domain abuse incidents along with date and time.
3. Take few simple step for prevention and to avoid domain suspension.

Click Here to Download your Report

Please look into it and contact us.

Best Regards,
Domain Abuse Dept.
ICANN Inc.
Tel.: (139) 756-26-91

This is an example of a counterfeit ICANN email. The contained links feature infected Microsoft Office documents that contain the Cerber ransomware payload.

The other type of email message that is carried by this malware campaign is a fake credit card notice.

Here is an example:

Dear Customer,

We have just processed your payment against Invoice no.KW1521 ( Download Receipt).
The payment details are:

Order Value: $1500
Sales Tax: $189
———————
Total Amount Received: $1689

For Payment details and Order information, please download Invoice copy and payment receipt from here: CLICK HERE

Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the main Billing Dept.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,
CC Billing Dept.
Tel.: (139) 723-31-04

RIG-V and Pseudo-Darkleech Exploit Kit Cerber Ransomware Holiday Campaigns

The other type of attack campaigns that carry the Cerber ransomware threat is a Pseudo-Darkleech script hosted on hacked sites that use the RIG-V exploit kit to deliver the virus. Adobe Flash Player exploits are also associated with this wave as well.

Two distinct versions of the exploit kit have been detected by the malware researchers:

  1. RIG-V attacks – This exploit kit uses new URL patterns and RC4 encryption for the payload. It is used in the Afraidgate, EITest, and pseudoDarkleech campaigns.
  2. RIG-E attacks – This is an older variant that uses old URL patterns and RC4 encryption for the payload. It is alo known as the Empire Pack and is used in the ElTest campaign .

We remind you that we have created in-depth removal guides for all strains of the Cerber family.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.