Best Security Search
Ransomware

Cerber Ransomware Viruses Spread Through TOR

A new malicious campaign has been discovered, it spreads the newer versions of the Cerber ransomware virus through the TOR anonymous network.

New Cerber Infections Now Possible Through TOR

Cisco Talos security experts have uncovered a new distribution technique that serves the Cerber ransomware 5.0.1 virus to various targets.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

The new campaigns did not use the traditional professionally designed emails with legitimate signature blocks and other important identification information and social engineering tricks that lure the victims into downloading infected binaries. Instead they contained links that use the Tor2Web proxy service which allows Internet users to use resources located on the anonymous network. This allows Tor connections without the use of a dedicated client application that has to be installed and activated to access the contents. The URL’s contained in the body of the email messages use Google redirection which leads to the malicious payloads. They are hosted on the Tor network and access is made via the Tor2Web service.

The new tactics shows that the criminal operators are trying out new novel tactics to infect even more victims with the dangerous software. The level of sophistication with the newer ransomware attacks is very high and this only demonstrates the risk associated with spam email email messages.

Like the Tor network Tor2Web operates using volunteer servers and an open community of both organizations and individuals. We remind you that the Cerber ransomware virus malware family and especially the 5.0.1 strain are very damaging to the compromised machines. Upon infection it encrypts target user data using the AES cipher and extorts the owners for a ransomware payment to restore their files.

We would like to remind you that the Cerber 5.0.1 virus also deletes the Windows Volume Shadow Copies of the compromised hosts. Upon infection the server contacts about 1090 other hosts and two control domains. This gives an indication that the criminal operators have managed to create an extensive network of infected computers and control servers. The remote servers host other malicious payloads as well which makes the Cerber 5.0.1 very dangerous to potential victims as they may be hit with multiple threats in the same time.

The Cerber 5.0.1 ransomware crafts multiple files which are executed and then deleted to remove any traces of it. Other dangerous behaviour includes the manipulation of browsers (proxy settings modifications) and various privilege elevations.

To learn more about it read our in-depth removal guide.

We anticipate newer versions of the Cerber ransomware which may provide even more damaging and dangerous infection methods.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.