
Cerber Ransomware Delivered Through Massive Flood of Spam Email During May 2016

Posted: June 24, 2016

We can't help but mention the growing problems surrounding new ransomware, as such threats continue to evolve into far more aggressive forms. Older ransomware families have also made their way back into the wild with new functions and spreading methods. Cerber ransomware is one example: it was found being spread in a massive flood of spam emails at the end of May 2016.

Cerber is among a recent rash of ransomware that has been updated with new features and has become more aggressive in its ability to spread onto vulnerable computers. A Russian team of developers is believed to be responsible for the creation and spread of Cerber. Researchers from the security firm Check Point recently took notice of Cerber's spreading path: it was part of a massive spam campaign that occurred at the end of May 2016, and once before during the first half of April 2016.

While the flood of spam carrying Cerber was under way, another threat was spread in a similar bulk campaign. Locky ransomware, a threat known for extorting money from hospitals and businesses, was also spread en masse. Much like Cerber, Locky was delivered inside a ZIP archive containing a malicious JavaScript (JS) file. Moreover, the files sent in the massive spam campaign were mostly disguised as Microsoft Office documents, a file type commonly used in spam attachments to hide their malicious intent.

Not only was the flood of spam carrying Cerber similar to the one that spread Locky, but the two campaigns also overlapped in time. This discovery has led researchers to suspect that the same Russian group of attackers is responsible for both floods of malicious spam. There is, however, no definitive proof that the same perpetrators initiated both campaigns; the overlap is equally consistent with two separate groups ramping up their efforts at precisely the same time.

Computer users in the United States, the United Kingdom, and Turkey were noticeably the most affected by Cerber. The wave of spam that reached many users' inboxes consisted of ZIP attachments with malicious JS files inside the archive. Upon opening the ZIP file and running the JS file, users would unknowingly install Cerber, much as other widespread ransomware is installed. As expected, the latest variant of Cerber actively encrypts files once it runs, but it now asks for a different amount in Bitcoin for a decryptor. In its most recent variant, Cerber initially asks for 0.750 Bitcoin (about $518) and, after five days, raises the demand to 1.500 Bitcoin, about $1,036 USD.
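As an added example (not code from the original article, nor from Check Point, ESET or Proofpoint), the following Python script performs the kind of attachment check a mail gateway would apply to the delivery pattern described in the two paragraphs above: a ZIP attachment carrying a Windows script file, often with a decoy document extension placed in front of the script extension so that it passes for an Office document. The sample archives, entry names and extension lists are constructed for illustration and are not real campaign samples; the script also descends into nested ZIPs, which goes beyond what the article describes.

```python
"""
Added example (not from the original article): a mail-gateway style check that
flags ZIP attachments carrying Windows script files, the delivery pattern the
article describes for the Cerber and Locky spam waves. All sample ZIPs below are
constructed in memory; the entry names are illustrative, not real campaign samples.
"""
import io
import zipfile

# Script and HTML-application extensions that Windows executes directly on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions used as decoys in double-extension names such as "invoice.doc.js".
DECOY_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf"}
# How many levels of ZIP-inside-ZIP to open before giving up (bounds nesting attacks).
MAX_DEPTH = 2


def classify_entry(name: str) -> dict:
    """Describe one archive entry: whether its real extension is a script and
    whether a decoy document extension sits directly in front of it."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    decoy = "." + parts[-2] if len(parts) > 2 else ""
    return {
        "name": name,
        "is_script": ext in SCRIPT_EXTENSIONS,
        "double_extension": ext in SCRIPT_EXTENSIONS and decoy in DECOY_EXTENSIONS,
    }


def inspect_zip(data: bytes, depth: int = 0) -> dict:
    """Inspect the raw bytes of a ZIP attachment.

    Returns {"verdict": "clean" | "block" | "not_zip", "hits": [...]} where each
    hit is a classify_entry() record; nested-archive hits are prefixed with the
    path of the enclosing ZIP so an analyst can locate them.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "not_zip", "hits": []}

    hits = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        entry = classify_entry(info.filename)
        if entry["is_script"]:
            hits.append(entry)
        elif info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
            inner = inspect_zip(zf.read(info), depth + 1)
            hits.extend({**h, "name": f"{info.filename}!{h['name']}"} for h in inner["hits"])

    # Any directly executable script inside an emailed archive is enough to block;
    # the double_extension flag tells the analyst it was also disguised as a document.
    return {"verdict": "block" if hits else "clean", "hits": hits}


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry name: text content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a decoy-named script like the spam attachments described,
# and a benign archive that should pass.
LURE_ZIP = build_zip({"invoice_2016-05.doc.js": "var x = 'downloader stub';"})
BENIGN_ZIP = build_zip({"report.docx": "not really a docx", "notes.txt": "hello"})
NESTED_ZIP = build_zip({"inner.zip": LURE_ZIP})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP), ("nested", NESTED_ZIP)):
        print(label, inspect_zip(blob))
```

The check keys on the last extension only, because that is what the Windows shell uses to pick the handler; the decoy extension in front of it is recorded for the analyst but does not change the verdict, since a bare `.js` attachment from an external sender is already reason enough to quarantine.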

Along with our own thoughts, the security research firms ESET and Proofpoint have both agreed that the two spam campaigns spreading Cerber and Locky cannot be definitively connected, even though there is much to suggest otherwise. Until the attackers are brought to justice or openly claim responsibility for the proliferation of this ransomware, we will never know who dished out a massive flood of spam to spread two of the most destructive computer threats around.
