Cerber offered as Ransomware-as-a-Service is claiming victims

Feb 13, 2017 15:33 GMT

There’s a new outbreak of Cerber ransomware, security experts warn. What makes this one particularly nasty is that it was offered as a form of Ransomware-as-a-Service (RaaS), which means affiliates can join in order to distribute the malware, while the developers of Cerber earn a commission from each ransom paid by victims.

Security firm Cyren notes that the new outbreaks are being distributed using variants of Nemucod, which is one of the most popular malware distribution tools.

The attack is based on email messages carrying zipped JavaScript attachments. The attachments all follow a similar naming pattern: “DOC,” followed by a ten-digit string and ending with “-PDF.” The file, however, is neither a document nor a PDF, but a JavaScript file that will bring you a lot of trouble.
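The naming pattern above is simple enough to turn into a mail-gateway triage check. The following Python is an added example, not code from Cyren or from the article: it flags attachments whose name matches the DOC/ten-digit/-PDF lure and, when the attachment is a ZIP, flags any script file inside it. The set of script extensions beyond `.js` is an assumption, and the sample ZIPs are constructed in-memory placeholders, not real malware.

```python
import io
import os
import re
import zipfile

# Lure pattern described in the article: "DOC", ten digits, "-PDF".
# Both the outer .zip and the script inside were reported to use it.
LURE_NAME = re.compile(r"^DOC\d{10}-PDF", re.IGNORECASE)

# Script extensions a zipped mail attachment should never need.
# The article only names JavaScript; the rest of this set is an assumption.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta"}


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment; empty list means nothing flagged."""
    findings = []
    if LURE_NAME.match(filename):
        findings.append(f"name matches DOC<10 digits>-PDF lure pattern: {filename}")

    # Non-ZIP attachments get only the name check.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = info.filename
            base = member.rsplit("/", 1)[-1]           # strip any directory part
            ext = os.path.splitext(base)[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append(f"zip contains script file: {member}")
            if LURE_NAME.match(base):
                findings.append(f"zip member uses lure pattern: {member}")
    return findings


def is_suspicious(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if triage produced any finding."""
    return bool(triage_attachment(filename, data))


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory from {name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholders, not real attachments).
LURE_ZIP = build_zip({"DOC1234567890-PDF.js": b"var a = 1; // constructed placeholder\n"})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 constructed placeholder\n"})

if __name__ == "__main__":
    for name, blob in [("DOC1234567890-PDF.zip", LURE_ZIP), ("report.zip", BENIGN_ZIP)]:
        print(name, "->", triage_attachment(name, blob) or "clean")
```

The check is intentionally cheap (a regex and a ZIP directory listing), so it fits at the gateway before any sandboxing; a match is a reason to quarantine for analysis, not proof of infection.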

“Following more detailed analysis of the JavaScript attachment, we identified 2 major variants of Nemucod malware, each variant comprising hundreds of samples that all connected to a single distribution site hosting the ransomware. The two major variants are detected by Cyren as JS/Nemucod.GE!Eldorado and JS/Nemucod.ED1!Eldorado,” reads Cyren’s blog post.

Two variants, same goal

The JS/Nemucod.GE!Eldorado variant was first noticed late last year. The malicious code is camouflaged among random garbage code and is not hidden by any encryption. The working part of the script is only a few lines, and they make its purpose plain: download a file and execute it. The file, titled “cer.jpg,” hints at its payload. Once downloaded, the .jpg extension is replaced with .exe, allowing the ransomware to go wild on your computer.

The second variant, JS/Nemucod.ED1!Eldorado, is hidden a little better among the garbage code. While the code is a bit longer, the behavior is the same and it even tries to download the same payload on the same site.
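The “cer.jpg” trick described above, an executable served under an image name and renamed after download, leaves a detectable mismatch between a file's extension and its actual content. The following Python is an added example, not code from Cyren or from the article: it checks whether a file that claims to be an image actually carries a Windows PE header (a DOS “MZ” stub whose e_lfanew field points at a “PE\0\0” signature). The sample bytes are constructed stand-ins, not the real payload, and the image-extension list is an assumption.

```python
import os
import struct

# Extensions that promise an image; the article's payload used ".jpg".
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_jpeg(data: bytes) -> bool:
    """True if data starts with the JPEG start-of-image marker."""
    return data[:3] == b"\xff\xd8\xff"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name promises an image but the bytes are a PE executable."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_EXTS and looks_like_pe(data)


def scan_downloads(files: dict[str, bytes]) -> list[str]:
    """Return the names of downloaded files whose extension lies about their content."""
    return [name for name, blob in files.items() if extension_mismatch(name, blob)]


def make_fake_pe() -> bytes:
    """Constructed, non-runnable stand-in: DOS header with e_lfanew=0x40, then a PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed samples: one "image" that is really a PE, one genuine JPEG header.
FAKE_CER_JPG = make_fake_pe()
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    downloads = {"cer.jpg": FAKE_CER_JPG, "photo.jpg": REAL_JPG}
    print("extension/content mismatches:", scan_downloads(downloads))
```

Running the same check on a web proxy's response bodies, or on files written to a user's temp directory, catches the rename trick regardless of which disguise name the next campaign picks, because it keys on what the bytes are rather than on what the name says.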

Once activated, Cerber encrypts a wide range of document and image files and places the ransomware file in each folder. The worst part is that there is no free decrypter for Cerber, so there is no way out without paying unless you give up on your files. So please stop opening every file you receive over email, especially when it comes from an unfamiliar source.

A few weeks ago, Microsoft was very proud of Windows 10 for being able to stop malware such as Cerber from infecting people's computers.