Malware coders get creative, bundle DDoS bots and ransomware

May 21, 2016 09:30 GMT  ·  By

Ransomware developers seem to have found another way to monetize their operations by adding a DDoS component to their malicious payloads.

Security researchers from Invincea reported this past Wednesday on a malware sample that appeared to be a modified version of an older threat, the Cerber ransomware.

The malware analysis team that inspected the file found that, besides the file encryption and screen locking capabilities seen in most ransomware families, this threat carries an additional payload which, when run under observation, appeared to be sending network packets toward an entire network subnet.

This behavior is typical of DDoS bots, and this was the first time it had been seen bundled with ransomware.

Bastard Cerber ransomware spread via weaponized RTF documents

The sample Invincea analyzed isn't very stealthy, being detected by 37 of the 57 antivirus engines on VirusTotal, and it spreads via weaponized RTF files.

The documents rely on the user enabling macros in Office; the macro then runs a malicious VBScript that downloads and executes the malware.

The ransomware runs first: it encrypts the user's data and then blocks access to the computer by locking the screen. After this sequence, a second binary called 3311.tmp is launched and starts sending a large volume of network traffic out of the infected computer.

Surely to become a trend

"The observed malware seems to serve multiple purposes.  First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note.  Second, the binary could also be used to carry out a DDoS attack," Invincea's Ikenna Dike explained.

"The observed network traffic looks to be flooding the subnet with UDP packets over port 6892.  By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive."
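The traffic pattern Invincea describes (one host sending UDP to a single port across many addresses of one subnet in a short time) is something a defender can look for in flow data regardless of what the packets carry. The following is an added example, not code from the article or from Invincea: it assumes flow records are available as (timestamp, source, destination, protocol, destination port) tuples, as exported from NetFlow or a Zeek conn log, and the sample records it runs on are constructed here for illustration. It flags a source by fan-out (distinct destinations first contacted within a window inside the same /24), so a host that sends a steady stream on the same port to one collector, the telemetry pattern raised in the update below, is deliberately not flagged.

```python
"""Flag hosts that spray UDP at one port across many addresses in a /24.

Added example. Input format (timestamp, src, dst, proto, dport) is an
assumption; the sample flows below are constructed, not captured traffic.
"""
from collections import defaultdict
import ipaddress


def detect_udp_subnet_spray(flows, dport=6892, window=10.0, min_targets=32):
    """Return {src: {"subnet": "<cidr>", "targets_in_window": n}} for every
    source that first contacted at least `min_targets` distinct addresses of
    one /24 on udp/`dport` within any `window`-second span."""
    # (src, subnet) -> {dst: timestamp of first packet to that dst}
    first_seen = defaultdict(dict)
    for ts, src, dst, proto, port in flows:
        if proto != "udp" or port != dport:
            continue
        subnet = str(ipaddress.ip_network(f"{dst}/24", strict=False))
        key = (src, subnet)
        if dst not in first_seen[key]:
            first_seen[key][dst] = ts

    alerts = {}
    for (src, subnet), seen in first_seen.items():
        times = sorted(seen.values())
        # Sliding window over first-contact times: the largest number of
        # distinct destinations reached within `window` seconds.
        best, left = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= min_targets:
            alerts[src] = {"subnet": subnet, "targets_in_window": best}
    return alerts


def build_sample_flows():
    """Constructed flow records covering three behaviours."""
    flows = []
    # 1. Suspect host: one UDP packet to every address of its own /24 on
    #    port 6892, 20 packets per second (the pattern described above).
    for i in range(1, 201):
        flows.append((100.0 + i / 20.0, "10.0.5.23", f"10.0.5.{i}", "udp", 6892))
    # 2. Benign host: repeated DNS queries to one resolver (wrong port).
    for i in range(50):
        flows.append((100.0 + i, "10.0.5.40", "10.0.5.53", "udp", 53))
    # 3. Telemetry-like host: a busy stream on udp/6892, but to one collector,
    #    so fan-out is 1 and it must not be flagged.
    for i in range(300):
        flows.append((100.0 + i / 10.0, "10.0.5.41", "203.0.113.10", "udp", 6892))
    return flows


if __name__ == "__main__":
    for src, info in detect_udp_subnet_spray(build_sample_flows()).items():
        print(f"{src} sprayed {info['targets_in_window']} hosts in {info['subnet']}")
```

Run it where the true source address is visible, that is, on the infected host's own segment or egress. If the bot spoofs its source as Invincea suggests, flow records collected elsewhere will show the spoofed address instead, and the complementary check there is a host emitting packets whose source address is not one assigned to its segment.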

Adding DDoS capabilities to ransomware makes business sense for the malware operator. Renting out DDoS botnets on the Dark Web is a lucrative business, even if prices have gone down in recent years.

Even when a lot of people get infected with ransomware, not all of them pay to unlock their files. By adding a DDoS bot to the ransomware payload, the crook can still extract value from non-paying victims by using their bandwidth in a DDoS-for-hire side operation.

Additionally, unless the victim wipes and rebuilds the system, there's a large chance the DDoS bot will remain on the infected computer even after the ransom is paid and the files are decrypted.

While this may have been the first case where crooks bundled ransomware with DDoS bots, expect it to become the norm in the upcoming months.

UPDATE: There are some discussions in the malware analysis community that Invincea might have misinterpreted the ransomware's UDP traffic. Several researchers are saying that the UDP traffic blasting from infected victims is nothing more than a data stream carrying statistics, and has nothing to do with DDoS attacks.