Russian Ransomware Encrypts Your Files and Then Speaks to You
#1
Cerber ransomware distributed as a RaaS service

The latest addition to the ransomware spectrum is a new threat called Cerber that encrypts users' files and then provides a TTS (text-to-speech) feature that reads out the ransom note.

First signs of Cerber infections appeared last week, and according to security firm SenseCy, the ransomware is the product of a team of Russian coders who are advertising it as a RaaS service via underground hacking forums in Russia.

RaaS stands for Ransomware-as-a-Service and is a new business model for ransomware operators, in which they provide ready-coded ransomware and allow other criminals to distribute it via spam and spear-phishing campaigns. The original coders take a small percentage, but only when the victim pays the ransom.

It is unknown whether the crooks currently spreading the recent wave of Cerber ransomware are using malvertising or spam campaigns.

Cerber intentionally avoids Russian-speaking countries

Security researchers who took a look at the Cerber code said it was specifically built to avoid infecting users living in former Soviet countries.

Another kink in Cerber's operations is the fact that, before encrypting files, the ransomware shows an error prompt through which it fools the user into restarting the computer. The ransomware makes the PC restart in "Safe Mode with Networking" and then forcibly restarts the computer again in normal mode.

After this forced restart, Cerber starts encrypting files with an AES algorithm. The ransomware targets 380 file types, and during the encryption process, it scrambles the files' names and adds the .cerber extension at the end. Currently, the Cerber ransomware is undecryptable.

Cerber's ransom note speaks to you

Once the encryption process has finished, the ransomware drops three notes in text, HTML, and VBS format in each folder where it encrypted data. The VBS ransom note, if opened, will recite the ransom note to the user.

The ransom note asks for 1.24 Bitcoin ($520 / €475), a sum that doubles after the first week. As usual, users need to pay the ransom in Bitcoin over a Dark Web URL (.onion domain).

The ransomware was discovered by two independent security researchers, @BiebsMalwareGuy and @MeegulWorth, and was analyzed by researchers from Bleeping Computer and Malwarebytes.

Source
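As an added illustration of the on-disk traces the article describes (example code, not from the article or the researchers it cites), the Python below walks a directory tree and flags folders that hold renamed .cerber files together with a text/HTML/VBS ransom-note trio. The article does not give the note filenames, so treating any .txt/.html/.vbs trio that shares one filename stem as a candidate is an assumption, and the sample tree is constructed in a temporary directory.

```python
import os
import tempfile
from collections import defaultdict

NOTE_EXTS = {".txt", ".html", ".vbs"}   # the three note formats the article names

def scan_tree(root):
    """Walk `root` and return {relative_folder: {"encrypted": n, "note_stems": [...]}}
    for every folder holding a .cerber file or a complete txt/html/vbs note trio."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(".cerber")]
        stems = defaultdict(set)                 # note stem -> extensions seen (assumed shared stem)
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() in NOTE_EXTS:
                stems[stem.lower()].add(ext.lower())
        trios = sorted(s for s, exts in stems.items() if exts >= NOTE_EXTS)
        if encrypted or trios:
            rel = os.path.relpath(dirpath, root)
            findings[rel] = {"encrypted": len(encrypted), "note_stems": trios}
    return findings

def likely_hit(findings):
    """Folders showing both indicators: renamed .cerber files and a co-located note trio."""
    return sorted(d for d, v in findings.items() if v["encrypted"] and v["note_stems"])

def build_sample_tree():
    """Constructed test data, not a real infection: one hit folder, one clean, one partial."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    layout = {
        "docs":    ["aB3xK9Qz.cerber", "m7Lp2Rtw.cerber",          # scrambled names + .cerber
                    "RANSOM_NOTE.txt", "RANSOM_NOTE.html", "RANSOM_NOTE.vbs"],  # placeholder stem
        "clean":   ["notes.txt", "index.html", "budget.xlsx"],     # two note-like files, no trio
        "partial": ["q1Zv8Hn3.cerber"],                            # encrypted file, no notes
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("placeholder\n")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    findings = scan_tree(root)
    for folder, info in findings.items():
        print(f"{folder}: {info['encrypted']} .cerber file(s), notes: {info['note_stems']}")
    print("likely hit:", likely_hit(findings))
```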
#2
Tarek, is the source of infection known?