The server used in a Cerber ransomware campaign discovered in June has been shut down, through a coordinated effort involving the security research firm FireEye, the Computer Emergency Response Teams in the Netherlands (CERT-Netherlands), and web hosting companies.
The malicious spam email campaign, discovered by FireEye, used Microsoft Word attachments containing macros that launched Cerber installers from a command and control server. The Cerber command and control server was shut down “within hours of detecting the activity”, according to a blog post by FireEye malware researchers Ankit Anubhav and Raghav Ellur. “With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware,” the researchers wrote.
When a victim opens the Word document, the macro writes a VBScript into memory and executes it.
The campaign appears to be related to a similar Cerber ransomware campaign discovered by researchers last week. The variant used malicious Office documents containing macros to infect Office 365 users. The payload behavior discovered in that campaign “is consistent with the variants of Cerber we have observed,” wrote Anubhav, in an email to SCMagazine.com.
Anubhav noted that ransomware servers “are now shifting mostly to hacked legitimate sites and well-known cloud services” in order to bypass URL blacklisting techniques and attribution attempts.
The latest strains of Cerber ransomware are a reminder of the vulnerabilities of cloud storage systems, industry pros told SCMagazine.com. Ransomware that spread through SaaS applications including Google Apps and Office 365 “was spawned by the syncing of files on a desktop, laptop or mobile device to the cloud-based file and storage system,” said Jeff Erramouspe, GM of EMC's Spanning unit. “From there, the malware can be transmitted to other employee, customer and partner data as well since many of these systems are collaborative in nature.”
“Ransomware have migrated to ‘ransomware-as-a-service’ offerings,” Ayehu CEO Gabby Nizri wrote in an email to SCMagazine.com. “Ransomware is no longer a hackers' war game – it's a business model.”
One analyst referred to recent ransomware trends as a return to ‘oldie but goodie methods.’ Ramece Cave, Solutionary research analyst II, wrote in an email to SCMagazine.com, “Macros have been a long used attack vector and the expansion into cloud based transportation should not be a surprising adaptation.” Macro exploits leverage existing WMI and PowerShell infrastructures to “grant the savvy power user or malicious actors access and possibilities only limited by their imagination,” he added.
“I expect this is just the beginning of more strains targeting SaaS apps directly,” Erramouspe said.