Malwarebytes Labs conducted an analysis of the Cerber ransomware and found several configurable settings, according to a blog post by Malwarebytes programmer Hasherezade. The ransomware refuses to run if it determines that the system is located in one of a set of “blacklisted” countries, or if the system's language settings, file names or directories match entries on its blacklist.
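To show how a configuration-driven “do not run here” gate of the kind described above behaves, here is an added illustration in Python. It is not Cerber's code and not code from the Malwarebytes analysis: the JSON key names (`countries`, `languages`, `files`, `folders`), the sample blacklist values, the host snapshots and the function names (`load_blacklist`, `should_abort`, `normalize_language`) are all assumptions made for this example.

```python
"""Model of the configurable "do not run here" gate described above.
Added illustration only: this is not Cerber's code or Malwarebytes'
analysis code. The JSON key names, the sample blacklist values and the
function names are assumptions made for this example."""

import json

# Constructed sample configuration shaped like the blacklist the article
# describes. Key names and values are assumed, not taken from the real sample.
SAMPLE_CONFIG = json.dumps({
    "blacklist": {
        "countries": ["RU", "UA", "BY", "KZ"],
        "languages": ["ru", "uk", "be", "kk"],
        "files": ["sandbox_marker.txt"],
        "folders": ["C:\\analysis"],
    }
})


def normalize_language(tag):
    """Reduce 'ru-RU', 'ru_RU' or 'RU' to 'ru' so regional variants match."""
    return tag.replace("_", "-").split("-")[0].lower()


def load_blacklist(config_json):
    """Parse the config and normalise every entry once, up front."""
    cfg = json.loads(config_json).get("blacklist", {})
    return {
        "countries": {c.upper() for c in cfg.get("countries", [])},
        "languages": {normalize_language(l) for l in cfg.get("languages", [])},
        "files": {f.lower() for f in cfg.get("files", [])},
        "folders": {d.lower().rstrip("\\/") for d in cfg.get("folders", [])},
    }


def should_abort(blacklist, env):
    """Return (True, reason) if any blacklisted condition matches the host
    snapshot ``env``; otherwise (False, None). ``env`` is a plain dict with
    the attributes such a gate inspects: a two-letter ``country`` code,
    the ``languages`` installed on the host, and the ``files`` and
    ``folders`` found in the locations it checks. Any single hit aborts."""
    if env.get("country", "").upper() in blacklist["countries"]:
        return True, "country:" + env["country"].upper()
    for tag in env.get("languages", []):
        if normalize_language(tag) in blacklist["languages"]:
            return True, "language:" + tag
    for name in env.get("files", []):
        if name.lower() in blacklist["files"]:
            return True, "file:" + name
    for path in env.get("folders", []):
        if path.lower().rstrip("\\/") in blacklist["folders"]:
            return True, "folder:" + path
    return False, None


BLACKLIST = load_blacklist(SAMPLE_CONFIG)

# Constructed host snapshots: an ordinary Western workstation, the same
# machine with a Russian language added alongside English, and an analysis
# box that happens to carry a blacklisted marker file.
HOST_PLAIN = {"country": "US", "languages": ["en-US"], "files": [], "folders": []}
HOST_WITH_RU = {"country": "US", "languages": ["en-US", "ru-RU"], "files": [], "folders": []}
HOST_ANALYSIS = {"country": "DE", "languages": ["de-DE"], "files": ["Sandbox_Marker.TXT"], "folders": []}

if __name__ == "__main__":
    for label, host in (("plain", HOST_PLAIN), ("with_ru", HOST_WITH_RU), ("analysis", HOST_ANALYSIS)):
        print(label, should_abort(BLACKLIST, host))
```

The point a practitioner should take from the model is that every check is passive: the gate keys on what is installed or present on the host, not on anything the user does, and a single hit on any list is enough to stop execution. The same property cuts both ways for analysts: a detonation sandbox that reports a blacklisted locale or carries a blacklisted file name never sees the payload run, so those settings need to be varied when such a sample is being studied.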
In speaking with SCMagazine.com, Malwarebytes Labs senior security researcher Jerome Segura said the blacklisted geographies – most of which are Eastern European countries – provide “an indication of where the malware originated.” However, he said Malwarebytes Labs has not seen an indication that the ransomware is connected to the famed APT28 group, which is widely believed to be tied to the Russian government.
The recent incidents reflect the proliferation of ransomware targeting institutions in the U.S. and other Western nations that recent reports have warned about. Last week, the Institute for Critical Infrastructure Technology (ICIT) released a study predicting that previously exploited vulnerabilities will soon be used to extort ransom. In a separate report, Dell noted that the number of unique malware attacks increased 73 percent from 2014 to 2015.
Segura noted that while the typical ransom demanded was, until recently, about 1 Bitcoin (as of Monday, approximately $414), he has seen ransomware attackers conduct more reconnaissance on victims to determine whether they can demand a higher ransom. Ransomware will soon seek to identify the user, which “can be done programmatically with code,” he said.
An earlier version of this article incorrectly stated that the Cerber ransomware targets Apple OS X.