Application security, Threat Management, Incident Response, Malware, Network Security, TDR

Variant of Cerber ransomware features bot capabilities that could launch DDoS attacks

Pay for ransomware, and the nightmare might not truly be over. You might be asked to pony up a second time. And regardless of whether or not you pay, your machine may be potentially turned into a mindless bot that generates fake traffic used in distributed denial of service (DDoS) attacks. 

The latter scenario, a ransomware-DDoS hybrid attack, was recently uncovered by researchers at endpoint security solutions company Invincea. According to the company's blog, the ransomware that sparked such concerns is a variant of Cerber, currently distributed via a weaponized Microsoft Office document. According to Invincea, this file-less attack method is popular among certain cybercriminals because it resides only in RAM memory, not on a hard drive, so traditional anti-virus solutions have difficulty detecting these incursions.

Targets of this Cerber campaign are apparently being sent phishing emails containing a Rich Text Document attachment, which upon opening prompts users to enable macros so the content can be viewed in Microsoft Word. However, these particular macros are comprised of malicious VBscript, derived from Visual Basic programming language. Once activated, the macros create an elevated command shell on the host and execute further obfuscated code that triggers the downloading of the main payload.

The Cerber ransomware encrypts the user's file systems and displays a ransom note, but it also engages in some atypical behavior. Specifically, Invincea notes that the malware has the host machine “call out” to a large subnetwork of IP addresses, and then appears to flood it with packets using UDP (the User Datagram Protocol).

“It is unknown, but assumed that there was a server listening for these [data packets]. But using UDP in this fashion caused a wave of ICMP port unreachable messages to come back to the infected host,” stated Patrick Belcher, director of malware analysis at Invincea, in an emailed interview with

However, “If the Cerber author had instead spoofed the source IP of the infected host to be a third party's IP address, all of those ICMP messages would have been sent to the spoofed host — say a website or corporate gateway. Multiply this by the thousands that were infected at once, and it becomes a DDoS function.”

So far there does not appear to be any proof that this ransomware has actually launched a DDoS attack in the wild using the above described technique. Even so, this discovery theoretically means that while a legitimate business might be unable to access various network endpoints due to the ransomware's encryption, these very same endpoints can still be leveraged by the bad actors to attack additional victims via DDoS.

“We foresee this becoming a feature of future ransomware. Such ransomware could stay encrypted and online performing such attacks, and whether or not the flooding of traffic would be turned off if the ransom is paid is speculation,” stated Belcher.

Lane Thames, a software development engineer and security researcher for cybersecurity software company Tripwire, told via email that “computer security has been and will continue to be a game of cat and mouse. Cybercriminals are constantly reacting to security best practices and change their approaches using techniques to avoid counter measures and detection tools. This research, however, does not suggest a cat-versus-mouse approach. Instead, it illustrates a case where cybercriminals are evolving their payloads and techniques in order to maximize profits.”

However, not everyone sees the value proposition in it. “I'm not sure what the value is there, unless it's just to be a nuisance,” said Phil Lambert, director of information security at oil, gas and power solution provider Granite Services International Inc., who recently spoke on the topic of ransomware at SC Congress in Atlanta. “But it's also possible this is the first go-around for this particular variant and they're going to enhance its capabilities later for something else,” perhaps a plan experts are not yet privy to, he added.

“I can foresee several scenarios where a DDoS component could be used as additional leverage,” said Belcher. “For instance, 3,000 endpoints get encrypted and begin to DDoS Company Z. The ransomware screen would [then] urge the victims to tell Company Z to pay a large ransom so all 3,000 endpoints could be decrypted. It would have the effect of making Company Z look like the real bad guy and not the malware author.”

Stu Sjouwerman, CEO of security awareness training firm KnowBe4, stated in a company blog post that “Adding DDoS capabilities to ransomware is one of those 'evil genius' ideas. Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. It looks like this is the first case where a cybermafia has bundled ransomware with a DDoS bot, but you can expect it to become a fast-growing trend.”

Sjouweman recommended several actions to address this new threat, such as deploying secure email gateways with URL filtering, patching all system endpoints, and checking firewall configurations to ensure that no criminal network traffic is allowed to leave the network.

Lambert's session at SC Congress was devoted to the online debate over whether ransomware victims should ever pay to get their files back. This debate resurfaced again when reports surfaced that Kansas Heart Hospital in Wichita last week became one of the latest health care institutions to fall victim to a ransomware attack.

In this case, according to KWCH12, the attackers did not return full access to the hospital's files after the initial ransomware was paid. Instead, they asked for a second payout. This time, the institution refused. “No longer was this a wise maneuver or strategy," said the hospital's president, Dr. Greg Duick, in the KWCH12 news report. The hospital stated that damage was minimized due to advanced planning in anticipation of a potential ransomware incident, and that patient treatment was not adversely affected.

Asking for a second ransom is considered an unusual tactic because attackers know if they garner an untrustworthy reputation, future victims may not elect to pay up at all. “[There is] almost a pseudo reputation that they foster and want to maintain so their revenue stream continues,” said Lambert of the attackers. “I'm surprised this particular group is trying to milk the cow more than once,” he added, suggesting maybe the adversaries got greedy, believing their victim had “deep pockets.”

“From my perspective, you shouldn't pay,” said Lambert.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.