Ransomware developers added DDoS capabilities to their malicious payloads, researchers said.
This all comes about after researchers from Invincea found a malware sample that appeared to be a modified version of an older threat, the Cerber ransomware.
Other than the file encryption and screen locking capabilities seen in most ransomware families, this threat also comes with an additional payload, which, when put under observation, seemed to launch network packets toward a network subnet.
This type of behavior is specific to DDoS bots, and this was the first time something like this bundled with ransomware, researchers said.
The sample Invincea analyzed ended up detected by 37 out of the 57 antivirus engines on VirusTotal, and spreads via weaponized RTF files.
The documents rely on user activating the Macro feature in Office, which then executes a malicious VBScript that downloads and runs the malware.
The ransomware executes first, which encrypts the user’s data and then blocks their access to the computer by locking the screen. After this sequence, a second binary called 3311.tmp also executes and starts sending a large amount of network traffic out of the infected computer.
“The observed malware seems to serve multiple purposes. First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note. Second, the binary could also be used to carry out a DDoS attack,” Invincea’s Ikenna Dike said in a blog post.
“The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive.”
By adding DDoS bots to the ransomware payload, the crook can squeeze some network traffic out of non-paying victims and use it as part of their side-operation.
Additionally, if the user doesn’t wipe their system clean, even if they pay the ransom, there’s a large chance the DDoS bot will remain on the infected computer.