A new Cerber ransomware variant has been upgraded with multipart arrival vectors and a new type of file encryption.
Cerber is one of the leading ransomware threats; researchers found it in 87 percent of ransomware attacks in the first quarter of this year.
In April 2017, Cerber reached its sixth version, said researchers at Trend Micro. The malware generates millions of dollars in revenue for its operators and developers, especially since it is distributed as ransomware-as-a-service.
This new version of Cerber sports multipart arrival vectors and reworked file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.
“Since its emergence in 2016, Cerber’s evolution has shown how its developers constantly diversified the ransomware’s attack chain while broadening its capabilities to stay ahead of the game,” said TrendMicro’s Gilbert Sison, threats analyst.
Adding a time delay in the attack chain enables the ransomware to elude traditional sandboxes, researchers said.
Cerber 6 has a routine for terminating processes so that the files they hold can be encrypted. Another addition is a check on file extensions, so the ransomware knows which files to skip during encryption.
“Cerber 6 goes beyond identifying them and can now be configured to have Windows firewall rules added in order to block the outbound traffic of all the executable binaries of firewalls, antivirus, and antispyware products installed in the system. This can possibly restrict their detection and mitigation capabilities. This is further exacerbated by how Cerber can also circumvent static machine learning detection on top of self-awareness of analysis tools and virtualized environments that allows it to evade them (by self-destructing),” Sison said.
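The firewall tampering described above leaves an artifact a defender can look for: an outbound block rule whose program path points at a security product's binary. The following PowerShell audit is an added example, not code from Trend Micro or from the article, and it assumes a list of vendor directory fragments (extend it for whatever products are deployed) and the built-in NetSecurity cmdlets available on Windows 8 / Server 2012 and later.

```powershell
# Added example: audit Windows Firewall for outbound block rules that target
# security-product executables, the tampering pattern attributed to Cerber 6.
# The path fragments below are an assumption; add the products in your estate.
$SuspectPathFragments = @(
    'Windows Defender',
    'Trend Micro',
    'Kaspersky',
    'Symantec',
    'McAfee',
    'ESET',
    'Sophos',
    'Malwarebytes'
)

function Get-SuspiciousOutboundBlockRules {
    # Only enabled, outbound, blocking rules are of interest.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue

    foreach ($rule in $rules) {
        # The application filter carries the program path the rule is bound to.
        $appFilter = $rule | Get-NetFirewallApplicationFilter
        $program   = $appFilter.Program

        # Rules that apply to any program are not the pattern we are hunting.
        if (-not $program -or $program -eq 'Any') { continue }

        foreach ($fragment in $SuspectPathFragments) {
            if ($program -like "*$fragment*") {
                [PSCustomObject]@{
                    RuleName = $rule.DisplayName
                    Program  = $program
                    Matched  = $fragment
                    Profile  = $rule.Profile
                    Group    = $rule.Group
                }
                break
            }
        }
    }
}

function Get-RecentFirewallRuleAdditions {
    param([int]$Hours = 24)
    # Security event 4946 records a rule being added to the firewall exception
    # list (requires "Audit MPSSVC Rule-Level Policy Change" to be enabled).
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: list matching rules, then show who added firewall rules recently.
Get-SuspiciousOutboundBlockRules | Format-Table -AutoSize
Get-RecentFirewallRuleAdditions -Hours 24 | Format-List
```

A hit from the first function is not proof of infection on its own (administrators occasionally create such rules deliberately), but a block rule against an antivirus or anti-spyware binary that nobody remembers creating, correlated with a 4946 event around the same time, is worth escalating. Run the audit under an account with local administrator rights, since the NetSecurity cmdlets and the Security log both require elevation.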