Cerber ransomware on sale in Russian darknet with new scripting features

An email campaign facilitating the distribution of the Cerber crypto-ransomware has been tracked by security researchers at Forcepoint. Use of Windows Script files (WSFs) differentiates this campaign from earlier instances.

WSFs are executable with the Windows wscript.exe utility and can contain scripts from any Windows Script compatible scripting engine in a single file. After successful execution of the file, the Cerber crypto-ransomware will be downloaded on the victim's system.

Cerber ransomware is identified as a new Ransom-as-a-service (RaaS) offered on a Russian underground forum, according to a blog post by SenseCy. Previously, it has been distributed via exploit kits or email using a macro-enabled Word document files, but this is the first time WSFs have been used for this purpose, Nicholas Griffin, Forcepoint security researcher, said in a blog post.

The attackers lure victims into downloading the malware through two different methods. A double-zipped file with a WSF inside attached to the malicious email as well as an unsubscribe link at the bottom of the email which is linked to the same ZIP file.

In addition, heuristics-reliant security solutions might be bypassed due to the uncommon use of a double-zipped file with a WSF inside, invoice -related subject line, genuine-looking content, and an unsubscribe link.

Cerber has the encryption capability without communicating with associated command and control C&C servers, but, Griffin wrote that Forcepoint has found weaknesses in the encryption implementation which could be used to partially decrypt the files.

“Although the number of observed victims is low, the majority currently appear to be within the UK.  However, this is likely to change over time,” Griffin said.