Ransomware writers adopt cloud services

Cyber-criminals have noticed the lucrative opportunities for wrong-doing that cloud services offer and have evolved new techniques to their benefit.

Ransom note

As with all dual-use phenomena, cyber-criminals have noticed the opportunities for wrong-doing inherent in cloud services and have evolved new techniques to their benefit.

Recently, security researchers have spotted two kinds of ransomware, Cerber and cuteRansomware, using cloud services as a medium to deliver spam emails or host decryption keys and command-and-control functionality.

A new variant of Cerber targets Office 365 users via malicious macros laced into Office documents. This ransomware is able to encrypt 442 file types with a combination of AES-265 and RSA. It was discovered and named RANSOM_CERBER.CAD by Trend Micro.

This family of ransomware has been constantly updating its tactics to infect victims' systems. Like previous variants of Cerber, it drops several downloaders that fetch malicious content from the Internet once the macro is activated.

cuteRansomware has gone a step further and uses the well-known Google Docs service to deliver ransomware and avoid detection. It is an enhanced Chinese version of my-Little-Ransomware, previously published on GitHub, modified to send the data it collects to a Google Doc.

Cerber's latest variant drops a VBS file that reads the ransom note aloud in a computer-generated voice, a feature not widely seen among ransomware families. Its capabilities are not restricted to encrypting 442 file types, however. Cerber also tampers with the counter-measures users would normally rely on after a ransomware infection: it deletes shadow copies, disables Windows repair and modifies the machine's Internet Explorer Zone Settings.
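Defenders can look for this recovery tampering in process-creation telemetry. The following Python is an added example, not code from the article or from Trend Micro; it assumes Sysmon-style process-creation events flattened into constructed "Key: value|Key: value" lines, flags the shadow copy deletion and Windows repair disabling described above, and notes when the parent process is a script host, as would be the case for a dropped VBS file.

```python
"""Flag process-creation events that match the recovery tampering described
for Cerber: shadow copy deletion and disabled Windows repair.
Added example; the event format and sample lines below are constructed."""
import re

# Each rule: (label, regex applied to the lower-cased command line)
RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow-copy-deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("windows-repair-disabled", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no")),
    ("windows-repair-disabled", re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures")),
]

# Script hosts that a macro-dropped VBS file would run under
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events (assumption: Sysmon fields joined with "|")
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\vssadmin.exe|ParentImage: C:\\Windows\\System32\\wscript.exe|CommandLine: vssadmin.exe Delete Shadows /All /Quiet",
    "Image: C:\\Windows\\System32\\bcdedit.exe|ParentImage: C:\\Windows\\System32\\wscript.exe|CommandLine: bcdedit.exe /set {default} recoveryenabled No",
    "Image: C:\\Windows\\System32\\notepad.exe|ParentImage: C:\\Windows\\explorer.exe|CommandLine: notepad.exe notes.txt",
]


def parse_event(line):
    """Split one flattened event into a dict of field name -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def detect(lines):
    """Return one finding per rule hit; each records the parent and whether
    that parent is a script host, which raises suspicion for a macro chain."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "").lower()
        parent = ev.get("ParentImage", "")
        parent_name = parent.replace("/", "\\").split("\\")[-1].lower()
        for label, pattern in RULES:
            if pattern.search(cmd):
                findings.append({
                    "rule": label,
                    "parent": parent,
                    "script_parent": parent_name in SCRIPT_HOSTS,
                    "command": cmd,
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], "parent:", f["parent"], "script host:", f["script_parent"])
```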

cuteRansomware goes after a fairly small set of file extensions, including .bmp, .png, .jpg, .zip, .txt, .pdf, .pptx, .docx, .py, .cpp, .pcap, .enc, .pem and .csr. The extension of an encrypted file is replaced with the Chinese equivalent of “.encrypted”.

“What makes cuteRansomware interesting is the usage of a well-known cloud service provider acting as the command and control server. This instance is using Google Docs to maintain the encryption and decryption keys for each victim. While unique, hosting the keys on Google Docs is a short-term solution,” Travis Smith, senior security research engineer at Tripwire, wrote in an email to SCMagazineUK.com.

“The use of cloud services like Google Docs may be a signal about attacker intentions to use cloud services in the future. Also, we may even conclude that ransomware authors will abuse cloud services, not only for storing keys but also for their command-and-control (C&C) communications,” Umesh Wanve, staff engineer at Netskope, wrote in a blog post.

“As with any piece of ransomware, it's important to follow best practices such as keeping backups of important files, even if they are stored on the cloud. Just because files are stored in the cloud doesn't mean that they are safe from the greedy grasp of ransomware,” Travis added.