December 23, 2016

A Malware Cocktail Shakes Up Cerber Ransomware Infections

According to Heimdal Security, this ongoing ransomware campaign is built for a high infection rate. It begins by compromising legitimate websites and injecting malicious scripts into their pages. The injected code redirects visitors to a Cerber gateway known as Pseudo-Darkleech, an injection campaign designed to add a strong obfuscation layer and keep detection rates low.

The script injected into these websites is the Nemucod generic malware downloader, which fetches and runs the Cerber ransomware. To infect unsuspecting users, the attackers exploit vulnerabilities in Internet Explorer, Microsoft Edge, Flash Player and Silverlight.

A hallmark of the attack is that the attackers chain several malware families in a single infection: the cocktail of Nemucod, Pseudo-Darkleech and Cerber mentioned above. The goal is twofold: stealth, so that antivirus cannot detect and stop the infection, and persistence, so that the infection survives long enough to encrypt all of the victim's data and present a ransom demand the victim feels compelled to pay.

Pseudo-Darkleech uses hidden iframe injections and randomizes page elements so that the malware can operate covertly. Cerber, first seen in March 2016, is professionally coded ransomware that offers its operators customization options. As the report puts it, "Like Locky, Cerber appears to have access to the Dridex spam network, meaning it can be pushed out quickly in large spam campaigns."
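Because the injected elements are randomized, signature matching on the inject itself is unreliable; what stays constant is the structure of the trick, an iframe that the visitor cannot see. The scanner below is an added example written for this page, not code from Heimdal Security, Infosecurity Group or any Pseudo-Darkleech analysis. It flags iframes that are styled invisible, placed inside a hidden container, positioned off-screen, or sized to a pixel or two. The sample page is constructed for the example and uses documentation IP ranges; the thresholds (1000px off-screen, 2px size) are assumptions, not published indicators.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a real inject): one legitimate embed plus two
# hidden iframes that mimic the generic hidden-iframe injection technique.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div style="display:none"><iframe src="http://198.51.100.7/r3xk2q/index.php"></iframe></div>
<br>
<iframe src="http://203.0.113.9/gate.php" width="1" height="1" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

# Elements that never have a closing tag; they must not disturb the element stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "param", "source", "track", "wbr"}

OFFSCREEN_PX = 1000   # assumed threshold for "positioned off-screen"
TINY_PX = 2           # assumed threshold for "too small to be a real embed"

_PX = re.compile(r"\s*(\d+)(?:px)?\s*$")
_OFFSCREEN = re.compile(r"(?:left|top):-(\d+)px")


def _px(value):
    """Integer pixel value of a width/height attribute, or None if not a plain size."""
    if value is None or "%" in value:
        return None
    m = _PX.match(value)
    return int(m.group(1)) if m else None


def _style_hidden(style):
    """True if an inline style hides the element or pushes it far off-screen."""
    s = (style or "").replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    m = _OFFSCREEN.search(s)
    return bool(m and int(m.group(1)) >= OFFSCREEN_PX)


class HiddenIframeScanner(HTMLParser):
    """Walks the document and records iframes a visitor could not see."""

    def __init__(self):
        super().__init__()
        self._stack = []        # (tag, hidden_by_style) for open elements
        self._hidden_depth = 0  # number of open ancestors hidden by style
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = _style_hidden(a.get("style"))
        if tag == "iframe":
            reasons = []
            if hidden:
                reasons.append("hidden style")
            if self._hidden_depth:
                reasons.append("inside hidden container")
            w, h = _px(a.get("width")), _px(a.get("height"))
            if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
                reasons.append(f"tiny size {w}x{h}")
            if reasons:
                self.findings.append({"src": a.get("src", ""),
                                      "line": self.getpos()[0],
                                      "reasons": reasons})
        if tag not in VOID:
            self._stack.append((tag, hidden))
            if hidden:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        # Pop back to the matching open tag; tolerates unclosed elements in between.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                self._hidden_depth -= sum(1 for _, h in self._stack[i:] if h)
                del self._stack[i:]
                break


def scan_html(html):
    """Return a list of suspicious iframes: {src, line, reasons}."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']}: {f['src']}  ({', '.join(f['reasons'])})")
```

Run against HTML fetched from a site suspected of being compromised; the legitimate YouTube embed passes, while the two injected frames are reported with the reason they were flagged. Heuristics of this kind trade a few false positives (tracking pixels, lazy-loaded players) for independence from whatever names and paths the injection randomizes on each visit.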

To avoid becoming a ransomware victim, keep software up to date (browsers and browser plugins such as Flash Player and Silverlight in particular, or remove plugins you do not need), maintain at least two backups of your data in different locations (for example in the cloud and on an external drive that is disconnected when not in use), and harden browser protection.

Source: InfoSecurity Group