The Ransomware before Christmas, 2016 edition

This is a guest article written by Milena Dimitrova. The author’s views are entirely her own and may not reflect the views of IT Governance.

The weather outside is frightful and people are spending more time at home, where it’s warm and a cup of tea is right next to the laptop. It’s an endearing modern winter tale but it could easily turn into a nightmare – thanks to ransomware.

Security researchers have been observing a troublesome tendency that involves several ransomware families becoming extremely vicious right before Christmas. Winter 2016’s most recurrent and vile infections are apparently led by Locky and Cerber campaigns. Both ransomware families have very sophisticated encryption and are now caught up in a competition.

Coincidence or not, Cerber 5.0.1 recently appeared at the same time as Locky’s latest update.

Locky’s 2016 iterations

Let’s have a quick look at Locky’s timeline of infections.

Locky ransomware has been plaguing users’ files since February 2016. Since then, several iterations have been released. Researchers suspect that the vicious crypto virus was created by the gang behind Dridex, which is a sophisticated form of ransomware that hasn’t yet been decrypted. The same is true of Locky’s later releases.

Locky Ransomware 2.0 appeared in the spring of 2016 and was distributed via the Nuclear exploit kit. Several months had to pass before the next version of Locky started making rounds in the wild using the .odin extension.

The more temperatures drop, the more active Locky becomes, which is evident from the ransomware’s latest activities. October saw two of the most devastating editions of Locky, released hours apart. Thousands of users had their files held hostage by Locky’s .thor and .shit iterations. November has also witnessed two new updates of the crypto family: .aesir, followed by .zzzzz.

Despite the different names of the appended extensions, they all share many similarities, like the path of distribution. They are primarily distributed in spam campaigns or around social websites like Facebook.

Cerber’s 2016 iterations

Cerber first appeared in March 2016, quite close to the first release of Locky in February. This variant added the .CERBER extension to compromised files. Victims of the first Cerber were lucky – a third-party released a decrypter.

In August 2016, Cerber2 was released (the .cerber2 iteration). According to its victims, the Cerber2 ransomware didn’t encrypt temporary files (.tmp), which made it possible to recover some recent .doc and .xls files by simply opening their .tmp counterparts.

Shortly after that, Cerber3 was released (the .cerber3 iteration). Researchers discovered that this version used malware obfuscators to hide the ransomware’s files from real-time protection and firewalls. Then, in October, the Cerber version that drops a README.hta file appeared, followed quickly by several updates.

November has definitely seen an uptick in Cerber campaigns.

The current version appears to be distributed via the RIG-V exploit kit, which was also used in the fifth iteration. However, there are some modifications in the exploit kit itself, like altered web links and highly obfuscated infection code that allows an infection to go unnoticed by security software. Considering the high success rates of malicious campaigns relying on exploit kits for distribution, future Cerber versions will most likely continue to use them.
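A defender triaging a machine after one of these campaigns usually starts from the appended extensions listed above. The following script is an added example and not part of the original article: it sweeps a file listing for the Locky and Cerber extensions named here, tallies hits per family and variant, and, for directories hit by Cerber2, lists the surviving .tmp files that the article describes as a recovery avenue. The sample listing is constructed for the demonstration.

```python
import os
from collections import Counter

# Extensions the article attributes to each family and iteration.
# (Lookups are lower-cased, so ".CERBER" and ".cerber" match the same entry.)
KNOWN_EXTENSIONS = {
    ".odin": ("Locky", "odin"),
    ".thor": ("Locky", "thor"),
    ".shit": ("Locky", "shit"),
    ".aesir": ("Locky", "aesir"),
    ".zzzzz": ("Locky", "zzzzz"),
    ".cerber": ("Cerber", "1"),
    ".cerber2": ("Cerber", "2"),
    ".cerber3": ("Cerber", "3"),
}

def classify(path):
    """Return (family, variant) if the path carries a known extension, else None."""
    ext = os.path.splitext(path)[1].lower()
    return KNOWN_EXTENSIONS.get(ext)

def scan_tree(root):
    """Collect every file path under root (used on a live machine instead of SAMPLE_LISTING)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]

def triage(listing):
    """Tally encrypted files per variant and list .tmp files next to Cerber2 victims.

    Cerber2 left .tmp files untouched, so any .tmp in an affected directory is a
    candidate for recovering a recent .doc/.xls by opening it in Office.
    """
    listing = list(listing)
    hits = Counter()
    cerber2_dirs = set()
    for path in listing:
        tag = classify(path)
        if tag is None:
            continue
        hits[tag] += 1
        if tag == ("Cerber", "2"):
            cerber2_dirs.add(os.path.dirname(path))
    tmp_candidates = sorted(
        p for p in listing
        if p.lower().endswith(".tmp") and os.path.dirname(p) in cerber2_dirs
    )
    return {"hits": dict(hits), "tmp_candidates": tmp_candidates}

# Constructed sample listing: random-looking stems mimic the renamed files.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Documents/8F3A1C2B.cerber2",
    "C:/Users/alice/Documents/~WRL0001.tmp",
    "C:/Users/alice/Documents/notes.CERBER",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Desktop/D2A4B1C9.thor",
    "C:/Users/alice/Desktop/D2A4B1C9.zzzzz",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```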

Back up your files to avoid Christmas ransomware

As time passes and we get closer to the winter holidays, Locky and Cerber operators are definitely preparing new spam campaigns carrying their malicious payloads. Users should avoid interacting with unknown links and email attachments. One thing that could be done is to check an unknown file with a security program before actually opening it. Maintaining anti-malware and anti-ransomware protection is also a must. But the single most important thing to do is conduct regular data backups. As it happens, prevention is the best measure against all kinds of viruses, be it the flu or ransomware.