A command and control server used for a recent ransomware campaign has been shut down. The Cerber ransomware C&C was used as part of a campaign involving malicious Word macros, similar to many ransomware campaigns discovered this year.
FireEye discovered the campaign and moved quickly to limit the damage caused. Within hours of the Cerber ransomware C&C being discovered, it was shut down by the Computer Emergency Response Team in the Netherlands (CERT-Netherlands). The takedown of the C&C was part of a coordinated effort between FireEye and the various web hosting companies whose servers were hosting the installers used to infect computers with the ransomware.
The spam email campaign used to distribute malicious Word macros was discovered by FireEye on June 10, 2016. Three different FireEye customers and a total of 6 endpoints were attacked, although it is unclear exactly how many individuals were attacked – and infected – as part of the campaign. The servers used by this particular attacker are no longer active, although it is probable that the attacks will resume using different C2 servers.
This particular Cerber ransomware campaign targeted Office 365 users and used malicious macros that loaded a VBScript into memory. The script executes PowerShell in hidden mode, which connects to a website hosting the ransomware and downloads the malicious files. Cerber ransomware currently encrypts 294 different file types, including images, Office documents, database files, wallet files, and iBank file formats, among others.
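The infection chain described above (an Office macro that loads a script, which starts PowerShell with a hidden window to fetch the payload) leaves a recognisable parent/child process trail on the endpoint. The following is an added example, not code from the article or from FireEye, showing how a detection rule over process-creation telemetry would score such events. The event shape (image, parent image, command line, loosely modelled on a Sysmon process-creation record), the thresholds, and every sample event are constructed for this example.

```python
"""Flag Office applications spawning hidden or downloading script hosts.

Added example for this article; the event format and all sample data are
constructed and are not taken from the campaign described in the text.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Parent processes that should almost never launch a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes commonly used to stage a second-stage download.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that typically accompany the hidden download-and-run step.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
DOWNLOAD_HINT = re.compile(r"downloadfile|downloadstring|invoke-webrequest|https?://", re.IGNORECASE)
ENCODED_CMD = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape, not a real log format)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons). The Office-to-script-host pair alone reaches the alert threshold;
    command-line traits add weight so analysts can prioritise."""
    score, reasons = 0, []
    child, parent = basename(ev.image), basename(ev.parent_image)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        score += 3
        reasons.append(f"{parent} spawned {child}")
    if HIDDEN_WINDOW.search(ev.command_line):
        score += 1
        reasons.append("hidden window requested")
    if DOWNLOAD_HINT.search(ev.command_line):
        score += 1
        reasons.append("download primitive or URL on command line")
    if ENCODED_CMD.search(ev.command_line):
        score += 1
        reasons.append("encoded command")
    return score, reasons


def find_alerts(events: List[ProcEvent], threshold: int = 3) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every event whose score meets the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.pid, reasons))
    return alerts


# Constructed sample telemetry: one macro-style chain, one benign admin script,
# one benign Office helper process, and one legitimate but noteworthy VBS launch.
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              'powershell.exe -WindowStyle Hidden -Command "<constructed: fetch stage from http://example.invalid/stage>"'),
    ProcEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1"),
    ProcEvent(103, r"C:\Windows\splwow64.exe",
              r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              "splwow64.exe 12288"),
    ProcEvent(104, r"C:\Windows\System32\wscript.exe",
              r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
              r"wscript.exe C:\Finance\macros\refresh-report.vbs"),
]

if __name__ == "__main__":
    for pid, reasons in find_alerts(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Event 104 fires on the parent/child pair alone, which is deliberate: an Office application starting a script host is rare enough in most environments that it is worth an analyst's look, while the extra points on event 101 (hidden window plus a URL) separate a likely macro downloader from a finance team's scheduled VBS.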
As with many other ransomware campaigns, legitimate websites were compromised by the attackers and used to host the ransomware. Loading the ransomware onto legitimate sites makes it easier for the attackers to evade URL blacklisting. Cerber also includes a number of features to evade hash-based malware detection.
Macros were a popular way of infecting computers with viruses a decade ago, yet they fell out of favor with attackers until recently. Now the attack method is being used with increasing frequency. The attacks succeed because many companies allow macros to run from internet-sourced Office files. Since macros are often used by businesses, preventing macros from running altogether is not practical or possible.
It is possible to reduce the risk of Cerber ransomware infections by using advanced spam filtering solutions to prevent the malicious emails from being delivered to end users. Training employees not to open files sent via email by unknown senders can also be effective. All employees should be instructed never to allow macros to run unless the file comes from a trusted source.
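One concrete thing a mail gateway can do to support the filtering advice above is to decide, from the attachment's content rather than its extension, whether an Office document carries a VBA project at all. The following is an added example, not code from the article or from any spam-filtering product: it builds two constructed Office-style attachments in memory (one with a macro part, one without), classifies them, and maps the classification to a delivery action. The `[Content_Types].xml` override and the `vbaProject.bin` part name are the standard Office Open XML locations for macro storage; the policy names (`quarantine`, `hold-for-inspection`, `deliver`) are assumptions of this example.

```python
"""Content-based macro check for inbound Office attachments.

Added example for this article; the sample documents are constructed here
and are not files from the campaign the text describes.
"""
import io
import zipfile

# Pre-2007 binary Office files (.doc/.xls) are OLE compound files with this header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Office Open XML declares a VBA project with this content type.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office' based on content only."""
    if data.startswith(OLE_MAGIC):
        # Finding macros inside an OLE file needs a real OLE parser; do not assume it is clean.
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any vbaProject.bin part (word/, xl/, ppt/) means a VBA project is present.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        try:
            content_types = zf.read("[Content_Types].xml")
        except KeyError:
            return "not-office"  # a zip, but not an Office Open XML package
        if VBA_CONTENT_TYPE in content_types:
            return "macro"
    return "clean"


def triage(data: bytes) -> str:
    """Map a classification to a gateway action (policy names are assumptions of this example)."""
    verdict = classify_attachment(data)
    if verdict == "macro":
        return "quarantine"            # macro from an external sender: do not deliver
    if verdict == "legacy-binary":
        return "hold-for-inspection"   # needs an OLE-aware scanner before release
    return "deliver"


def build_office_zip(with_macro: bool) -> bytes:
    """Construct a minimal Office Open XML-style package for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a macro-bearing document, a plain one, a legacy header, and text.
    for label, blob in [("invoice.docm", build_office_zip(True)),
                        ("notes.docx", build_office_zip(False)),
                        ("old-report.doc", OLE_MAGIC + b"\x00" * 24),
                        ("readme.txt", b"plain text")]:
        print(label, classify_attachment(blob), triage(blob))
```

Because the check ignores the file name, a macro-enabled package renamed to `.docx` is still classified as `macro`; the extension-only rules some gateways rely on would miss it. The legacy OLE branch is intentionally conservative: without an OLE parser the gateway cannot prove a `.doc` is macro-free, so it is held rather than delivered.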