Story image

What makes Locky and Cerber ransomware so good - and what about CradleCore?

10 May 2017

Since its discovery last year, the Locky ransomware has become one of the most notable forms of malware on the scene, constantly updating itself but still managing to use the same general distribution methods. And it shows no sign of going away, according to Trend Micro.

The company posted a blog this month in which it compared Locky tactics to those of the equally formidable Cerber ransomware - and how they have both evolved.

Locky has been on and off the radar, but the latest variant uses a Microsoft Word document with macros enabled to deliver its load.  Spam email spread a PDF file attachment. This attachment contains the macro-enable file, which then runs when a victim opens the file.

Meanwhile the Cerber ransomware is proving to be a more prevalent and difficult malware to deal with. It has evolved several times and has managed to defeat many sandboxes and antiviruses, including machine learning tools.

The latest version of the ransomware is spread through spam emails disguised as a courier delivery service, Trend Micro says.

Malicious Javascript files hide in the attachment, with three main functions: download and execute Cerber, create a scheduled task that runs the ransomware after two minutes, and runs an embedded PowerShell Script.

Trend Micro says that the fact that Cerber is able to use stealth and launch after a two minute delay means that is can dodge traditional sandboxes. 

It is also able to use “Windows firewall rules that block the outbound traffic of all executable binaries of security products installed in the user’s computer, limiting both detection and mitigation capabilities  of these applications,” the Trend Micro blog states.

The company is also quick to point out that Ransomware-as-a-Service (RaaS) traditionally prevented users from accessing the source code, but a new kit called CradleCore is changing all of that. 

It is being sold as C++ source code that features anti-sandboxing and offline encryption. It demands around 0.25 Bitcoins as a ransom.

While Trend Micro says that little is known about the CradleCore ransomware, the company suspects that because it is still distributed by spam and phishing, it shows the power of those delivery methods. 

Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
SAS announces US$1 billion investment in AI
"At SAS, we remain dedicated to our customers and their success, and this investment is another example of that commitment."
Two Ministers’ thoughts on blockchain in Oz
Minister Karen Andrews, and Minister Simon Birmingham have released a joint statement on the national blockchain roadmap and extra $100,000 funding.
IntegrationWorks continues expansion with new Brisbane office
The company’s new office space at the Riverside Centre overlooks the Brisbane River and Storey Bridge.
DXC subsidiary takes SAP energy industry partner award
Winners of the awards were selected from SAP’s A/NZpartner ecosystem and announced at the recent SAP A/NZ Partner Kick-Off Meeting held in Sydney.
NetApp and allegro.ai showcase an integrated solution for deep learning
Unlike traditional software, in deep learning, the data rather than the code is of the utmost importance.
Opinion: Moving applications between cloud and data centre
OpsRamp's Bhanu Singh discusses the process of moving legacy systems and applications to the cloud, as well as pitfalls to avoid.
Workflows should benefit people, not devices
It is important that, in digital transformation journeys, managers remember technology should complement, rather than overtake, employee talent and skillsets.