The SANS Internet Storm Center has reported that the Blank Slate spam campaign, first observed in July last year, is now being used to distribute Cerber ransomware instead of its previous payloads, Locky and Sage 2.0.
Most ransomware emails rely on social engineering, such as a fake invoice or delivery notice, to persuade recipients to open the attachment and infect their computers. The Blank Slate campaign takes the opposite approach: the messages contain no body text at all, hence the name.
Each message carries a double-zipped attachment: a zip file which contains a second zip file, and inside that a JavaScript file or a Word document with a malicious macro. If the recipient runs the script or enables the macro, it downloads and installs the payload, Cerber ransomware.
Without a lure, a smaller share of recipients will open the attachment, so the infection rate per message is likely to be lower. However, researchers suggest that these messages are more likely to get past email security controls, so more of them reach inboxes, and the higher delivery volume compensates for the lower click rate. The campaign is thought to be distributed via botnets.
Cerber ransomware has been a major threat over the past year. It is updated frequently to evade antivirus detection, and the current Blank Slate campaign distributes the latest variant, which hides its malicious code inside Nullsoft Scriptable Install System (NSIS) installers.
Researchers at Palo Alto Networks' Unit 42 say Cerber is being hosted on around 500 separate domains. Hosting companies take domains down quickly once they are discovered, but the criminals simply register new ones to replace them.
Registering replacement domains costs the attackers very little: domain registration is cheap, burner phones supply the contact numbers, email addresses are free, and payment can be made with stolen credit card details, of which there is no shortage. The profits, by contrast, are high. The key to decrypt files encrypted by Cerber currently costs victims 1 Bitcoin, around $1,000 at the time of writing.
Organizations can reduce the risk by ensuring their spam filtering solution is properly configured, for instance to quarantine nested archives and script attachments, and by instructing all staff never to run JavaScript files or enable Word macros in documents received from unknown senders.
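The following is an added example, not code from the article or from any of the researchers it cites, showing the kind of attachment check a mail gateway can apply to the double-zip layout described above: it unwraps nested zips, flags JavaScript files and macro-capable Word documents at any depth, and refuses to scan members that are encrypted, oversized, or nested too deeply. The depth limit, size cap and extension lists are hypothetical policy values, and the sample attachment is constructed in-memory with a harmless placeholder script rather than real malware. Detecting macros inside a Word file by content would need an OLE parser; this example flags the formats by name only.

```python
from __future__ import annotations

import io
import zipfile

# Hypothetical policy values for this example; tune them for your own gateway.
MAX_DEPTH = 3                        # reject archives nested deeper than this
MAX_INNER_BYTES = 10 * 1024 * 1024   # never inflate a member larger than this (zip-bomb guard)
SCRIPT_EXTENSIONS = (".js",)         # JavaScript droppers used by the campaign
WORD_EXTENSIONS = (".doc", ".docm", ".dotm")  # Word formats that can carry VBA macros


def inspect_attachment(data: bytes, name: str, depth: int = 0) -> list[str]:
    """Return a list of reasons to quarantine this attachment.

    Recurses into zip files so that a .js or macro-capable Word document
    hidden two archives deep is still found.
    """
    findings: list[str] = []
    lower = name.lower()
    if lower.endswith(SCRIPT_EXTENSIONS):
        findings.append(f"script file {name} at zip depth {depth}")
    elif lower.endswith(WORD_EXTENSIONS):
        findings.append(f"Word document {name} at zip depth {depth} (macro-capable)")

    # The local file header signature identifies a zip regardless of its extension.
    if not data.startswith(b"PK\x03\x04"):
        return findings
    if depth >= MAX_DEPTH:
        findings.append(f"archive nesting deeper than {MAX_DEPTH} at {name}")
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:               # encrypted member: cannot be scanned
                    findings.append(f"encrypted archive member {member}")
                    continue
                if info.file_size > MAX_INNER_BYTES:   # declared size, checked before inflating
                    findings.append(f"oversized archive member {member}")
                    continue
                findings.extend(inspect_attachment(zf.read(info), member, depth + 1))
    except zipfile.BadZipFile:
        findings.append(f"malformed zip data in {name}")
    return findings


def classify_message(body_text: str, attachments: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Decide whether a message should be quarantined.

    Any attachment finding is enough to quarantine. An empty body is recorded
    as supporting context (the Blank Slate signature) but is not a verdict on
    its own, since legitimate mail often carries an attachment and no text.
    """
    findings: list[str] = []
    for name, data in attachments.items():
        findings.extend(inspect_attachment(data, name))
    quarantine = bool(findings)
    if attachments and not body_text.strip():
        findings.append("empty message body with attachment (Blank Slate pattern)")
    return quarantine, findings


def build_sample_attachment() -> bytes:
    """Construct a double-zipped attachment mirroring the campaign layout.

    The inner .js is a harmless one-line comment, not malware.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2017.js", "// harmless placeholder for the example\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    verdict, reasons = classify_message("", {"invoice.zip": build_sample_attachment()})
    print("quarantine:", verdict)
    for reason in reasons:
        print(" -", reason)
```

Checking the zip signature rather than the file extension matters because the inner archive can be renamed to anything; the depth and size limits matter because a filter that blindly inflates nested archives is itself a denial-of-service target.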