A command-and-control server that has been used to distribute a ransomware campaign has been shut down by a combination of security researchers from FireEye, the Computer Emergency Response Team in the Netherlands and several web hosting companies.
In a blog post written by two FireEye researchers, the company details how the Cerber ransomware variant works its way into Windows-based machines using fairly common methods. A malicious payload has been attached to a Word document, which has then been attached to a faulty email. Once the Word document is opened, a macro then writes a small piece of VBScript into memory, starting the process to encrypt a user’s files.
Researchers also found that like many other ransomware variants, there is an element of customer service built into the malware. The decryptor supports 12 languages to facilitate payment. Additionally, the criminals offer victims a discount if the ransom is paid within a certain time frame.
The blog post’s authors also found the attackers monitored a number of countries in Eastern Europe and Central Asia — including Russia, Ukraine and Moldova among others — to keep the ransomware outside of certain legal jurisdictions.
[Read more: Feds confident in fight against ransomware]
“Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities,” the blog post reads. “The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.”
The server shutdown comes as Cerber has been spotted causing problems for cloud-based services. Last week, Trend Micro found a variant of Cerber was targeting individual and business Office 365 accounts.
Ransomware, particularly through macro-based attacks, has picked up in recent months. In the first quarter of 2016, there were 450,000 cases of macro malware, according to a McAfee Labs report — up about 300,000 cases from the same time in 2014.
[Want more stories like this? Sign up for the CyberScoop newsletter, and allow us to make sense of it all.]
The FireEye team strongly suggested turning off macros to prevent any further problems.
“Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection,” the blog post reads. “If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.”
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.