Cerber and Locky, the two most widespread ransomware families in the wild, have released new variants at the same time. The new versions introduce small, yet very interesting, changes that may affect the way they are detected.

CERBER 5.0 Uses New IP Ranges as well as Old Ones

The actors behind Cerber, like other actors in the ransomware industry, innovate on a daily basis. Only yesterday (November 23rd, 2016) a new version of Cerber was released (4.1.6), with no prominent changes noticeable in it. Less than 24 hours later, Cerber released version 5.0, which is described in this article.

A notable change introduced in this Cerber version is the set of IP ranges used for command and control communication. Cerber keeps one IP range that was also used in its previous version (4.1.6), while the rest of the IP ranges are new.

The new IP ranges are as follows:

  • 15.93.12.0/27
  • 63.55.11.0/27

The old IP range still in use:

  • 194.165.16.0/22

As in previous versions, Cerber sends UDP messages to every IP address in the above-mentioned ranges. The message that starts the communication matches the regular expression “hi[0-9]{4}b[0-9]{3}”.

Figure 1: multicast UDP communication with C2 using new IP ranges.
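The beaconing described above is the kind of traffic a network defender can flag from flow or packet logs. The following is an added example (not code from the original post) that checks each record for a destination inside the three ranges listed in the post and, for UDP, for a payload matching the opening message; the character classes in the post's pattern are read as [0-9], the log format and the sample lines are constructed, and no destination port is assumed since the post does not name one.

```python
import ipaddress
import re

# C2 ranges named in the post (old 4.1.6 range plus the two new 5.0 ranges)
CERBER_C2_RANGES = [
    ipaddress.ip_network("194.165.16.0/22"),  # still used from 4.1.6
    ipaddress.ip_network("15.93.12.0/27"),    # new in 5.0
    ipaddress.ip_network("63.55.11.0/27"),    # new in 5.0
]

# Opening message of the UDP exchange as given in the post ("hi" + 4 digits + "b" + 3 digits)
CERBER_HELLO = re.compile(r"^hi[0-9]{4}b[0-9]{3}$")

# Constructed log format (assumption): "<src_ip> <dst_ip> <proto> <dst_port> <payload>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")

def in_c2_range(ip):
    """True if the address falls inside one of the published C2 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CERBER_C2_RANGES)

def classify(line):
    """Return a dict describing why a record is suspicious, or None if it is not."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    src, dst, proto, _port, payload = m.groups()
    c2_dst = in_c2_range(dst)
    hello = proto.upper() == "UDP" and bool(CERBER_HELLO.match(payload))
    if c2_dst and hello:
        return {"src": src, "dst": dst, "reason": "cerber_c2_beacon"}
    if c2_dst:
        return {"src": src, "dst": dst, "reason": "cerber_c2_range_only"}
    if hello:
        return {"src": src, "dst": dst, "reason": "cerber_hello_pattern_only"}
    return None

def scan(lines):
    """Run classify() over a log and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample traffic; not real captures.
SAMPLE_LOG = """\
10.0.0.5 15.93.12.7 UDP 40000 hi1234b567
10.0.0.5 63.55.11.30 UDP 40000 hi1234b567
10.0.0.5 194.165.17.200 UDP 40000 hi1234b567
10.0.0.5 8.8.8.8 UDP 53 hi1234b567
10.0.0.9 194.165.19.1 TCP 2323 xyz
10.0.0.9 93.184.216.34 TCP 443 GET
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit tagged cerber_c2_beacon combines both signals; the two weaker tags are worth keeping as separate, lower-confidence alerts.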

Cerber is currently distributed via spam e-mail campaigns and exploit kits, specifically the Rig-V Exploit Kit. Encrypted file extensions are randomly generated in the same manner as in Cerber’s latest versions, using 4 random alphabetic letters. This version of Cerber still focuses on databases and files related to them, encrypting many different database file types. In addition, Cerber informs users which version of the ransomware encrypted their files, via its desktop ransom note:

Figure 2: Cerber 5.0.0 ransom message.

On top of that, decryption instructions appear in an interactive .hta file, with information in different languages.

Cerber’s new version introduces new IP ranges alongside an old one; most other features remain the same.

LOCKY

The ever-changing Locky ransomware has just released a new variant which implements new evasion techniques and an adjusted ransom amount. Locky is known for being downloaded as a DLL file by a JavaScript-based downloader. Although the new variant behaves the same way, the JavaScript downloader now pulls a file with a disguised .TDB extension which turns out to be a PE file. Locky’s threat actor probably wishes to evade security products that have signatures for the already known infection chain.

Figure 3: DLL disguised as a .TDB file.

As in all recent releases, Locky changed the encrypted file’s extension; this time to .zzzzz.

Another behavior worth mentioning is the varying ransom demand. We have noticed that the default requested payment is 3 Bitcoins; however, when the malware is allowed to communicate with its command and control, the payment amount may change according to the victim’s characteristics, especially the number of encrypted files. The lowest amount demanded in our labs was 0.5 Bitcoin.

Figure 4: 3.00 BTC default payment amount

Figure 5: 0.5 BTC adjusted payment amount

SUMMARY

Cerber and Locky creators constantly adapt to security vendors’ counter-measures. While Cerber 5.0 and Locky’s .zzzzz variant are the current versions of these ransomware families, it is highly unlikely that they will be the last.

Security vendors must remain, as always, one step ahead.


  1. Good post!

    I did check my firewall logs for the networks posted in this blog, and I found that the 194.165.18.0/24, 194.165.19.0/24 and the “old” 194.165.16.0/24 networks are trying to enumerate telnet. Also I see attempts to connect to TCP/2323 much like the scanner portion of the Mirai botnet.

    Could it be that these actors are starting to implement an adoption of Mirai in order to increase their effectiveness or reach to IoT devices?

    Regards
