Dangerous form of ransomware has just evolved to be harder to spot

  1. Posts : 34,117
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition

    One of the most dangerous forms of ransomware has just evolved to be harder to spot

    Malicious loaders delivered by self-extracting Dropbox files enable payloads to bypass detection.
    Identified by Trend Micro, the new Cerber variant is, like most ransomware, delivered by a malicious phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload.

    However, in order to evade detection and monitoring by cybersecurity researchers, this version of Cerber will check to see if it's running on a virtual machine, sandbox, or if certain products are running on the machine -- and if it spots any of these, it'll stop running. Why? Because it's in the best interests of the criminals behind it that their code doesn't get analysed.

    It's because of this that the actors behind Cerber have gone to the trouble of repackaging the delivery method and loader in order to get around cybersecurity products which can detect malicious files based on features instead of signatures.

    But by deploying a self-extracting mechanism, it's possible for the file to not look malicious, even to machine learning tools.
    One of the most dangerous forms of ransomware has just evolved to be harder to spot | ZDNet

  2. Posts : 5,201
    Windows 11 Home

    When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware.
    Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection Threat Research Blog

    And all it takes to prevent it and the majority of malware is this (most users do not need WSH).
    Getting rid of powershell helps enormously too, but some users might find it bothersome.

    reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f

    The reason AV companies do not post details is so people would not know how easy it is to avoid without AV.
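    The reg add command above only writes the machine-wide value. As an added example (not from the post, not a vendor tool), the PowerShell script below reports the Windows Script Host "Enabled" value in both HKLM and HKCU, optionally sets both to 0, and then confirms the change by asking cscript to run a throwaway script. Everything it touches is the documented WSH Settings key; the -Disable switch and the temporary script file are this example's own choices. Run it from an elevated PowerShell session.

```powershell
# Added example: audit (and optionally disable) Windows Script Host via the registry.
# Not from the forum post or any product; the -Disable switch is this script's own parameter.
[CmdletBinding()]
param(
    [switch]$Disable   # without this switch the script only reports the current state
)

# The same key the post's "reg add" writes (HKLM), plus the per-user equivalent.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)

function Get-WshState {
    param([string]$Path)
    $value = (Get-ItemProperty -Path $Path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $value) { return 'Enabled (no value set, WSH default)' }
    if ($value -eq 0)     { return 'Disabled' }
    return "Enabled (value = $value)"
}

function Test-WshRuns {
    # Functional check: write a one-line VBScript to %TEMP% and try to run it with cscript.
    # Exit code 0 means a script host started; anything else means WSH refused.
    $vbs = Join-Path $env:TEMP 'wsh-check.vbs'
    Set-Content -Path $vbs -Value 'WScript.Echo "wsh-check"'
    & cscript.exe //Nologo $vbs | Out-Null
    $ok = ($LASTEXITCODE -eq 0)
    Remove-Item $vbs -ErrorAction SilentlyContinue
    return $ok
}

foreach ($p in $paths) {
    Write-Host ("{0}`n  state: {1}" -f $p, (Get-WshState -Path $p))
    if ($Disable) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Host ("  now:   {0}" -f (Get-WshState -Path $p))
    }
}

if (Test-WshRuns) {
    Write-Host 'cscript still runs scripts: WSH is active on this machine.'
} else {
    Write-Host 'cscript refused to run the test script: WSH is disabled.'
}
```

    Running it once without the switch shows the starting state; running it with -Disable writes the value and the cscript check at the end should then report that WSH is disabled. Reverting is a matter of setting the same value back to 1 or deleting it.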

  3. Posts : 11,210
    Windows / Linux : Arch Linux

    Hi there

    If a computer has this sort of problem -- DO NOT EVEN THINK about "repairing it in situ" - CLEAN RESTORE is the only 100% OK solution. Also registry hacks are a waste of time --if some of this evil Ransomware is as sophisticated as it seems to be it will easily get round those "protections".

    1) Always have a CLEAN backup of your OS - No excuse not to - Free Macrium works very well indeed and can be booted off a USB.

    2) Backup OS regularly - preferably nightly and keep say 3 copies OFFLINE of course

    3) Keep OS+applications SEPARATE from your DATA (e.g. photos, music, videos, office documents etc)

    4) backup important data every so often

    5) If Ransomware rears its ugly head -- SWITCH OFF COMPUTER IMMEDIATELY -- Do not use shutdown etc --simply Hard power off.

    6) (optional) re-format OS partition (including system reserved one) HDD with a bootable program such as windows recovery Disc --

    7) Boot stand alone Macrium and restore clean copy of OS.

    8) verify your data files

    Then have a nice stiff drink and make the appropriate - I believe it is the "2 fingered salute" - to those scumbags who think they are clever dishing out Ransomware. Your computer is now as good as new again !!!!

    Note -- to those who know Linux an excellent GUI for copying / comparing / verifying files etc is GRSYNC.
    I use this one almost exclusively for backing up DATA but that's another issue.

    Further note to anybody reading this thread -- I've posted (as others) almost AD NAUSEAM the importance of BACKUPS -- it hardly takes long these days to back up the OS and external HDDs are mega cheap too.


    - and if people did take backups then 99% of the problems encountered in this section of the Forum would be avoided.