Adam Wosotowsky contributed to the blog.
Threats are evolving, especially ransomware. Cerber ransomware, one of the most powerful strains out there, is no exception. The threat used to be a pretty run-of-the-mill ransomware, infecting devices through various social engineering techniques and encrypting files on an infected computer and demanding a ransom to restore them, but now, a new variant of Cerber has emerged that is even more advanced. In addition to its existing capabilities, the malware now has the ability to steal Bitcoin wallet data and stored browser password information.
Cerber ransomware has developed rapidly over the past few years. Building off of its initial capabilities, the threat soon developed the ability to evade detection by cybersecurity tools, then was sold ‘as-a-service’ to low-level hackers who want to make a quick buck from ransomware – with the authors taking a share of every single ransom payment. Plus, to make matters worse, the ransomware uses very strong encryption. Now, Cerber has found yet another way to make profit by stealing cryptocurrency directly from a Bitcoin wallet, as well as swooping additional password information.
While this is an escalation of the attacker’s capability, there are some holes in the implementation that may prevent them from fully accessing the wallet. However, it’s important to note, Cerber deletes a Bitcoin wallet before the ransomware even encrypts files, so paying the ransom won’t get the wallet back.
The next question is: what can users do to stay protected? First, remember there has never been a security incident with the Bitcoin block chain itself; all the “bitcoin hacks” so far have taken advantage of security holes in the websites that handle bitcoin management and not the blockchain itself.
For bitcoin users, it’s crucial to never put all your coins in one place. Someone who wants to protect their assets should have separate active and savings bitcoin wallets where the active wallet can be managed by an online bitcoin service that can handle spending the coins, and the savings wallet is kept separate from online services. If you have such a savings wallet, you should keep hardcopies somewhere. This way, if a Cerber infection downloads and deletes your wallet you only need to take your backup savings wallet and send all the money to a new wallet that the Cerber attackers don’t have.
And since Cerber itself uses email attachments as an attack vector, the attack could also be prevented by having a corporate mail policy which blocks any executable attachments, even if they are in zip files. If the attack payload is a Word document or pdf attachment with a macro downloader then you will need to rely on AV and good judgement.
Beyond that, always practice good security hygiene. This means avoid opening documents and attachments from unfamiliar sources and changing all passwords to be unique and complex.
To learn more about this ransomware attack and others like, follow us at @McAfee and @McAfee_Business.