Dutch ransomware campaign could reactivate "any time"
- 20 July, 2016 09:53
Researchers at information security specialist FireEye, who worked with Dutch authorities to shut down the campaign in June, said the attackers could easily resume it by standing up new command and control servers.
And this time the servers may be activated in jurisdictions with weaker cyber regulations, said FireEye senior researcher Ankit Anubhav.
“They were using specific command and control servers and were able to work with CERT to close them. But that doesn’t mean that they can’t host a new server somewhere else, and most of the time these actors are in regions where the cyber laws are not very strict,” Mr Anubhav said.
The attacker behind the Cerber-based ransomware campaign that Dutch authorities closed down in June used web channels to boast of ensnaring 5,000 victims. However, FireEye researchers said that figure was likely to be inflated.
The attacker was attempting to extort $US1,400 from each victim in return for the means to regain access to their data.
In this case the hacker circulated a Word document containing a malicious macro that abused Microsoft’s PowerShell. The macro invoked PowerShell to bypass Microsoft’s front-line malware defence, its user access controls.
FireEye researchers said that other intrusion detection software struggles with ransomware that abuses PowerShell in this way, because PowerShell is a legitimate Windows component rather than malicious code in its own right.
FireEye would say little about how its security system, FireEye Endpoint Security (HX), was able to detect the campaign, other than that its heuristics were based on behaviour rather than code analysis alone.
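The article describes a detection based on activity rather than code: an Office application spawning PowerShell with switches chosen to run quietly is suspicious regardless of what the script itself contains. The following is an added illustration of that idea, not FireEye's HX logic or any code from the campaign. It scores constructed, Sysmon-style process-creation events (the sample events, the Office application list, the switch patterns and the threshold are all assumptions made for the example) and raises an alert when the combined behaviour crosses a threshold.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand SQBFAFgA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -w hidden -nop -c "Write-Output test"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Office binaries that have no normal reason to launch a shell (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line switches a macro-launched PowerShell typically uses to stay quiet.
FLAG_PATTERNS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "execution policy bypass": re.compile(r"-ex(?:ec(?:utionpolicy)?)?\s+bypass\b", re.I),
    "encoded command": re.compile(r"-e(?:nc(?:odedcommand)?)?\b", re.I),
}


def basename(path):
    """Last path component, tolerant of Windows backslashes on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event.

    Scoring is behavioural: who launched what, and how, not what the script says.
    """
    score, reasons = 0, []
    if basename(event["parent"]) in OFFICE_APPS:
        score += 2
        reasons.append("Office application spawned a child process")
    cmd = event["cmdline"].lower()
    # Catch PowerShell launched directly or via an intermediate cmd.exe.
    if basename(event["image"]) == "powershell.exe" or "powershell" in cmd:
        score += 1
        reasons.append("PowerShell involved")
    for name, pat in FLAG_PATTERNS.items():
        if pat.search(event["cmdline"]):
            score += 1
            reasons.append(f"suspicious switch: {name}")
    return score, reasons


def detect(events, threshold=3):
    """Return alerts for events whose behavioural score meets the threshold (assumed 3)."""
    alerts = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"index": i, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[alert["index"]]
        print(f"ALERT score={alert['score']} parent={basename(ev['parent'])} "
              f"cmd={ev['cmdline']!r}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run against the constructed events, the two Office-spawned PowerShell launches are flagged while the administrator's interactive session and the scheduled inventory script are not. The point is the one the article makes: the script content never has to be inspected, so an attacker changing the payload does not change the verdict.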
Dutch authorities closed the command and control server within four hours of being notified by FireEye. However, Mr Anubhav concedes that it might be harder to achieve that speed if the Cerber campaigners move their servers into less regulated environments.