
A US Government website was hosting a malware downloader until sometime Wednesday. It was called out by Ankit Anubhav, a researcher at NewSky Security, who first noticed the downloader in the JavaScript of the website. This JavaScript would download the Cerber ransomware program onto the user's device. How, exactly, this code got into a government website is currently unknown. It's troubling because it implies that the website was hacked, or that some sort of automated process pulled the code in from someone who was legitimately logged into the website at the time. If the website is used to send, receive or manage emails, it's possible an employee was sent the ransomware in a phishing attempt. That would mean the website is automatically loading attachments from emails, however, and apparently not checking them for malware. Either way, the code points to a vulnerability somewhere in the website.
This is the second time Cerber has come up in the news; previously it was part of an email attack that used zipped files to get around security measures. Double-zipped archives of files and folders would be sent and opened by email servers. These archives contained GIFs or MS Word documents that were actually cleverly disguised Cerber executables. Keep that in mind the next time someone sends you a funny cat GIF: it could really be the executable of a piece of malware. Never open emails from unknown senders, ever.
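The nested-archive trick described above relies on a file's extension saying one thing while its contents say another. The following is an added example (not code from the article or from NewSky Security) of the kind of check an email gateway or analyst script can run: it unpacks zip archives in memory, recurses into zips inside zips up to a fixed depth, and flags any member whose contents start with the Windows PE `MZ` header while its extension claims to be a GIF or Word document. The sample archive is constructed inline; the magic-byte table and the size and depth limits are the example's own assumptions, not anything the article specifies.

```python
"""Detect extension/content mismatches inside (possibly nested) zip archives.

Added example. Sample data is constructed inline; limits are assumptions.
"""
import io
import zipfile

# Expected leading bytes for the formats the article mentions (assumed table).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file
    "docx": (b"PK\x03\x04",),                       # .docx is itself a zip
}
PE_MAGIC = b"MZ"                 # Windows executables (EXE/DLL/SCR) start with MZ
MAX_DEPTH = 3                    # stop recursing into zip-in-zip-in-zip...
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate huge members (zip-bomb guard)


def classify(name, data):
    """Return a finding string if the member looks disguised, else None."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data[:2] == PE_MAGIC and ext not in ("exe", "dll", "scr"):
        return f"{name}: PE executable disguised as .{ext or '(none)'}"
    expected = MAGIC.get(ext)
    if expected and not any(data.startswith(m) for m in expected):
        return f"{name}: content does not match .{ext} header"
    return None


def scan_zip_bytes(blob, depth=0, prefix=""):
    """Walk a zip held in memory and collect findings; recurse into inner zips."""
    findings = []
    if depth > MAX_DEPTH:
        findings.append(f"{prefix}: nesting deeper than {MAX_DEPTH}, not expanded")
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not a zip after all; nothing to expand
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{path}: member too large to inspect")
                continue
            data = zf.read(info)
            # An inner zip (unless it is a .docx, which is a zip by design) gets expanded.
            if data[:4] == b"PK\x03\x04" and not path.lower().endswith(".docx"):
                findings.extend(scan_zip_bytes(data, depth + 1, path))
                continue
            finding = classify(path, data)
            if finding:
                findings.append(finding)
    return findings


def build_sample():
    """Constructed double-zipped sample: the inner zip holds a 'GIF' that is PE-shaped."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("funny_cat.gif", b"MZ" + b"\x90" * 62 + b"constructed fake PE body")
        z.writestr("real.gif", b"GIF89a" + b"\x00" * 10)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for line in scan_zip_bytes(build_sample()):
        print(line)
```

The check is deliberately cheap: it only reads the first few bytes of each member, so it can sit in front of a full antivirus scan rather than replace it. The depth and size limits matter because the same nesting that hides a payload can also be used to exhaust a scanner that inflates everything it sees.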
Cerber is a piece of ransomware; it works by encrypting or otherwise denying you access to your own files. It works by modifying your Windows Registry, which can be dangerous to fix. Messing up your registry is a good way to brick your device, and it shouldn't be attempted if you don't know what you're doing or can't follow instructions well. Once your files are encrypted you'll be notified by a message in English telling you to install the Tor Browser and to go to the given website. From there you can get instructions on how to get your files back in a variety of languages. You'll be offered the chance to buy the decryptor, but if you hesitate for too long the price will double. Cerber works by infiltrating your computer and attaching itself to background processes that are capable of increasing their own importance. This means that as Cerber sits there it slowly elevates itself in the hierarchy of your computer until it's beyond reproach. It needs to take priority over everything else on your computer so that virus protection software can no longer touch it.