Zero-day ransomware targets Microsoft Office 365 Users

Don’t rely on the security of Microsoft Office 365!


A variant of Cerber ransomware is now targeting Office 365 email users with a massive zero-day attack that is able to bypass Office 365's built-in security tools.


Avanan, a cloud security provider, has published research on this attack:

The attack included a very nasty ransomware virus called Cerber, which was spread through email and encrypted users’ files. Once encrypted, Cerber demanded a ransom be paid in order to regain access to the user’s documents, photos and files. So nasty in fact, that this virus actually played an audio file, informing the user that the computer’s files have been encrypted while a warning message was displayed on screen. […]
This attack seems to be a variation of a virus originally detected on network mail servers back in early March of this year. 
As it respawned into a second life, this time Cerber was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.


Some info about Cerber Ransomware

From BleepingComputer.com:

When first run, Cerber will check to see if the victim is from a particular country. If the computer appears to be from any of the following countries, it will terminate itself and not encrypt the computer.

Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan

If the victim is not from one of the above countries, Cerber will install itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ folder and name itself after a random Windows executable.

Cerber will then configure itself to start automatically when you log in to Windows, execute as your screensaver when your computer is idle, and set a task to execute itself once every minute.

When encrypting your data, Cerber will scan the victim’s drive letters for any files that match certain file extensions. When it finds a matching data file, it will encrypt the file using AES-256 encryption, encrypt the file’s name, and then add the .CERBER extension to it.

To upset a victim even more, Cerber talks to you!

One of the ransom notes that Cerber creates is a bit more “special” than the others. The # DECRYPT MY FILES #.vbs file contains VBScript, which will cause the victim’s computer to speak to them.


When the above script is executed, your computer will speak a message stating that your computer’s files were encrypted and will repeat itself 5 times.
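The file-system artefacts named in the description above (the .CERBER extension, the # DECRYPT MY FILES #.vbs note, and the GUID-named folder under %AppData%) can be checked for during triage with a short script. This is an added example, not code from BleepingComputer or Avanan; the function names and the sample tree are constructed, and matching any brace-wrapped GUID folder (not only the one quoted) is an assumption.

```python
import os
import re
import tempfile

# Indicators taken from the behaviour quoted above.
ENCRYPTED_EXT = ".cerber"                # extension added to encrypted files
VOICE_NOTE = "# decrypt my files #.vbs"  # the ransom note that speaks
PAGE_GUID = "{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}"
GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def scan_profile(root, appdata):
    """Collect the file-system artefacts described above from a user profile."""
    found = {"encrypted": [], "voice_notes": [], "install_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                found["encrypted"].append(os.path.join(dirpath, name))
            elif name.lower() == VOICE_NOTE:
                found["voice_notes"].append(os.path.join(dirpath, name))
    # GUID-named folder under %AppData% holding an .exe: a lead, not proof.
    for entry in sorted(os.listdir(appdata)) if os.path.isdir(appdata) else []:
        path = os.path.join(appdata, entry)
        if GUID_DIR.match(entry) and os.path.isdir(path):
            exes = sorted(f for f in os.listdir(path) if f.lower().endswith(".exe"))
            if exes:
                found["install_dirs"].append(
                    {"path": path, "exes": exes, "exact_guid": entry.upper() == PAGE_GUID})
    return found


def build_sample_profile(base):
    """Constructed test data: empty files laid out like an affected profile."""
    roaming = os.path.join("AppData", "Roaming")
    layout = [
        ("Documents", "a1B2c3D4e5.cerber"),            # constructed name
        ("Documents", "# DECRYPT MY FILES #.vbs"),
        ("Pictures", "holiday.jpg"),                   # untouched file
        (os.path.join(roaming, PAGE_GUID), "example.exe"),
        (os.path.join(roaming, "SomeApp"), "settings.ini"),
    ]
    for folder, name in layout:
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        open(os.path.join(base, folder, name), "w").close()
    return os.path.join(base, roaming)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_profile(tmp, build_sample_profile(tmp)))
```

On a real host, pass the user's profile directory as `root` and the resolved %AppData% path as `appdata`; a GUID folder hit with `exact_guid` false needs manual review because other software creates similarly named folders.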


Read the whole report on the Avanan website:

http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-day-ransomware-virus
