Using a process known as binary padding along with the Magnitude Exploit Kit—which is well known in cybercriminal circles—ransomware distributors are artificially inflating the size of Cerber files before they are executed. The payload’s inflated size allows the ransomware to skirt its way around security software that can’t scan larger files for digital threats, according to researchers at security software firm Malwarebytes.
Organizations can guard against exploit kits like Magnitude by making sure to install the latest security patches and updates to operating systems and applications.
How it works
The newest Cerber distribution campaign begins with Magnitude EK, a notorious exploit kit which abuses known software flaws in order to download malware onto vulnerable machines. Magnitude EK has a reputation for exploiting Microsoft Internet Explorer vulnerabilities, though sometimes accesses systems through Adobe Flash Player weaknesses.
Discovered in early 2016, Cerber is a file-encrypting software that capitalizes on infection by checking the country code of a machine. If the victim’s computer isn’t located in Russia, Central Asia, or Eastern Europe, Cerber saves a copy of itself under a randomly generated executable name. It then escalates its privileges before encrypting the machine’s files and spreading itself across networks.
Cerber has been widely available via ransomware-as-a-service (RaaS). That means just about anyone—even cybercriminals who aren’t very technically savvy—can launch an attack for a fee. This accessibility no doubt helped Cerber surpass Locky as most widely used ransomware distribution in 2016.
Protect yourself from evolving ransomware threats
Malwarebytes researcher Jerome Segura says businesses need to be concerned about exploit kits like Magnitude.
“While Magnitude EK has a very narrow distribution channel, it remains an interesting exploit kit because not only does it have its own gate, but it also continues to evolve with various tricks,” Segura explains in a blog post.
“The binary padding technique shows an effort to bypass certain security scanners that will ignore files above a certain size. However, this does not prevent the malicious binary (no matter how big) to run its course and fully infect a machine.”
Businesses may be able to prevent a Magnitude attack by implementing a comprehensive patch management strategy and by conducting ongoing security awareness training with employees. But it’s also important to back up all data and store it in a secure location in case the ransomware attack is successful.