Dutch ransomware campaign could reactivate "any time"

Researchers at information security specialist FireEye, who worked with Dutch authorities to shut down the campaign in June, said that the attackers could easily resume it by standing up new command and control servers.

And this time the servers may be activated in jurisdictions with weaker cyber regulations, said FireEye senior researcher Ankit Anubhav.

“They were using specific command and control servers and were able to work with CERT to close them. But that doesn’t mean that they can’t host a new server somewhere else, and most of the time these actors are in regions where the cyber laws are not very strict,” Mr Anubhav said.

The attacker behind the Cerber-based ransomware campaign that Dutch authorities closed down in June used web channels to boast ensnaring 5,000 victims. However, FireEye researchers said that figure was likely to be inflated.

The attacker was attempting to extort $US1,400 from each victim in return for the means to regain access to their data.

In this case the hacker circulated a Word document containing a malicious macro that abused Microsoft’s PowerShell feature. The macro invoked PowerShell to bypass Microsoft’s front-line malware defence, user access controls.

FireEye researchers said that other forms of intrusion detection software struggle with ransomware that abuses PowerShell in this way, because PowerShell itself is a legitimate Windows component and its use is not inherently malicious.

FireEye would say little about how its security system, FireEye Endpoint Security (HX), was able to detect the campaign other than to say its heuristics were based on activity rather than simply code analysis.
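As a defender-side illustration of the activity-based detection the article alludes to, the following is an added example (not FireEye's product logic or any code from the article) that scores process-creation records in which an Office application spawns PowerShell with switches typical of a macro-launched, hidden, encoded script. The event records and the Sysmon-style field names (ParentImage, Image, CommandLine) are constructed and assumed.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields, assumed),
# not data from the article. The first is the macro -> PowerShell chain.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA..."},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Switches typical of a macro launching a hidden, policy-bypassing, encoded script.
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:encodedcommand|enc|e|noprofile|nop|executionpolicy\s+bypass|ep\s+bypass|"
    r"windowstyle\s+hidden|w\s+hidden)\b", re.IGNORECASE)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event):
    """Return (score, reasons). 0 means nothing to report; the Office -> PowerShell
    pairing scores 1 and each suspicious switch adds 1, so a hidden, encoded,
    policy-bypassing script under WINWORD.EXE scores highest."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return 0, []
    reasons = [f"{parent} spawned {child}"]
    flags = sorted({m.group(0).lower() for m in SUSPICIOUS_FLAGS.finditer(event["CommandLine"])})
    reasons.extend(f"switch {f}" for f in flags)
    return len(reasons), reasons

def triage(events, threshold=1):
    """Return (score, reasons, event) for events at or above the threshold, highest first."""
    hits = [(s, r, e) for (s, r), e in ((score_event(e), e) for e in events) if s >= threshold]
    return sorted(hits, key=lambda h: h[0], reverse=True)

if __name__ == "__main__":
    for score, reasons, event in triage(EVENTS):
        print(score, basename(event["Image"]), "; ".join(reasons))
```

The plain Explorer-launched PowerShell and the Word print helper score zero, which is the point: the alert keys on the parent/child relationship and launch switches, not on PowerShell being present.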

Dutch authorities closed the command and control server within four hours of being notified by FireEye. However, Mr Anubhav concedes that it might be harder to achieve that speed if the Cerber campaigners move their servers into less regulated environments.

Stories by Andrew Colley

Latest Videos

More videos

Blog Posts