A nasty ransomware is at the heart of a widespread attack on Microsoft 365 users.
The virus, called Cerber, is spread through email and, like other ransomware, encrypts users’ files and demands payment in order to unlock them. It plays an audio file informing the user that the computer’s files have been encrypted, while a warning message was displayed on screen. The ransom is set at 1.24 bitcoins or about $500.
“Cerber spreads via phishing emails,” explained Steven Toole, a researcher at Avanan, in a blog. “Once infected, a victim’s files become encrypted using the AES-265 and RSA encryption method, which is currently unbreakable.”
Avanan estimates that roughly 57% of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.
A variation of the virus was originally detected on network mail servers back in early March. It has since respawned into a second life, and was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.
“We are continuing to see a significant increase in the complexity of malware targeting business networks, and this attack is an excellent example. By utilizing several exploit kits, it was able to bypass traditional sandboxes. It also speaks to the effort hackers are putting into creating new zero-day attacks and the challenges businesses face in securing their networks against cybercriminals.”
Microsoft detected the attack and started blocking the attachment as of June 23.
“Many users of cloud email programs believe they ‘outsourced’ everything to Microsoft or Google, including security,” explained Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers’ security measures, and so most new malware goes through cloud email programs undetected.”
Photo © Lightbox