Researchers at Forcepoint have discovered an email campaign distributing double zipped files with Windows Script Files (WSFs) inside which, when executed, download the Cerber crypto-ransomware.
Cerber is a highly customisable crypto-ransomware that encrypts local files and demands a payment to decrypt them. It is believed to be sold under a ransomware-as-a-service model on Russian underground forums, which means there is no single malware author but rather several actors distributing their own Cerber builds in different ways, some via exploit kits and others via email.
It has previously been seen distributed via exploit kits and over email using DOC files with macros, but this is the first time it has been seen distributed via WSFs.
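The double-zipped WSF attachment structure described above is exactly what a mail gateway or triage script should look for: a script-host file hidden one or more archive layers down. The following is an added example (not Forcepoint's code) that walks a zip recursively, reports any Windows Script Host file it finds at any depth, and builds a constructed sample archive of the same shape to run against; the extension list and nesting limit are assumptions.

```python
import io
import os
import zipfile

# Windows Script Host extensions to treat as executable attachments
# (assumed list; .wsf is the one used in the campaign described above).
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh"}

MAX_DEPTH = 4  # assumed limit: stop descending into pathological nesting


def find_script_members(zip_bytes, depth=0, prefix=""):
    """Return [(path, depth)] for every script-host file reachable inside
    zip_bytes, descending into nested zip archives. Paths are reported as
    outer_member.zip/inner_member.wsf so the nesting is visible to an analyst."""
    found = []
    if depth > MAX_DEPTH:
        return found
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return found  # not a zip at all: nothing to inspect here
    for info in archive.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        ext = os.path.splitext(info.filename)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            found.append((path, depth))
        elif ext == ".zip":
            # Nested archive: read it into memory and recurse one level deeper
            found.extend(find_script_members(archive.read(info), depth + 1, path + "/"))
    return found


def is_suspicious(zip_bytes):
    """True if a script-host file is present at any nesting depth."""
    return bool(find_script_members(zip_bytes))


def build_sample(member_name="invoice.wsf"):
    """Constructed sample: a zip containing a zip containing one member,
    mirroring the double-zipped attachment structure (harmless placeholder body)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(member_name, "<job></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, depth in find_script_members(build_sample()):
        print(f"depth {depth}: {path}")
```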
Actors distributing malware over email are constantly changing their techniques in order to bypass security solutions, so it is important for us all to remain vigilant when opening emails, especially the attachments and links contained within them.
For more information on this discovery visit the Forcepoint blog.