Rise of Cerber Ransomware


The malicious activities of Cerber Ransomware started in February 2016 and have continuously evolved since then. It has now become one of the most frequently encountered ransomware families, pushing others, including Locky, behind. According to the latest statistics, Cerber has the highest share rate, at 25.97%. The malware has evolved mostly in its distribution process, with a focus on exploit kits, compromised websites, and email distribution. It is especially prevalent in the US, Asia, and Western Europe.

Cerber Attack

Cerber generally enters the system/PC through spam email downloaders or malicious websites. Both macros and OLE objects are used to deliver Cerber, since malware authors can abuse either one to deliver malware to victims. Malicious files have been seen using Visual Basic Script (VBS) and JavaScript to download Cerber from a command server.
The other infection scenario occurs when a user visits a malicious website that hosts an exploit kit. The kit finds the vulnerabilities of the PC and targets them to inject the infection. Eventually, this allows the exploit kit to download Cerber onto the PC. The Neutrino, Angler and Magnitude exploit kits are known for distributing Cerber.
Like other ransomware, Cerber encrypts files and gives the victim recovery instructions. It delivers these instructions in both .html and .txt formats and also replaces the desktop wallpaper. In addition, Cerber includes a synthesized audio message. More importantly, the ransom message tells victims that Cerber is trying to make the Internet a safer place and does not mention the ransom required to decrypt the files. Investigation has shown that the ransom is demanded in bitcoins.


eScan now debuts a Proactive Behavioral Analysis Engine (PBAE) that monitors the activity of all processes on the local machine. Whenever PBAE encounters an activity or behavior that is reminiscent of ransomware, a red flag is raised and the process is rendered inactive so that it cannot do any further damage. Ransomware is also known to encrypt files residing on network shares. In such cases, when an infected, non-protected system accesses the network share of a protected system and tries to modify the files residing there, PBAE immediately invalidates the network session. Besides this, the precautionary measures below are also important:
• Update your antivirus software regularly and protect your system from Malware attacks.
• Always download apps from their official website or Google Play Store instead of unknown sources, because unknown sources are unreliable.
• Download applications from a reliable app developer. In addition, check the user ratings and reviews of the app before downloading.
• Ensure that all the software installed on your system is updated frequently, including Oracle, Java and Adobe.
• Implement a three-dimensional security policy in your organization: first, understand your requirements and prepare the IT security policy based on them; second, educate your staff about the policy; and finally, enforce it.
• Make sure you either implement MailScan at gateway level or enable Mail Anti-virus on the endpoint in order to block extensions such as *.EXE, *.SCR, *.JS, *.VBE etc. Such attachments can infect your system.
• Open emails only if you are positive about the source.
• Regularly create backups of your important files.
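
The attachment-blocking measure above can be sketched as a gateway-style check. This is an added example, not eScan or MailScan code; the `.vbs` entry, the function names and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the post's advice. ".vbs" is an assumption added here
# because the post mentions VBS downloaders; it is not in the post's list.
BLOCKED = {".exe", ".scr", ".js", ".vbe", ".vbs"}

def classify(filename):
    """Return a reason string if the attachment name should be blocked, else None."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    clean = filename.strip().rstrip(". ").lower()
    stem, dot, ext = clean.rpartition(".")
    if not dot or "." + ext not in BLOCKED:
        return None
    # "invoice.pdf.js" looks like a PDF when known extensions are hidden.
    return "double extension" if "." in stem else "blocked extension"

def blocked_attachments(raw_bytes):
    """Walk every MIME part and return [(filename, reason)] for blocked names."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # decoded file name, or None for body parts
        reason = classify(name) if name else None
        if reason:
            hits.append((name, reason))
    return hits

def build_sample():
    """Constructed test message; addresses and file names are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "billing@example.com", "user@example.com", "Invoice"
    m.set_content("Please see the attached invoice.")
    for fname in ("invoice.pdf.js", "report.pdf", "Setup.EXE"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample()):
        print(f"REJECT {name}: {reason}")
```

The check looks only at attachment names, so a script packed inside an archive or a macro inside an Office document still needs content scanning.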


Defeat Ransomware with PBAE Technology

Ransomware is the attack most favored by cyber-criminals, as it is one of the easiest ways for them to extract money from victims. Many organizations have lost the battle against it.

Ransomware encrypts the files on your system and will allow you to decrypt them if and only if a ransom amount is paid. It can also prevent you from using your web browser, other applications, or the entire operating system. If preventative measures are not taken in the first place, you end up paying the price.

In recent times we have witnessed new variants of ransomware. One is the destructive Locky ransomware, which infected Windows machines through the user's e-mail as obfuscated JavaScript, with the email usually pretending to be an official document. There have been other strains of ransomware infecting Macs and even mobile devices.

To protect its users, eScan has developed its latest technology, PBAE (Proactive Behavioral Analytics Engine), to provide real-time protection for organizations and users against ransomware attacks. The research team has developed an algorithm to analyze the behavioral patterns of ransomware programs and protect the IT assets of organizations as well as SOHO users.

Download the whitepaper of PBAE Technology here.



Beware of Fake ‘DigiLocker’


The much-awaited DigiLocker mobile app was launched by Minister of Road Transport and Highways Mr Nitin Gadkari and Minister for Information and Technology Mr Ravi Shankar Prasad at the Transport Ministry in New Delhi.

DigiLocker is a ‘digital locker’ service launched by the Government of India in February 2015 to provide a secure, dedicated personal electronic space for storing the documents of resident Indian citizens. It is one of the key initiatives under the Digital India Programme, which the Indian government initiated to digitally empower society and the knowledge economy, and it targets the idea of paperless governance.

According to the ministry, DigiLocker will eliminate the use of physical documents, make them accessible anytime and anywhere, allow them to be shared online, and help avoid forgery. The integration of driving licenses and registration certificates with DigiLocker will enable access to them through mobile devices, which means citizens need not carry a physical copy of their driving license; they just need to install the app. The digital copies of the driving license and registration certificate can also be shared with other departments for verification purposes.

It is a great initiative by the Government of India to provide a secure, centralized document storage and sharing facility. However, according to eScan research, fraudsters have been quick to capitalize on it and have created numerous DigiLocker apps. To make these apps look authentic to their future victims, they have used not just the Indian Prime Minister’s photo but also India’s National Emblem.

Based on trend analysis of past experience, it is to be noted that these fake apps might steal your credentials or act as adware, or in the worst cases the apps might become the harbinger of ransomware.

Google’s Play Store makes use of Google Bouncer, which searches the Android market for apps that could be malicious. However, it allows anyone to publish an app in the Play Store. The fake apps’ download range is 10,000 to 50,000, whereas the original DigiLocker app’s download range is between 1 lakh and 5 lakhs, which gives some indication of authenticity. Users should therefore refrain from installing such fake apps, download the DigiLocker app developed by ‘MeitY, Government of India’, and make the ‘Digital India’ campaign a real success.



How to Prevent WhatsApp from sharing your phone number with Facebook


The global privacy policy of WhatsApp has been updated. WhatsApp will share the phone numbers of its users with Facebook, its parent company. Here are certain things that are important to be aware of.

As per the latest official announcement from WhatsApp, users’ phone numbers are shared with Facebook to improve Facebook ads and product experiences. As a result, users will start receiving more relevant ads and friend suggestions on Facebook. The policy also helps the users to track basic metrics of the frequency of services and to fight spam on WhatsApp in a better way. There are chances that some related data, like the users’ mobile operating systems, country codes, carrier codes, screen resolution, and device identifier, will be shared too. WhatsApp has also announced that the number can be shared with the companies that come under the Facebook family (e.g. Instagram, VR firm Oculus Rift, etc.).

The obvious question that comes to mind is: can we prevent WhatsApp from sharing our phone number in this fashion? WhatsApp has made provision for that too. Here are a couple of ways to go about it:

Option 1
• When you are using the latest WhatsApp app, you can come across the below notification at any time. By agreeing to it, you will share your personal WhatsApp details with Facebook for advertisement purposes; you can also disagree and stop sharing your personal WhatsApp details with Facebook. Tap on “Read more about the key updates to our Terms and Privacy Policy” as shown below:


• Thereafter, just uncheck the green box as shown below. This means you do not agree with the sharing of numbers with Facebook.


• Once the below screen appears, tap on ‘Agree’.


Option 2
Once you are done with the above-mentioned steps, you still have 30 days to reverse your decision. In that case, open WhatsApp > go to Settings > Account > uncheck the box next to “Share my account info” as shown below:


Please Note: You might not see this option under Settings > Account. You need not worry. This happens only when WhatsApp has not been updated to the latest version or when you are yet to receive the new terms & conditions notification.

It is also important to understand that the above procedure is a partial solution. It stops WhatsApp from sharing your data for Facebook ads and product-related purposes. In spite of that, the data will still be shared to improve infrastructure and delivery systems, to understand service methodology, to secure systems, and to deal with other violation activities. However, this will not affect your communication on WhatsApp. Even users who have agreed to the new policy still have 30 days to change their decision.

Until now, WhatsApp has given neither any concrete information about the list of user types that it plans to share with Facebook, nor anything about how Facebook will use the data. Even if you do not have a Facebook account, your number will be shared with Facebook. As per the latest updates from a Facebook spokesperson, this will not be used to create an account on your behalf.

We will keep updating this blog post based on the latest updates from WhatsApp/Facebook.
