New Cerber ransomware strain morphs every 15 seconds to avoid detection
An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho FallsReuters

Security researchers have discovered a new twist in the plot in the ongoing evolutionary journey of the Cerber ransomware. The authors of the malware are now using a new technique that enables Cerber ransomware to morph itself every 15 seconds to avoid detection.

Ransomware is a type of malware that infects victims' systems and then proceeds to hold all data within as hostage until victims pay up a specific amount of money as ransom. In most cases, victims are asked to pay up in Bitcoin and ransom amounts can range from anywhere up to a few hundred to even thousands dollars.

Security researcher Pat Belcher of Invincea, which has been tracking the Cerber ransomware's activities since it was first identified earlier in the year, said in a blog post: "Invincea researchers see dozens of Cerber infection attempts every day. However, when we tried to duplicate the download for this variant, we noticed that the hash we received from the payload delivery server had a different hash than the one in the event above. When we downloaded it a third time, there was yet another hash. Fifteen seconds later, there was another, and then another. In all we downloaded over 40 uniquely hashed Cerber payloads — all with different hashes."

This process by which the malware was found to constantly transform itself was indicative of the coders of the malware making use of the "malware factory" — a mechanised and programmed assembly line that stitches together Cerber payloads while making minor modifications to the malware's internal structure in efforts to ensure that it keeps generating files with unique hashes. This technique is generally utilised by malicious coders to ensure that the malware goes undetected against security software. "By constantly morphing the same old binary from 2015 is able to evade detection quite easily," added Belcher.

Invincea also claimed that this was not the first time that the Cerber ransomware has evolved. In May, the company identified that the ransomware was being paired with bots to serve up DDoS (Distributed Denial of Service) attacks to its victims.