![cerber ransomware on mac cerber ransomware on mac](https://www.enigmasoftware.com/images/2016/cerber-ransomware-loud-alert-voice-files-encrypted.jpg)
In addition to encrypted strings, this malware variant has also implemented some checks to determine if it is being analyzed, or if it has been loaded into a sandbox or a virtual machine. String decrypt function Anti-analysis, Anti-sandbox, Anti-VM Every encrypted string also has its own hard-coded decryption key.įigure 5. As it turns out, the strings are encrypted using the Chacha20 cipher.
Cerber ransomware on mac update#
While examining the current malware variant we observed that one interesting update is that most of the strings are already encrypted in an effort to conceal its malicious content.
Cerber ransomware on mac code#
Sage ransomware desktop wallpaper Code Obfuscation The discovered variant also sets the desktop wallpaper with the same message used by earlier variants of Sage.įigure 4. It also still avoids infecting machines in some countries based on the following keyboard layout: Names of encrypted files are still appended with a.
![cerber ransomware on mac cerber ransomware on mac](https://sensorstechforum.com/wp-content/uploads/2017/06/cerber-locky-ransomware-new-updates-june-2017-new-variant-remove-and-restore-files-loptr-read_this_-sensorstechforum-update-june-2017.jpg)
It uses the same encryption algorithm as Sage 2.0, which is ChaCha20, to encrypt files. While we will not go into the details of the things that didn’t change in this variant from earlier versions of the Sage ransomware, we will highlight some important details that we think users should be aware of.Īs with earlier variants, this version comes packed with a variety of crypters.
Cerber ransomware on mac download#
Examples of download URLs Things that didn’t change KTIS view of servers that host some samples of both Locky and the new Sage 2.2 variantįigure 3. What’s really interesting is that we confirmed that there are also Locky ransomware files that share the same download servers with Sage.įigure 2. top top-level domain (TLD) name for the domain, and a number for the path. Some of the samples are also delivered through document files with malicious VB Macro downloader code that we believe are also attached to spam emails.īased on the data from the Kadena Threat Intelligence System, it looks like URLs where this new variant of Sage are downloaded use the. KTIS view of attack vector of the new Sage 2.2 variant Using our Kadena Threat Intelligence System, we have identified that this malware is being delivered through spam emails with malicious JavaScript attachments that download this new Sage 2.2 variant.įigure 1. In this article, we will share our findings of these recent updates. However, we just recently found new Sage samples that, while they appear to still be Sage 2.2, now have added tricks focused on anti-analysis and privilege escalation. Since we published our article on Sage 2.0 last February, and the discovery of version 2.2 in March, the FortiGuard Labs team hasn’t seen significant activity with this malware for over six months. The Sage ransomware variant appears to have been out of circulation for a while in the malware scene.