Ransomware Update

23/03/2017 22:25

The SonicWALL Capture ATP Round-up

Each month Just Firewalls takes a look into what has been happening across the SonicWALL network.

SoincWALL has noticed a slow down in the use of Locky ransomware from the end of last year. But as one slows down, another one picks up.


Cerber has been busy this year. So far, SonicWALL is seeing it frequently caught in the sanbox. The rise is Cerber compared to Locky is quite worrying. Last year, Locky was deployed over 500million times so anything that threatens to beat this number is a real issue.

The Cerber ransomeware is a continuosly evoliving threat. Capture ATP has found the threat avoids matching it's own signature by self-mutating. This technique is to avoid matching with the same signature, but unfortunately for Cerber, the three-engine sandbox is too intelligent and has been recentely catching up to two versions of the threat per day.

Brook Chelmo, SonicWALL senior product marketing manager has admitted the threat has previously evadid other sandboxes but for SonicWALL it's no match.


Cerber is a powerful beast and prepared in a very professional manner giving it even more credabilty as one of the most dangerous threat around at this time. The malware is most commonly distributed via exploit kits and has been found being sold to distributors in underground forums.

Once deployed, the ransomware dissappears and runs a renamed, dropped copy to infected its target. Some observed file names are crstub.eve, dinotify.exe, relpost.exe.

These files will be found in the hidden folder %APPDATA%.

 Compared to other more mature ransomeware threats out there, Cerber is one of the more recent threat. Experts have highlighted that while the threat is already pretty powerful, more mutatitions and 'tricks' are expected in the future.




Posted in News By Just Firewalls