New ransomware variant integrates DDoS attack capabilities
▻https://www.invincea.com/2016/05/two-attacks-for-the-price-of-one-weaponized-document-delivers-ransomware-a
We recently found a ransomware variant that not only holds the victim’s machine and data hostage [by file encryption and screen locking] until a ransom is paid, but also exploits the compromised machine as part of a potential DDoS attack. This means that while the victim is unable to access their endpoint, that same endpoint is being used to deny service to another victim.
The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing that target to become unresponsive.
The ransomware is based on a modified version of the Cerber strain, which executes malicious MS Office VBScript.
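The traffic pattern described above (one source sweeping an entire subnet with UDP datagrams to port 6892, possibly with a spoofed source so that replies reflect onto a third party) is cheap to spot from flow records. The following detector is an added example written for this page, not code from Invincea or from the malware analysis; the flow-record format, the monitored subnet 192.168.10.0/24, the thresholds and all sample records are constructed assumptions. It flags any source that hits many distinct subnet hosts on UDP/6892 inside a short window, and additionally notes when that source address lies outside the local subnet, which on an internal segment is the tell-tale of a spoofed source in a reflection attack.

```python
"""Detect a UDP/6892 subnet sweep over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed monitored subnet
TARGET_PORT = 6892          # port reported for the flood
WINDOW_SECONDS = 10.0       # assumed sliding window
MIN_DISTINCT_DST = 20       # assumed: distinct subnet hosts hit within the window
MIN_PACKETS = 40            # assumed: datagrams within the window


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    # Constructed record format: "<epoch_ts> <src_ip> <dst_ip> <proto> <dst_port>"
    ts, src, dst, proto, dport = line.split()
    return Flow(float(ts), src, dst, proto, int(dport))


def detect_sweeps(flows):
    """Return one alert per source that sweeps the subnet on UDP/TARGET_PORT."""
    per_src = defaultdict(list)
    for f in flows:
        # Only datagrams aimed at the flood port and landing inside the subnet matter.
        if (f.proto == "udp" and f.dport == TARGET_PORT
                and ipaddress.ip_address(f.dst) in LOCAL_NET):
            per_src[f.src].append(f)

    alerts = []
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):
            # Slide the window start forward until it spans at most WINDOW_SECONDS.
            while fl[end].ts - fl[start].ts > WINDOW_SECONDS:
                start += 1
            window = fl[start:end + 1]
            targets = {f.dst for f in window}
            if len(window) >= MIN_PACKETS and len(targets) >= MIN_DISTINCT_DST:
                alerts.append({
                    "src": src,
                    "packets": len(window),
                    "targets": len(targets),
                    "first_ts": fl[start].ts,
                    # An off-subnet source seen on the internal segment suggests
                    # spoofing: the replies would reflect onto that address.
                    "src_off_subnet": ipaddress.ip_address(src) not in LOCAL_NET,
                })
                break  # one alert per source is enough for triage
    return alerts


def build_sample_records():
    """Constructed flow records, not a real capture."""
    lines = []
    # A spoofed off-subnet source sweeping 60 subnet hosts in about six seconds.
    for i in range(1, 61):
        lines.append(f"{1000 + i * 0.1:.1f} 203.0.113.7 192.168.10.{i} udp 6892")
    # Benign chatter on the same port between two local peers.
    for i in range(5):
        lines.append(f"{1000 + i:.1f} 192.168.10.5 192.168.10.9 udp 6892")
    # Ordinary DNS, ignored by the port filter.
    lines.append("1001.0 192.168.10.20 192.168.10.1 udp 53")
    return lines


def run_detection():
    return detect_sweeps(parse_line(line) for line in build_sample_records())


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Tune the window and thresholds to the segment size; on a /24 a legitimate host rarely talks to twenty peers on one obscure UDP port within ten seconds, but a scanner or discovery protocol of your own would need an allow-list. The off-subnet flag is a heuristic, not proof of spoofing: a misrouted or NATed source can trip it, so treat it as a reason to capture the raw packets and check the source MAC against the claimed IP.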