The latest versions of Cerber and Locky ransomware have been, since mid-January, finding great success in bypassing existing security detection systems through the use of a common infrastructure that allows the malicious code to bury itself inside NSIS installers, and use several layers of obfuscation and encryption to hide before executing in memory. It’s unknown whether the infrastructure supporting these attacks is being sold on private forums, or whether the malware authors are sharing code. What’s known is the latest versions of these crypto-ransomware families are exhibiting the exact same behavior. NSIS, which is short for Nullsoft Scriptable Install System, is an open source system that’s used to build Windows installers. This is key for the attackers behind these campaigns to hide the ransomware executable from detection systems. Attackers are implementing Process Hollowing each time in a different way to make things more complicated and much harder to trace.