Cerber

Cerber targets Windows OS and is distributed via malvertising delivered by the Nuclear Exploit Kit. Some reports suggest that it is also being sold in the Russian underground market as “Ransomware-as-a-Service” (RaaS). When the infection first runs, Cerber determines the location of the victim. If the victim resides outside the list of “protected” countries, Cerber installs itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ folder and names itself after a random Windows executable. Afterwards, it configures Windows to automatically boot in Safe Mode with Networking at the next restart. Cerber scans all files on the victim’s drives and looks for specific file extensions. It encrypts the matching files and file names using AES-256 and then changes the file extension to .cerber. Finally, Cerber creates ransom notes named #DECRYPTMYFILES#.html, #DECRYPTMYFILES#.txt, and #DECRYPTMYFILES#.vbs, the last of which contains a VBScript that causes the infected computer to speak to the victim. Researchers have recently discovered that Cerber is leveraging the same spam distributor responsible for spreading the Dridex financial Trojan.

UPDATE 7/15/2016: In addition to recently incorporating DDoS attacks and using malicious Windows Script Files in its attacks, Cerber is now targeting Office 365 users through emailed documents containing malicious macros. Since Microsoft disables macros by default, the attackers behind Cerber rely on social engineering tactics to trick users into manually enabling the malicious macros and launching the malware.

UPDATE 8/4/2016: A new version of Cerber appends .cerber2 to encrypted files, displays a new ransom note, and removes a flaw that allowed Trend Micro’s decryption tool to decrypt files, rendering it useless for this version.

UPDATE 8/31/2016: A new version of Cerber appends .cerber3 to encrypted files.

UPDATE 10/4/2016: A new version of Cerber appends a random four character extension to encrypted files.

UPDATE 11/1/2016: Cerber 4.1.0 and 4.1.1 were spotted in the wild. These new versions display the version number in the ransom note. Both append the fourth segment of the infected system’s MachineGuid (from the HKLM\Software\Microsoft\Cryptography registry key) to the names of encrypted files.

UPDATE 11/7/2016: Cerber 4.1.4 is currently active and being distributed via Word documents embedded with malicious macros. These malicious documents are delivered within ZIP files attached to phishing emails using subject lines such as RE: Invoice 257224.

UPDATE 11/24/2016: Cerber 5.0 and 5.0.1 have been discovered and are distributed via the RIG-v exploit kit. One main change researchers noted is that these versions of Cerber will not encrypt any file that is below 2,560 bytes in size.

UPDATE 12/9/2016: A new version of Cerber has been spotted with red text highlighting on the ransom note and a modified filename for encrypted files.

UPDATE 12/22/2016: A new version does not delete Shadow Volume Copies and prioritizes folders containing Microsoft Office documents and Bitcoin data during its encryption process.

UPDATE 1/13/2017: A new Cerber campaign is infecting victims by leveraging the RIG EK to exploit vulnerabilities in outdated versions of Flash Player, Silverlight, Internet Explorer, and Edge.

UPDATE 2/8/2017: A new Cerber campaign is offered in a RaaS model and distributed via the Nemucod Trojan.

UPDATE 2/14/2017: A new version of Cerber searches infected systems for firewalls, antispyware, and antivirus software, and adds them to the list of whitelisted files that are not encrypted.

UPDATE 3/9/2017: A new variant keeps the original filename intact but appends a random extension and drops ransom notes named _HELP_HELP_HELP_{RANDOM CHARACTERS}_. The ransom payment amount is 1 Bitcoin.
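The file-system artifacts listed in the profile above (the #DECRYPTMYFILES# and _HELP_HELP_HELP_ ransom notes, the .cerber/.cerber2/.cerber3 extensions, and the 4.1.x extension taken from the fourth MachineGuid segment) can be turned into a simple triage scan. The Python script below is an added example, not code from the original profile or from any of the vendors it cites; the directory layout, file names and MachineGuid it uses are constructed for the demonstration, and the artifact list is only what this page states, not an exhaustive indicator set.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Ransom-note file names described on this page (constructed from the text).
RANSOM_NOTE_PATTERNS = [
    re.compile(r"^#DECRYPTMYFILES#\.(html|txt|vbs)$", re.IGNORECASE),
    # Note name is _HELP_HELP_HELP_{RANDOM CHARACTERS}_; the extension is not
    # given on the page, so any (or no) extension is accepted here.
    re.compile(r"^_HELP_HELP_HELP_[A-Za-z0-9]+_(\.\w+)?$", re.IGNORECASE),
]

# Fixed extensions appended by the early variants.
KNOWN_EXTENSIONS = {".cerber", ".cerber2", ".cerber3"}

# A bare four-character extension is far too common (.docx, .html, ...) to be
# useful on its own, so the scan only flags it when it equals the fourth segment
# of the host's MachineGuid, as the 4.1.x variants do.
FOUR_CHAR_EXT = re.compile(r"^\.[A-Za-z0-9]{4}$")


def machineguid_fourth_segment(machine_guid: str) -> str:
    """Return the fourth dash-separated segment of a MachineGuid, lower-cased."""
    parts = machine_guid.strip("{}").split("-")
    if len(parts) != 5:
        raise ValueError("MachineGuid must have five dash-separated segments")
    return parts[3].lower()


def classify(path: Path, guid_segment: Optional[str]) -> Optional[str]:
    """Map one file name to an artifact class, or None if nothing matches."""
    name = path.name
    for pattern in RANSOM_NOTE_PATTERNS:
        if pattern.match(name):
            return "ransom_note"
    ext = path.suffix
    if ext.lower() in KNOWN_EXTENSIONS:
        return "known_extension"
    if guid_segment and FOUR_CHAR_EXT.match(ext) and ext[1:].lower() == guid_segment:
        return "guid_extension"
    return None


def scan_tree(root, machine_guid: Optional[str] = None) -> Dict[str, List[str]]:
    """Walk a directory tree and group matching files by artifact class."""
    root = Path(root)
    guid_segment = machineguid_fourth_segment(machine_guid) if machine_guid else None
    hits: Dict[str, List[str]] = {"ransom_note": [], "known_extension": [], "guid_extension": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            kind = classify(p, guid_segment)
            if kind:
                hits[kind].append(str(p.relative_to(root)))
    return hits


def build_sample_tree() -> Path:
    """Create a constructed directory mixing benign files with Cerber-like artifacts."""
    root = Path(tempfile.mkdtemp(prefix="cerber_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    sample_names = [
        "report.docx", "budget.xlsx", "readme.html",          # benign
        "#DECRYPTMYFILES#.html", "#DECRYPTMYFILES#.txt",       # ransom notes
        "#DECRYPTMYFILES#.vbs", "_HELP_HELP_HELP_aB3xQ_.txt",
        "photo.cerber", "notes.cerber2",                       # early-variant extensions
        "Ab12Cd34.b7f3",                                       # 4.1.x-style extension
    ]
    for name in sample_names:
        (docs / name).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    # Constructed MachineGuid whose fourth segment is "b7f3".
    demo_guid = "{C1F6C11E-7E2B-4A7A-B7F3-0123456789AB}"
    sample_root = build_sample_tree()
    try:
        for kind, paths in scan_tree(sample_root, demo_guid).items():
            print(f"{kind}: {paths}")
    finally:
        shutil.rmtree(sample_root)
```

On a real host the MachineGuid would be read from the registry key named above rather than hard-coded, and the scan would be pointed at user profile directories; the ransom-note names are the most reliable of these signals, since the encrypted-file extensions changed with almost every version listed on this page.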

  • Bleeping Computer provides more information about Cerber, found here.
  • FireEye provides more information about the partnership between Cerber and the Dridex spam distributor here.
  • Trend Micro provides a free decryption tool for the first Cerber variant, available here.
  • Check Point provides a free decryption tool for both the Cerber and Cerber2 variants, available here. Additional information about this tool is available from Bleeping Computer here.