Ransom:Win32/Cerber
First posted on 26 October 2016.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Cerber.
Explanation:
Installation
We have seen this ransomware use the following names for its executable and shortcut files:
- cerber
- encrypted
- a random name with an .exe extension, for example fontdrvhost.exe or wisptis.exe
The random name is taken from a legitimate or "clean" application in the system folder, and the file's timestamp is copied from kernel32.dll in the system folder.
It drops a copy of its executable file into a randomly named folder in %APPDATA%, for example:
- %APPDATA%\{b9624424-31e6-a7fd-21e6-3698086a28f5}\fontdrvhost.exe
The threat creates a shortcut link in the startup folder that points to the malware executable, so it runs each time you start your PC.
The shortcut uses the same name as the executable, for example:
- fontdrvhost.lnk (in the startup folder)
It also modifies the following registry keys so the ransomware runs whenever you start or restart your PC:
- In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: the malware file name, for example "fontdrvhost"
With data: the malware path, for example %APPDATA%\{b9624424-31e6-a7fd-21e6-3698086a28f5}\cerber.exe
- In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: the malware file name, for example "fontdrvhost"
With data: the malware path
- In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "Run"
With data: the malware path
- In subkey: HKCU\Administrator\Software\Microsoft\Command Processor
Sets value: "AutoRun"
With data: the malware path
- In subkey: HKCU\Control Panel\Desktop
Sets value: "Scrnsave.exe"
With data: the malware path
The malware can also inject its code into clean processes, and it might stop or close antimalware software.
Payload
Encrypts your files
This ransomware encrypts files of certain types using both the RC4 and RSA algorithms.
It also deletes shadow or backup copies of files by running the command:
vssadmin.exe delete shadows /all /quiet
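The registry autorun entries, the startup shortcut and the shadow-copy deletion described above are the behaviours a detection would key on. The following Python is an added example, not code from Microsoft's description: it classifies constructed telemetry events (registry set, process start, file create) against those behaviours. The event dictionary layout and the sample events are assumptions made for the example.

```python
import re

# Autorun locations named above: (subkey suffix, expected value name). None means the
# value name is the dropped executable's own base name, for example "fontdrvhost".
AUTORUN_KEYS = [
    (r"\software\microsoft\windows\currentversion\run", None),
    (r"\software\microsoft\windows\currentversion\runonce", None),
    (r"\software\microsoft\windows\currentversion\policies\explorer", "run"),
    (r"\software\microsoft\command processor", "autorun"),
    (r"\control panel\desktop", "scrnsave.exe"),
]
# The dropped copy lives in <profile>\AppData\Roaming\{<GUID>}\<name>.exe (or the %APPDATA% form).
DROP_PATH = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
                       r"\\[^\\]+\.exe$", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)

def classify(event):
    """Return a detection tag for one telemetry event (a dict), or None if nothing matched."""
    if event["type"] == "registry":
        key, value = event["key"].lower(), event["value"].lower()
        for suffix, expected in AUTORUN_KEYS:
            if key.endswith(suffix) and expected in (None, value) and DROP_PATH.search(event["data"]):
                return "cerber_autorun:" + suffix.rsplit("\\", 1)[-1]
    elif event["type"] == "process":
        image, cmd = event["image"].rsplit("\\", 1)[-1].lower(), event["cmdline"].lower()
        if image == "vssadmin.exe" and "delete shadows" in cmd and "/all" in cmd:
            return "shadow_copy_deletion"
    elif event["type"] == "file" and STARTUP_LNK.search(event["path"]):
        return "startup_shortcut"
    return None

def triage(events):
    """Return [(tag, event)] for every event that matches an Installation-section behaviour."""
    return [(classify(e), e) for e in events if classify(e)]

# Constructed sample events modelled on the description above; not real telemetry.
APPDIR = r"C:\Users\alice\AppData\Roaming\{b9624424-31e6-a7fd-21e6-3698086a28f5}"
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "fontdrvhost", "data": APPDIR + r"\cerber.exe"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop", "value": "Scrnsave.exe",
     "data": r"%APPDATA%\{b9624424-31e6-a7fd-21e6-3698086a28f5}\fontdrvhost.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",  # benign autorun
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fontdrvhost.lnk"},
]
```

Calling triage(SAMPLE_EVENTS) flags the two autorun values, the shadow deletion and the startup shortcut, while the benign OneDrive entry and the read-only vssadmin list command are left alone.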
It doesn't encrypt files and folders in the following list:
- :\$recycle.bin\
- :\$windows.~bt\
- :\boot\
- :\documents and settings\all users\
- :\documents and settings\default user\
- :\documents and settings\localservice\
- :\documents and settings\networkservice\
- :\program files (x86)\
- :\program files\
- :\programdata\
- :\recovery\
- :\recycler\
- :\users\all users\
- :\windows.old\
- :\windows\
- \appdata\local\
- \appdata\locallow\
- \appdata\roaming\adobe\flash player\
- \appdata\roaming\apple computer\safari\
- \appdata\roaming\ati\
- \appdata\roaming\google\
- \appdata\roaming\intel corporation\
- \appdata\roaming\intel\
- \appdata\roaming\macromedia\flash player\
- \appdata\roaming\microsoft\internet explorer\
- \appdata\roaming\microsoft\windows\
- \appdata\roaming\mozilla\
- \appdata\roaming\nvidia\
- \appdata\roaming\opera software\
- \appdata\roaming\opera\
- \application data\microsoft\
- \local settings\
- \public\music\sample music\
- \public\pictures\sample pictures\
- \public\videos\sample videos\
- \tor browser\ (the folder you chose when installing the Tor browser)
- bootsect.bak
- iconcache.db
- ntuser.dat
- thumbs.db
Files in all other folders on fixed, removable, and RAM disks will be encrypted if they are larger than 1 KB and have one of the following extensions:
- .1cd
- .3dm
- .3ds
- .3fr
- .3g2
- .3gp
- .3pr
- .7z
- .7zip
- .aac
- .ab4
- .abd
- .acc
- .accdb
- .accde
- .accdr
- .accdt
- .ach
- .acr
- .act
- .adb
- .adp
- .ads
- .agdl
- .ai
- .aiff
- .ait
- .al
- .aoi
- .apj
- .apk
- .arw
- .ascx
- .asf
- .asm
- .asp
- .aspx
- .asset
- .asx
- .atb
- .avi
- .awg
- .back
- .backup
- .backupdb
- .bak
- .bank
- .bay
- .bdb
- .bgt
- .bik
- .bin
- .bkp
- .blend
- .bmp
- .bpw
- .bsa
- .c
- .cash
- .cdb
- .cdf
- .cdr
- .cdr3
- .cdr4
- .cdr5
- .cdr6
- .cdrw
- .cdx
- .ce1
- .ce2
- .cer
- .cfg
- .cfn
- .cgm
- .cib
- .class
- .cls
- .cmt
- .config
- .contact
- .cpi
- .cpp
- .cr2
- .craw
- .crt
- .crw
- .cry
- .cs
- .csh
- .csl
- .css
- .csv
- .d3dbsp
- .dac
- .das
- .dat
- .db
- .db_journal
- .db3
- .dbf
- .dbx
- .dc2
- .dcr
- .dcs
- .ddd
- .ddoc
- .ddrw
- .dds
- .def
- .der
- .des
- .design
- .dgc
- .dgn
- .dit
- .djvu
- .dng
- .doc
- .docm
- .docx
- .dot
- .dotm
- .dotx
- .drf
- .drw
- .dtd
- .dwg
- .dxb
- .dxf
- .dxg
- .edb
- .eml
- .eps
- .erbsql
- .erf
- .exf
- .fdb
- .ffd
- .fff
- .fh
- .fhd
- .fla
- .flac
- .flb
- .flf
- .flv
- .flvv
- .forge
- .fpx
- .fxg
- .gbr
- .gho
- .gif
- .gray
- .grey
- .groups
- .gry
- .h
- .hbk
- .hdd
- .hpp
- .html
- .ibank
- .ibd
- .ibz
- .idx
- .iif
- .iiq
- .incpas
- .indd
- .info
- .info_
- .iwi
- .jar
- .java
- .jnt
- .jpe
- .jpeg
- .jpg
- .js
- .json
- .k2p
- .kc2
- .kdbx
- .kdc
- .key
- .kpdx
- .kwm
- .laccdb
- .lbf
- .lck
- .ldf
- .lit
- .litemod
- .litesql
- .lock
- .ltx
- .lua
- .m
- .m2ts
- .m3u
- .m4a
- .m4p
- .m4v
- .ma
- .mab
- .mapimail
- .max
- .mbx
- .md
- .mdb
- .mdc
- .mdf
- .mef
- .mfw
- .mid
- .mkv
- .mlb
- .mmw
- .mny
- .money
- .moneywell
- .mos
- .mov
- .mp3
- .mp4
- .mpeg
- .mpg
- .mrw
- .msf
- .msg
- .myd
- .nd
- .ndd
- .ndf
- .nef
- .nk2
- .nop
- .nrw
- .ns2
- .ns3
- .ns4
- .nsd
- .nsf
- .nsg
- .nsh
- .nvram
- .nwb
- .nx2
- .nxl
- .nyf
- .oab
- .obj
- .odb
- .odc
- .odf
- .odg
- .odm
- .odp
- .ods
- .odt
- .ogg
- .oil
- .omg
- .one
- .orf
- .ost
- .otg
- .oth
- .otp
- .ots
- .ott
- .p12
- .p7b
- .p7c
- .pab
- .pages
- .pas
- .pat
- .pbf
- .pcd
- .pct
- .pdb
- .pdd
- .pef
- .pem
- .pfx
- .php
- .pif
- .pl
- .plc
- .plus_muhd
- .pm
- .pm!
- .pmi
- .pmj
- .pml
- .pmm
- .pmo
- .pmr
- .pnc
- .pnd
- .png
- .pnx
- .pot
- .potm
- .potx
- .ppam
- .pps
- .ppsm
- .ppsx
- .ppt
- .pptm
- .pptx
- .prf
- .private
- .ps
- .psafe3
- .psd
- .pspimage
- .pst
- .ptx
- .pub
- .pwm
- .py
- .qba
- .qbb
- .qbm
- .qbr
- .qbw
- .qbx
- .qby
- .qcow
- .qcow2
- .qed
- .qtb
- .r3d
- .raf
- .rar
- .rat
- .raw
- .rdb
- .re4
- .rm
- .rtf
- .rvt
- .rw2
- .rwl
- .rwz
- .s3db
- .safe
- .sas7bdat
- .sav
- .save
- .say
- .sd0
- .sda
- .sdb
- .sdf
- .sh
- .sldm
- .sldx
- .slm
- .sql
- .sqlite
- .sqlite3
- .sqlitedb
- .sqlite-shm
- .sqlite-wal
- .sr2
- .srb
- .srf
- .srs
- .srt
- .srw
- .st4
- .st5
- .st6
- .st7
- .st8
- .stc
- .std
- .sti
- .stl
- .stm
- .stw
- .stx
- .svg
- .swf
- .sxc
- .sxd
- .sxg
- .sxi
- .sxm
- .sxw
- .tax
- .tbb
- .tbk
- .tbn
- .tex
- .tga
- .thm
- .tif
- .tiff
- .tlg
- .tlx
- .txt
- .upk
- .usr
- .vbox
- .vdi
- .vhd
- .vhdx
- .vmdk
- .vmsd
- .vmx
- .vmxf
- .vob
- .vpd
- .vsd
- .wab
- .wad
- .wallet
- .war
- .wav
- .wb2
- .wma
- .wmf
- .wmv
- .wpd
- .wps
- .x11
- .x3f
- .xis
- .xla
- .xlam
- .xlk
- .xlm
- .xlr
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xltx
- .xlw
- .xml
- .xps
- .xxx
- .ycbcra
- .yuv
- .zip
The threat will not infect files on machines that have one of the following default system languages:
- LANG_RUSSIAN
- LANG_UKRAINIAN
- LANG_BELARUSIAN
- LANG_TAJIK
- LANG_ARMENIAN
- SUBLANG_AZERI_LATIN
- LANG_GEORGIAN
- LANG_KAZAK
- LANG_KYRGYZ
- LANG_TURKMEN
- SUBLANG_UZBEK_LATIN
- LANG_TATAR (Russia)
- LANG_AZERI (Azerbaijan, Cyrillic)
- LANG_UZBEK (Uzbekistan, Cyrillic)
After the files are encrypted, the ransomware renames the files to 10 random characters and replaces the file extension with cerber, cerber2, or cerber3, for example:
- file.png is renamed to [5kdAaBbL3d].cerber
It creates the following files in each folder where it has encrypted files:
- # DECRYPT MY FILES #.HTML
- # DECRYPT MY FILES #.VBS
- # DECRYPT MY FILES #.TXT
The format of the file name for these files may change. We have also noticed the format # HELP DECRYPT #, and the use of a .url file instead of a .vbs file.
If present, the .vbs file is run by the threat. It is a VBScript that calls the Windows text-to-speech API (SpVoice) to read the following text aloud:
- Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!
The script contains the following code:
If the API cannot call text-to-speech software, you might see the following pop-up with error code 0x8004503A.
The ransomware shows a ransom note as an HTML page in your web browser similar to the following:
The threat can also open the plain text file (# DECRYPT MY FILES #.TXT) with the same information, as follows:
Both notes explain that your documents, photos, and other files have been encrypted.
The plain text file and HTML page instruct you to download the Tor browser and give you a link you must open in the Tor browser.
The site you are directed to asks you to choose your language and provides a list of images of flags and languages to choose from.
You will also be asked to enter a CAPTCHA verification code to proceed on the website:
The site then shows a page that explains how to recover your files. You are told you must pay a ransom in Bitcoins to a specified Bitcoin address. The page includes instructions on how to buy Bitcoins and how to transfer them to the address.
Connects to a remote host
We have seen this malware connect to a remote host. It reports encryption status information, including the following data:
- Operating system
- Whether the processor is 64-bit
- Whether the user has administrator privileges
- Number of files encrypted
- Reason why the encryption was stopped (for example, the machine's language was in the list of languages that are not encrypted)
It might use Tor, or a server such as the following:
- 87.98. .0/19 using port 6891
- 31.184. .0/23 using port 6892
Some information was gathered from analysis of the following files (SHA1s):
- 193f407a2f0c7e1eaa65c54cd9115c418881de42
- C60AB834453E6C1865EA2A06E4C19EA83982C1F9
- E9508FA87D78BC01A92E4FDBCD3D14B2836BC0E2
- 40cbc4a9481b946cc821d4f7543519e2507a052b
Cerber ransomware behavior updates as of October 3, 2016
The new Cerber variant ships with different behavior configuration data.
It generates the encrypted file name and extension using the pseudo-random format "[0-9a-zA-Z_-]{10}.{4}", for example azt2geee7i.9797.
The configuration consists mostly of the following list of database-related processes that Cerber terminates so that it can encrypt their files:
- msftesql.exe
- sqlagent.exe
- sqlbrowser.exe
- sqlservr.exe
- sqlwriter.exe
- oracle.exe
- ocssd.exe
- dbsnmp.exe
- synctime.exe
- mydesktopqos.exe
- agntsvc.exeisqlplussvc.exe
- xfssvccon.exe
- mydesktopservice.exe
- ocautoupds.exe
- agntsvc.exeagntsvc.exe
- agntsvc.exeencsvc.exe
- firefoxconfig.exe
- tbirdconfig.exe
- ocomm.exe
- mysqld.exe
- mysqld-nt.exe
- mysqld-opt.exe
- dbeng50.exe
- sqbcoreservice.exe
The decryption instruction comes as a readme.hta file (see screenshots below), which asks for a payment of 0.8595 Bitcoins ($524). The amount increases to 1.79 Bitcoins ($1049) after five days.
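The renaming described earlier (10 random characters plus .cerber, .cerber2 or .cerber3, with # DECRYPT MY FILES # notes) and the October 2016 form above (the [0-9a-zA-Z_-]{10}.{4} name plus readme.hta) both leave a recognisable footprint on disk. The following Python is an added example, not code from Microsoft's description: it classifies file names by those formats and reports only folders that hold both a ransom note and encrypted-looking files, because the 10+4 shape alone also matches ordinary names. The directory listing is constructed.

```python
import re
from collections import Counter

# File-name shapes described on this page. The 10+4 form is loose on its own (any
# 10-character base name with a 4-character extension matches), so folders are only
# reported when a ransom note is present alongside encrypted-looking names.
OLD_ENCRYPTED = re.compile(r"^[0-9a-zA-Z_-]{10}\.cerber[23]?$")   # e.g. 5kdAaBbL3d.cerber
NEW_ENCRYPTED = re.compile(r"^[0-9a-zA-Z_-]{10}\..{4}$")          # e.g. azt2geee7i.9797
RANSOM_NOTE = re.compile(r"^(?:# (?:decrypt my files|help decrypt) #\.(?:html|vbs|txt|url)|readme\.hta)$",
                         re.IGNORECASE)

def classify_name(name):
    """Return 'note', 'cerber_v1' (.cerber/.cerber2/.cerber3), 'cerber_v2' (10+4 form) or None."""
    if RANSOM_NOTE.match(name):
        return "note"
    if OLD_ENCRYPTED.match(name):
        return "cerber_v1"
    if NEW_ENCRYPTED.match(name):
        return "cerber_v2"
    return None

def triage_listing(paths):
    """Group full Windows paths by folder; return {folder: {"notes": [...], "encrypted": n,
    "variants": Counter}} for folders holding both a ransom note and encrypted-looking files."""
    by_folder = {}
    for path in paths:
        folder, _, name = path.rpartition("\\")
        entry = by_folder.setdefault(folder, {"notes": [], "encrypted": 0, "variants": Counter()})
        kind = classify_name(name)
        if kind == "note":
            entry["notes"].append(name)
        elif kind:
            entry["encrypted"] += 1
            entry["variants"][kind] += 1
    return {f: e for f, e in by_folder.items() if e["notes"] and e["encrypted"]}

# Constructed directory listing for illustration; not taken from a real infection.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\5kdAaBbL3d.cerber",
    r"C:\Users\alice\Documents\Qz9_xY-12a.cerber3",
    r"C:\Users\alice\Documents\# DECRYPT MY FILES #.HTML",
    r"C:\Users\alice\Documents\# DECRYPT MY FILES #.TXT",
    r"C:\Users\alice\Documents\# DECRYPT MY FILES #.VBS",
    r"C:\Users\alice\Pictures\azt2geee7i.9797",
    r"C:\Users\alice\Pictures\b7Kq2mZ_9w.a1b2",
    r"C:\Users\alice\Pictures\README.hta",
    r"C:\Users\alice\Music\track01234.flac",   # 10+4 shape but no note: not reported
    r"C:\Windows\System32\kernel32.dll",
]
```

The "variants" counter tells an incident responder whether a folder shows the original .cerber naming or the October 2016 10+4 naming, which in turn indicates which note format to look for.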
Analysis by Carmen Liang and Rodel Finones
Last update 26 October 2016