
Cerber Ransomware

“Cerber” is widely believed to have been developed by Russian coders and is the latest in a rash of ransomware families spotted by SlashNext Labs. It is sold on Russian-language hacking forums and marketed by its developers as Ransomware-as-a-Service (RaaS): the developers take a commission on each ransom payment the malware generates.

When Cerber runs for the first time, it looks up the machine’s location with a request to “ipinfo.io/json”. Because ipinfo.io geolocates the public IP address, this depends on where the machine’s traffic exits to the Internet, not on the system locale. If the response places the machine in one of the former Soviet countries on Cerber’s exclusion list, the malware exits without encrypting anything. Otherwise it encrypts more than 350 file types with 256-bit AES and renames each encrypted file with a .cerber extension. By sparing victims in the former Soviet region the developers appear to be avoiding attention from local law enforcement agencies.

If the machine is outside Cerber’s list of former Soviet countries, the malware copies itself into %APPDATA% under a random executable name such as “sdbinst.exe” or “eiujcu.exe”. Note that some of these names collide with legitimate Windows binaries (sdbinst.exe is the built-in application compatibility database installer), so the file name alone is not a reliable indicator; the location under %APPDATA% is.
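The geolocation gate is the first thing an analyst can exercise. The code below is an added example, not SlashNext’s or Cerber’s own code: it parses an ipinfo.io/json answer the way the check described above must, decides whether the sample would take the abort branch, and produces the body a local stand-in for ipinfo.io could serve to push a sample into that branch in a sandbox. The country list is an assumption (the page says only “former Soviet countries”; the CIS states are used here), and the sample responses are constructed.

```python
import json

# Assumption (the page says only "former Soviet countries"): the CIS member
# and former-member states, as ISO 3166-1 alpha-2 codes. Replace with the
# list recovered from the sample you are analysing.
CERBER_ABORT_COUNTRIES = frozenset({
    "AM", "AZ", "BY", "GE", "KG", "KZ", "MD", "RU", "TJ", "TM", "UA", "UZ",
})

# Constructed sample answers in the shape ipinfo.io/json returns; the IPs are
# documentation ranges, not real lookups.
SAMPLE_RESPONSES = {
    "moscow": '{"ip": "203.0.113.5", "city": "Moscow", "country": "RU"}',
    "seattle": '{"ip": "198.51.100.7", "city": "Seattle", "country": "US"}',
    "broken": '<html>503 Service Unavailable</html>',
}


def country_from_ipinfo(body: str):
    """Extract the two-letter country code from an ipinfo.io/json body,
    or None if the body is not the JSON object the lookup expects."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    country = doc.get("country")
    if not isinstance(country, str) or len(country.strip()) != 2:
        return None
    return country.strip().upper()


def cerber_would_abort(body: str) -> bool:
    """True when the geolocation answer places the host on the exclusion list.
    An unusable answer yields False: the page describes the abort branch only
    for a positive match and does not say what the real sample does when the
    lookup fails, so treat a blocked lookup as 'unknown', not 'safe', when you
    build a sandbox around this check."""
    country = country_from_ipinfo(body)
    return country is not None and country in CERBER_ABORT_COUNTRIES


def vaccine_response(country: str = "RU") -> str:
    """Body a local stand-in for ipinfo.io (for example reached through a
    hosts-file entry pointing ipinfo.io at 127.0.0.1) could serve to push the
    sample into the abort branch. Assumes the sample trusts the answer."""
    return json.dumps({"ip": "127.0.0.1", "country": country})
```

Two practical consequences follow from the check: an outbound HTTP request to ipinfo.io/json from a freshly launched executable under %APPDATA% is a useful pivot in proxy or DNS logs, and a sandbox that blocks all egress may never reach the encryption stage at all, so analysis environments should answer the lookup rather than drop it.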

[Image: Cerber dropped in %APPDATA% under a random executable name]

Before encrypting files, Cerber displays a fake system error message that forces the PC to reboot.

[Image: fake error message shown before the forced reboot]

Before the reboot, Cerber edits the Boot Configuration Data so that the PC comes back up in Safe Mode with Networking:

“C:\Windows\System32\bcdedit.exe” /set {current} safeboot network

Once the machine is back up, the encryption process begins.
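The bcdedit call above is both a detection opportunity and a remediation item. The following added example (not SlashNext’s code) shows a command-line rule that matches the invocation in process-creation telemetry, a parser for the output of `bcdedit /enum {current}` that tells you whether the safeboot flag is still set, and the bcdedit call that clears it. The boot-loader listings are constructed samples; real output has more entries.

```python
import re

# Matches process command lines that set the BCD safeboot value, as seen in
# process-creation telemetry (Sysmon event 1, EDR command-line fields).
SAFEBOOT_SET_RE = re.compile(
    r'bcdedit(?:\.exe)?"?\s+.*?/set\s+(?:\{[^}]+\}\s+)?safeboot\s+'
    r'(minimal|network|dsrepair)',
    re.IGNORECASE,
)

# Constructed samples of `bcdedit /enum {current}` output, before and after
# Cerber's change; real output carries more entries than shown here.
SAMPLE_BCD_CLEAN = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \\Windows
"""
SAMPLE_BCD_TAMPERED = SAMPLE_BCD_CLEAN + "safeboot                Network\n"

# One "name<at least two spaces>value" field per line.
FIELD_RE = re.compile(r"^([A-Za-z]+)\s{2,}(\S.*)$")


def parse_bcd_entry(text: str) -> dict:
    """Turn one boot-loader entry from bcdedit's enum output into a dict.
    Section titles and dashed separators have single spaces or no value
    column, so they do not match FIELD_RE and are skipped."""
    entry = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            entry[m.group(1).lower()] = m.group(2).strip()
    return entry


def safeboot_mode(text: str):
    """Lowercased safeboot value ('minimal', 'network', 'dsrepair') or None."""
    value = parse_bcd_entry(text).get("safeboot")
    return value.lower() if value else None


def is_safeboot_tamper(cmdline: str) -> bool:
    """Detection rule for the bcdedit invocation the page reproduces."""
    return SAFEBOOT_SET_RE.search(cmdline) is not None


def revert_command(identifier: str = "{current}") -> str:
    """The bcdedit call that clears the flag so the next boot is normal."""
    return f"bcdedit /deletevalue {identifier} safeboot"
```

Ordinary users have no reason to run bcdedit at all, so the command-line rule can be tuned to alert on any `bcdedit /set` outside of change windows rather than only on the safeboot value. During recovery, check `safeboot_mode` on the live output before rebooting a cleaned machine, or it will come back up in Safe Mode again.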

The encryption routine walks the file system looking for files with the targeted extensions and encrypts each one with 256-bit AES. Each encrypted file is then renamed to carry the “.cerber” extension.

Once encryption is finished, Cerber drops copies of its ransom note across the file system in three formats:

#DECRYPT MY FILES #.html

#DECRYPT MY FILES #.txt

#DECRYPT MY FILES #.vbs

The .vbs variant is especially notable: the script uses the built-in Windows text-to-speech engine to read the ransom note aloud to the victim, a scare tactic rather than a technical necessity.
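The indicators above (the .cerber extension, the three note formats, and a .vbs that speaks) are enough for a first-pass triage of a suspect machine or share. The script below is an added example, not part of the SlashNext write-up: it walks a directory tree, counts encrypted files and note locations, flags .vbs notes that invoke text-to-speech, and uses byte entropy to separate files that were actually encrypted from files that were merely renamed. The sample tree it builds is constructed for the demonstration, and the assumption that the note drives TTS through the SAPI.SpVoice COM object is marked in the code (the page says only that the default Windows TTS engine is used).

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".cerber"
# Tolerates the note name with or without the space after the leading '#'.
NOTE_RE = re.compile(r"^# ?DECRYPT MY FILES ?#\.(txt|html|vbs)$", re.IGNORECASE)
# Assumption: the .vbs note drives text-to-speech through the SAPI.SpVoice COM
# object; the page says only that it uses the default Windows TTS engine.
TTS_MARKER = b"SAPI.SpVoice"
# Ciphertext looks uniformly random (close to 8 bits per byte); plain files
# rarely exceed about 6, so a renamed-but-unencrypted file falls below this.
ENTROPY_FLOOR = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: Path) -> dict:
    """Walk `root` and summarise the Cerber indicators the page describes:
    .cerber files, the three note formats, and notes that would speak."""
    encrypted, notes, speaking, low_entropy = [], [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path)
            if shannon_entropy(path.read_bytes()[:65536]) < ENTROPY_FLOOR:
                low_entropy.append(path)
        elif NOTE_RE.match(path.name):
            notes.append(path)
            if path.suffix.lower() == ".vbs" and TTS_MARKER in path.read_bytes():
                speaking.append(path)
    rel = lambda p: p.relative_to(root).as_posix()
    return {
        "infected": bool(encrypted or notes),
        "encrypted_count": len(encrypted),
        "note_dirs": sorted({rel(p.parent) for p in notes}),
        "speaking_notes": len(speaking),
        "renamed_not_encrypted": sorted(rel(p) for p in low_entropy),
    }


def build_sample_tree(root: Path) -> Path:
    """Constructed stand-in for a hit machine, not data from a real case: two
    'encrypted' files of random bytes, one .cerber file that is only renamed,
    an untouched file, and the three note formats with placeholder text."""
    docs = root / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "budget.xlsx.cerber").write_bytes(os.urandom(8192))
    (docs / "thesis.docx.cerber").write_bytes(os.urandom(8192))
    (docs / "todo.txt.cerber").write_text("renamed but still readable\n" * 40)
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(64))
    (docs / "# DECRYPT MY FILES #.txt").write_text("placeholder note\n")
    (docs / "# DECRYPT MY FILES #.html").write_text("<p>placeholder note</p>\n")
    (docs / "# DECRYPT MY FILES #.vbs").write_text(
        'Set voice = CreateObject("SAPI.SpVoice")\nvoice.Speak "placeholder"\n'
    )
    return root


def demo() -> dict:
    """Run the triage over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

The entropy check matters in practice: an extension rename is cheap to fake and cheap to undo, whereas a file whose bytes are near 8 bits per byte will not come back without the key. Run `triage` against a mounted image or a network share root, and use `note_dirs` to reconstruct which directories the encryption loop actually reached.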

The ransom instructions look like this:

[Image: Cerber ransom instructions with the Tor link]

Opening the link from the note in the Tor Browser leads to a page that lets the victim choose a language.

[Image: language selection page on the Tor payment site]

Choosing a language requires solving a CAPTCHA, after which the site displays the ransom amount, payment instructions and directions for downloading the CerberDecryptor tool. The site states that the ransom doubles if it is not paid within seven days.

[Image: ransom payment page with amount, deadline and decryptor instructions]

Once the payment is confirmed, the site provides a unique download link for the decryptor tool.

As of this writing (20-Mar-2016) bitcoin is trading at US$410.19, so the attackers are asking for approximately US$508 in ransom. The amount is chosen to maximize profit: the attackers are betting that, for a business, paying roughly US$508 to get important data back is cheaper than recreating it.

A previous blog post provides several best practices to help minimize the impact of ransomware in your organization.