The crypto ransomware epidemic keeps taking individuals’ and organizations’ files hostage in pursuit of illegal profit. The mature strain called Cerber currently occupies one of the dominant positions in the online extortion economy thanks to an encryption scheme that has so far resisted key recovery and to well-orchestrated distribution campaigns.
This prolific malware lineage has recently spawned a new, more aggressive specimen. The latest spinoff has been making headlines on security resources for a reason: it introduces a new way of communicating with victims and terminates several critical processes before data encryption begins. That said, the offending program takes after its predecessors in many ways, including the details of its cryptographic implementation and a shared Command and Control (C2) infrastructure.
Rather than scatter HTML and TXT editions of the ransom note across the infected computer, the updated strain creates a single file called Readme.hta to instruct the victim. Although the wording in this HTML Application is almost identical to what its more primitive predecessors displayed, it adds a degree of customizability through a language selection feature. One caveat for responders: an .hta file is run by mshta.exe with the full privileges of the user who opens it, so it should be handled as an executable rather than a document when collecting it as evidence.
This iteration of Cerber stealthily scans the infected computer for personal files and running processes. During this scan it examines local and removable drives as well as network shares, building the list of entries that will be encrypted at the next stage of the compromise. A notable addition is the ‘close_process’ routine, which terminates a predefined list of executables including synctime.exe, dbsnmp.exe, and sqlagent.exe. The reason is practical: a running database or synchronization service keeps its data files open with exclusive locks, so those files could not be overwritten and would otherwise survive the encryption pass. Killing the process releases the locks and exposes the data.
Cerber uses the Advanced Encryption Standard (AES) to lock the files found during its covert scan. AES is a symmetric algorithm: the same secret key is used for encryption and decryption, so whoever holds that key can restore the data. In some ransomware incidents researchers have recovered AES keys from the infected machine because the malware generated or stored them locally, but that does not apply to Cerber. The infection contacts its C2 server, requests a unique key, encrypts the data and leaves no copy of the key behind. Once the malware process has exited, nothing on the victim's system can recover the files; the only conceivable window is the memory of a sample that is still running, and even that is not guaranteed.
Aside from the encryption proper, an unwelcome side effect of this attack is that files become unrecognizable. The new variant appends a random four-character extension to every locked entry and replaces the original filename with a random string of 10 alphanumeric characters (letters of both cases and digits, not hexadecimal), so a regular document ends up as something like w8x8M5yNqL.a4x3. With the original names gone, a victim cannot even tell which encrypted file corresponds to which document.
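The two behaviours described above, the termination of database and sync processes and the rename of every file to a 10-character name with a four-character extension, are the most detection-friendly parts of this variant, and each on its own is noisy (an administrator stopping SQL Server Agent is routine). The following is an added example, not Cerber's code and not from the original article: a small Python detector that scores each acting process on both signals over a process and file event stream. The event field names (ts, pid, image, type, target), the thresholds and the sample events are assumptions constructed for the demo.

```python
import re
from collections import defaultdict

# Processes the article says this variant terminates before it encrypts.
# A running database or sync service keeps its files open with exclusive
# locks; killing it releases them so the files can be overwritten.
TARGETED_PROCESSES = {"synctime.exe", "dbsnmp.exe", "sqlagent.exe"}

# Renamed files: 10 alphanumeric characters, a dot, a 4-character
# extension, as in the article's example w8x8M5yNqL.a4x3.
CERBER_NAME = re.compile(r"^[A-Za-z0-9]{10}\.[A-Za-z0-9]{4}$")

# Demo thresholds (assumptions, tune per environment): this many
# pattern-matching renames by one process inside the window is a burst.
RENAME_BURST = 5
WINDOW_SECONDS = 60


def is_cerber_name(filename):
    """True when a bare filename matches the renamed-file pattern."""
    return CERBER_NAME.match(filename) is not None


def max_in_window(timestamps, window):
    """Largest number of sorted timestamps inside any sliding window."""
    best = 0
    j = 0
    for i, t in enumerate(timestamps):
        while timestamps[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyse(events):
    """Score each acting process on the two signals; return findings.

    An event is a dict: ts (seconds), pid, image, type ('terminate' or
    'rename'), target (killed image name or new file path). The field
    names are an assumption about a generic EDR-style export.
    """
    kills = defaultdict(set)       # (pid, image) -> targeted images killed
    renames = defaultdict(list)    # (pid, image) -> rename timestamps
    for ev in events:
        key = (ev["pid"], ev["image"])
        if ev["type"] == "terminate":
            victim = ev["target"].lower()
            if victim in TARGETED_PROCESSES:
                kills[key].add(victim)
        elif ev["type"] == "rename":
            if is_cerber_name(ev["target"].rsplit("\\", 1)[-1]):
                renames[key].append(ev["ts"])

    findings = []
    for key in set(kills) | set(renames):
        reasons = []
        if kills.get(key):
            reasons.append("terminated " + ", ".join(sorted(kills[key])))
        burst = max_in_window(sorted(renames.get(key, [])), WINDOW_SECONDS)
        if burst >= RENAME_BURST:
            reasons.append(f"{burst} pattern renames within {WINDOW_SECONDS}s")
        if reasons:
            findings.append({"pid": key[0], "image": key[1],
                             "score": len(reasons), "reasons": reasons})
    # Both signals from one process is the Cerber-like case; rank it first.
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample stream: a dropper in Temp kills the database
# services and then renames six documents; an admin's taskkill stops
# SQL Agent with no renames; Explorer renames one ordinary file.
DROPPER = "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe"
ENCRYPTED_NAMES = ["w8x8M5yNqL.a4x3", "Qp3Lz0aB9c.a4x3", "7kTmR2vXeA.a4x3",
                   "Hj4nS8bWq1.a4x3", "zE6cVp0rY3.a4x3", "B2xL9mKd5t.a4x3"]
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4242, "image": DROPPER, "type": "terminate", "target": "sqlagent.exe"},
    {"ts": 101, "pid": 4242, "image": DROPPER, "type": "terminate", "target": "dbsnmp.exe"},
    {"ts": 200, "pid": 900, "image": "C:\\Windows\\explorer.exe", "type": "rename",
     "target": "C:\\Users\\u\\Documents\\budget_final.xlsx"},
    {"ts": 300, "pid": 777, "image": "C:\\Windows\\System32\\taskkill.exe",
     "type": "terminate", "target": "SQLAGENT.EXE"},
] + [
    {"ts": 105 + i, "pid": 4242, "image": DROPPER, "type": "rename",
     "target": "C:\\Users\\u\\Documents\\" + name}
    for i, name in enumerate(ENCRYPTED_NAMES)
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["score"], f["pid"], f["image"], "; ".join(f["reasons"]))
```

On the sample stream the dropper scores 2 (targeted kills plus a rename burst) while the administrator's taskkill scores 1 and Explorer's single ordinary rename produces nothing, which is the triage order a responder wants. In production the events would come from Windows file and process auditing or an EDR's telemetry rather than an inline list, and the rename burst alone is a useful early warning even before any process termination is seen, since encryption of a large share is what hurts most.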
The above-mentioned Readme.hta recovery manual and a warning image that replaces the desktop wallpaper direct the victim to follow a link to a personal decryption page. That page is reached over The Onion Router (Tor), an anonymity network that hides the server's location and the visitor's IP address from observers; it shields the operators far more than it protects the victim. The landing page tells the infected user to buy the Cerber Decryptor application for 1 Bitcoin, about 630 USD at the time of writing. This ‘special price’ doubles unless payment is made within five days. The choice of cryptocurrency as the payment method adds a further layer of anonymity to the extortionists' operation.
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.