Cerber ransomware evolution By Will Wisser Posted on October 28, 2016 8 min read 1 2,373 The abnormally rapid progress of the crypto ransomware industry over the past several years has induced a delineation between the author and the actual distributor of an infection. The underground affiliate model called RaaS (Ransomware as a Service) has made this extremely dangerous extortion contrivance readily available for dummies and high-profile threat actors alike. The sophisticated file-encrypting plague called Cerber is one of the instigators of such an adverse trend, making the global epidemic run rampant and get out of hand. Because it is circulating on a RaaS basis, multiple groups of online perpetrators can join this malicious network via darknet resources, spread it and share their ransom revenue with the devs. There are reportedly about 160 active Cerber campaigns running concurrently at the time of this writing. Having emerged in late February 2016, this strain has spawned four editions within the eight months of its operation. Every new variant featured code improvements, propagation tweaks and external changes. This article is going to highlight the essentials of these spinoffs and provide the big picture of how the Cerber malady is moving on. Cerber version 1: the ‘eloquent’ inception The original edition of Cerber was distributed via the Magnitude and Nuclear exploit kits that took advantage of a 0day Flash exploit. Later on, the malefactors began to also engage the phishing vector that relied on the use of harmful email attachments. This iteration was intelligent enough to discontinue the attack if it detected that the victim used a Russian interface of Windows operating system. This property is likely to hint at the origin of the crooks who are unwilling to deal with compatriots and people living in a number of Eastern European states. The version under consideration went with a JSON configuration file, which defined the above-mentioned country restrictions, as well as the range of file extensions to encrypt and ignore on the target computer. The Trojan would scan all local and removable drives, as well as mapped and unmapped network shares, in order to find data entries with extensions that matched its hard-coded list. Then, it encrypted each one with AES cipher and appended the .cerber suffix. Filenames got affected too – the pest replaced them with 10 hexadecimal characters and ultimately made an arbitrary file look like YnUo0IHXf8.cerber. Cerber version 1 in action In addition to this, the offending program dropped the following ransom notes: # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. These would appear inside encrypted folders and as new icons on the desktop. The one in the VBS format is particularly interesting. It made Cerber v1 the first ransomware that literally pronounced the warning message to its victims. This VBScript file contained several simple lines of code that instructed the PC to convert the fragment of predefined text into speech and produce the output over the machine’s speakers when executed. Here are the contents of this file: # DECRYPT MY FILES #.vbs file with text-to-speech feature The HTML and TXT ransom manuals basically contained the same alert, plus several preliminary steps to recover the hostage data. In particular, they would instruct the user to download and install Tor Browser, run it and enter a specified Tor address in order to visit their personal dashboard, or the Cerber Decryptor page. This resource allowed the victim to select one of 12 available languages before proceeding. The page informed the infected person about the size of the ransom, which was set to 1.24 Bitcoin. It also emphasized that this was a “special price” valid for only seven days. The countdown displayed on the Cerber Decryptor page would let the victim know how much time they have before the ransom increases to 2.48 Bitcoin. Cerber Decryptor page To monitor the status of their buyout transaction, victims could use the Payments History section on the same page. The automatic decryption tool would become available to download if a payment was sent and verified on the other end. All in all, this version demonstrated how unique and well-orchestrated the campaign was. Cerber version 2: multiple tweaks, stronger crypto The second edition of Cerber was discovered in early August 2016, about five months after the ransomware initially went live. Unlike the predecessor, its dominant spreading technique revolved around social engineering rather than exploit kits. The threat actors opted for harnessing known vulnerabilities of Microsoft Office macros to drop the downloader behind the scenes. The targeted Windows users would receive booby-trapped .docm files that opened up as blank Word documents and displayed a prompt to enable macros and thus purportedly make the contents readable. Obviously, there is a solid reason why macros are turned off by default, so be sure to keep this preset as it is. Other than that, this iteration used a different extension to brand the crippled files. It concatenated the .cerber2 string to them, hence the name of this version. The set of ransom notes remained the same, consisting of three objects named # DECRYPT MY FILES # in .html, .txt and .vbs formats. The wording of these decryption roadmaps didn’t undergo any conspicuous changes. Cerber version 2 switched to a new file extension Another modification was that Cerber2 started using a wallpaper tag to replace victims’ desktop background with a scary image that reflected the initial data restoration demands. The warning contained six URLs, including Tor-protected .onion ones, which pointed to the infected user’s personal page. Desktop background displayed by Cerber2 Not only did Cerber v2 change externally, but it also got enhanced on the inside. First off, it came to use a new wrapper, which helped the offending code fly under the radar of antivirus software. Furthermore, a major tweak cryptography-wise consisted in the fact that the ransomware began generating AES keys via the CryptGenRandom function, which is part of Microsoft CryptoAPI. The size of the keys doubled as compared to the previous version, going up from 16 to 32 bytes. By adding some extra entropy to the mix, the extortionists were able to make TrendMicro’s previously developed free decryptor inefficient with this edition. Cerber version 3: nothing but a replica Cerber v2 turned out to be relatively short-lived. Less than a month into the campaign, an unexpected successor took effect. But was the third generation a game changer? The answer is No. The differences were entirely external, whereas the cryptographic properties and the C2 infrastructure remained unaltered. The new offspring of the notorious extortion-oriented parent would tag the .cerber3 extension on to the encrypted files. Cerber version 3 effects Another conspicuous alteration had to do with the names of ransom notes. The # DECRYPT MY FILES #.html (.txt, .vbs) combo got replaced with counterparts called # HELP DECRYPT #.html (.txt, .url). The warnings and walkthroughs inside these files underwent no particular change, perhaps the only difference being a reference to some weird community dubbed the “C3rber Ransomware”. Cerber3 would set a desktop background that stuck with the same color scheme and wording as before. Furthermore, the list of targeted files, the cryptosystem leveraged, and the Tor-based setup of victims’ personal decryptor pages persevered. Ultimately, this update only introduced a few superficial adjustments. Cerber v4: random extensions, new ransom note The variant currently in rotation was discovered in early October 2016. As opposed to its forerunner, this edition of Cerber has quite a few new features and enhancements under the hood. First off, it broke the previous successive pattern of encrypted file extensions format, that is, .cerber[version number]. Instead, it appends a random four-character string to every affected data item. This new algorithm results in transforming an arbitrary filename into an entry like oeFKrsVXXv.96b3. Note that the extension is preceded by 10 gibberish characters. Cerber v4 encrypted random extension files and the ransom note It turns out that Cerber v4 grabs the victim-specific extension for encoded files from the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. The corresponding value is unique to a user and consists of five hyphenated blocks of hexadecimal characters. The fourth block in this string becomes the new extension that Cerber fetches and concatenates to the enciphered files. The infection also uses the first three blocks of the MachineGuid parameter to assign names to its own components in the host system, including the ransomware folder. Another change involves the alerting mechanism. Rather than sprinkle its ransom notes in several formats throughout the workstation, the new Cerber creates a single edition of its decrypt manual called Readme.hta. This is an HTML application that allows a victim to select their preferred language. The text in it is generally the same as in ransom instruction documents dropped by earlier iterations of the pest. New Readme.hta ransom note’s contents The infection still provides a number of personal page URLs that the user should visit to pay the ransom. The landing page called “Cerber Decryptor” informs the victim of the amount of Bitcoin to submit so that the automatic decrypt tool becomes available. The original size is 1 BTC. After the “grace period” of five days expires, the ransom will double. As before, there is a countdown showing how much time is left before this increase takes effect. Cerber v4 decryptor page A noteworthy enhancement in this spinoff is a more sophisticated anti-VM technique that prevents security researchers from examining the ransomware code in an isolated environment. This is one of the multiple reasons why analysts haven’t succeeded in decrypting Cerber thus far. Cerber Ransomware 4.1.1: version number now indicated A new sequel of the Cerber thriller surfaced around November 1, roughly a month after the previous update. With the earlier editions, researchers had to reverse engineer the ransomware code to figure out the version thereof. This hurdle is no longer an issue, though, because the version number is now disclosed directly on the desktop wallpaper that takes over the original user-defined background image. Cerber version number visible in the warning screen The new ransom note reads, “Your documents, photos, databases and other important files have been encrypted by Cerber Ransomware 4.1.1.” The preliminary decryption tips on the scary wallpaper are reiterated in the contents of Readme.hta application that analysts and victims are already familiar with. Furthermore, it’s still impossible to work out what exactly has been encoded, because the Trojan completely scrambles filenames and transmutes them into random 10-character strings. The file extension tweaking principle hasn’t changed either: the offending code derives the new extension from the MachineGuid registry value, so it’s computer-specific. Given the indication of Cerber version details in the ransom manual, the criminals may gave decided to step away from the paradigm where updates have to be big and infrequent. Instead, it’s likely that there will be a greater number of smaller, interim versions of the infection emerging fairly often henceforth. Cerber version 4.1.5 rolled out This edition was discovered about a week after the 4.1.1 variant emerged. Its desktop wallpaper renders basically the same warning, the only difference being the new version number 4.1.5 indicated on it. Aside from that, this release features hardly any novelty externally. It still appends encrypted files with a four-character extension which is unique to every victim. The ransom notes are still provided via the Readme.hta application. Cerber Ransomware 4.1.5 wallpaper The payload delivery method for Cerber Ransomware 4.1.5 is based on social engineering. The carrier is a ZIP email attachment with a fake invoice inside. When the recipient opens this Microsoft Word file for details, it turns out to be a protected document that doesn’t display any informative content. To make it readable, the user is prompted to click the “Enable Content” button on a yellow bar that reads “Security Warning”. This is a widespread trick that results in activating macros which, in their turn, serve as the medium for exploitation and execution of malicious code remotely. Cerber 4.1.5 devs exploit MS Word macros to install the ransomware Another characteristic of this spinoff that’s worth mentioning is that it harvests extensive information about victims and transmits these details over to its C2 servers. This feature suggests that the ransomware isn’t only an extortion tool but also a data mining entity. Identity theft is one of the likely adverse effects of this activity. Cerber Ransomware 4.1.6, a bigger threat to enterprises Cerber continues to instill fear through its advanced propagation tactics and still uncrackable data encryption. The 4.1.6 iteration of this ransomware is utilizing a more versatile range of contamination vectors, which include the use of spam and rogue software installers. Interestingly, the threat actors were found to use torrent sites for hosting and distributing the booby-trapped applications, thus increasing the number of potential victims considerably. Cerber 4.1.6 wallpaper An alarming fact discovered about Cerber Ransomware 4.1.6 is that it targets a wider scope of database types on computers. This is a wakeup call for organizations that tend to leverage databases more heavily for their day-to-date operation than end users. Once an enterprise machine is infected, the malady proliferates across the corporate network and locks down the most critical information assets. A stronger focus on databases, of course, doesn’t make the new edition of Cerber any less dangerous for regular users. Cerber Ransomware 5.0.0 / 5.0.1 featuring “VIP” propagation At first sight, Cerber version 5.0.0 and its successor 5.0.1 aren’t different from the 4.x.x series of the plague. The new editions still stick with the desktop wallpaper theme where the version number is indicated in the clear. The ransomware still replaces filenames with 10 random hexadecimal chars followed by a four-character extension that’s computer-specific. The ransom note is still called Readme.hta. As opposed to their predecessors, though, the new variants boast an enhanced proliferation methodology. Cerber Ransomware 5.0.0 desktop background The 5th generation of Cerber relies on the exploit kit called RIG-v for proliferation. This is a high-profile malware deployment tool that operates via a network of compromised sites and exploits software vulnerabilities to execute perpetrating code on computers. Unlike the RIG EK proper, this build of the kit is considered to be a “VIP” edition. It leverages the RC4 cryptosystem to obfuscate the ransomware loader and thereby keep security software from intercepting it. The ransom is payable in Bitcoin via the Cerber Decryptor page, which is a Tor gateway that protects the criminals’ identities from being uncovered. The amount to submit is the BTC equivalent of 500 USD. The threat actors provide an option of deciphering 1 file free of charge. To avoid the necessity of paying up due to the Cerber 5.0.0 or 5.0.1 compromise, users should make sure their software, including Adobe Flash Player and Java, are up to date. HELP_HELP_HELP edition of Cerber: what has changed? Another noteworthy adjustment of Cerber’s modus operandi took place in late January, 2017. Having run experiments with the disclosure of ransomware version on the desktop warning wallpaper for a while, its ill-minded devs ended up dropping this approach. Therefore, the new variant no longer makes victims aware of what specific iteration they are dealing with. One more tweak has to do with the color scheme of the alert shown on desktop background. The highlight has turned red and the text proper is white, so the mix of black and green is now history in this context. These are purely cosmetic changes, though. The new design of Cerber desktop warning and modified ransom notes The updated sample of this perpetrating software goes with a new set of ransom notes. It leaves two files called _HELP_HELP_HELP_[random_8_characters].hta/jpg on the infected PC’s desktop as well as folders with hostage files. The HTA object denotes an HTML application which, when opened, allows for some customization. In particular, victims can select their preferred language. The recovery instructions have not changed as compared to the previous version. Victims are still expected to download and install Tor Browser in order to visit their personal decryption page. As before, the Cerber Decryptor service displays a ticking countdown timer to inform the user when the 7-day “grace” period expires, during which the ransom is relatively low. Of course, the Bitcoin address and the size of the ransom are still inalienable attributes provided on the recovery page. Other than the color change and the new name of ransom manuals, the HELP_HELP_HELP threat is pretty much the same ol’ Cerber. Its cryptographic facet has not been modified. It interacts with the Command & Control server over UDP protocol. And it still scrambles filenames according to the old pattern, where the extension is a set of 4 hexadecimal characters derived from the plagued computer’s MachineGuid value. Summary Cerber has become an inalienable component of the contemporary ransomware ecosystem. It is currently one of the top crypto menaces in the wild, along with its direct competitor Locky. The four versions described above demonstrate that the RaaS affiliate platform behind Cerber is an evolving cybercrime environment updated regularly. While its creators are probably busy crafting a new, improved edition as of this writing, it’s highly recommended to focus on prevention. Do not double-click on suspicious email attachments, keep the Firewall enabled, use a dependable antimalware suite, and be sure to back up the data that you can’t afford to lose.