Files that became encrypted and appended with a random four-character extension indicate a ransomware attack that requires an urgent fix on the user’s end.
What is Cerber ransomware?(July 2017)
The term “Cerber”, which is somewhat reminiscent of a scary mythical creature’s name, denotes a piece of ransomware that may cause infected people just about as much terror. The main concern for victims in terms of this threat has to do with the risk of losing their personal files, which is a likely outcome of the attack if the extortionists’ demands are not met. The virus uses AES cryptographic standard to encrypt the user’s most important files, focusing on popular data formats found on the target computer’s hard drive, network shares and removable media. On the outside, these items become considerably skewed as well – the filenames undergo scrambling beyond identification, where each one morphs into a random 10-character string. In addition to this, the ransomware concatenates four hexadecimal characters to encrypted data entries. This suffix is unique for every individual extortion scenario, because it matches a computer-specific MachineGuid registry value. As a result, a sample document will turn into a gibberish string like LQpHq5aNrJ.3f81. Obviously, the user is unable to open any of those.
When the Cerber virus is installed, the first thing it does is determine the country that the machine is located in. If it’s in a country that matches the infection’s hard-coded blacklist mostly composed of Eastern European states, then no further action is taken. Otherwise, the targeted system gets configured to go through several reboots so that the malicious code takes effect. To this end, the ransomware displays a number of rogue system notifications which, once closed manually, trigger a forcible restart of the PC.
The next phase is encryption proper. The malware disregards objects in several directories, including Program Files, ProgramData, Windows, Drivers, and AppData\Local. In the meanwhile, it encodes everything found during the HDD and network drives scan with the above-mentioned symmetric Advanced Encryption Standard. Cerber then adds ransom instructions to the desktop as well as each folder that got hit. The original variant of the perpetrating program would drop the following walkthroughs: # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt and # DECRYPT MY FILES #.vbs. The latest edition of this Trojan called CRBR Encryptor, which was discovered in July 2017, has switched to using a different set of decryption how-to manuals, namely _R_E_A_D___T_H_I_S___[random]_.hta and _R_E_A_D___T_H_I_S___[random]_.txt. An additional JPEG version of ransom notes straightforwardly replaces the original desktop wallpaper to put additional pressure on the infected person.
According to these notes, the victim needs to navigate to a Tor page titled “Cerber Decryptor” and use it to send 0.5 Bitcoin (about $1,100) as the ransom, doing which will supposedly make the file decryption tool available to download. The page also displays a countdown timer to add some urgency to the mix so that the plagued user submits the cryptocurrency within five days, or else the sum will become 1 Bitcoin. The darknet service in question allows deciphering one file free of charge, but that’s certainly cold comfort given the big picture of the quandary.
An unordinary hallmark sign of this infection is that it’s equipped with a VBScript based text-to-speech component that recurrently plays an audio message explaining what happened to the data and how to get it back. The message goes, “Your documents, photos, databases and other important files have been encrypted!”. This is, obviously, a clever scare tactic that makes the attack an awful nuisance, not just a commonplace cipher-backed predicament. Notwithstanding the whole sophistication of Cerber ransomware, some techniques can help victims restore their files without having to pay the fee or somehow crack the strong encryption.
Cerber ransomware automated removal and data recovery
Owing to an up-to-date database of malware signatures and intelligent behavioral detection, the recommended software can quickly locate the infection, eradicate it and remediate all harmful changes. So go ahead and do the following:
1. Download and install the antimalware tool. Open the solution and have it check your PC for PUPs and other types of malicious software by clicking the Start Computer Scan button
2. Rest assured the scan report will list all items that may harm your operating system. Select the detected entries and click Fix Threats to get the troubleshooting completed.
Data recovery toolkit to the rescue
Some strains of ransomware delete the original files after the encryption routine has been completed. As hostile as this activity appears, it can play into your hands. There are applications designed to revive the information that was obliterated because of malfunctioning hardware or due to accidental removal. The tool called Data Recovery Pro by ParetoLogic features this type of capability therefore it can be applied in ransom attack scenarios to at least get the most important files back. So download and install the program, run a scan and let it do its job.
Cerber ransomware manual removal
Some ransomware strains terminate themselves after completing the encryption job on a computer, but some don’t. Furthermore, the Cerber virus may prevent victims from using popular antimalware tools in order to stay on board for as long as possible. Under the circumstances, it may be necessary to utilize the Safe Mode with Networking or System Restore functionality.
- Restart the machine. When the system begins loading back up, keep pressing the F8 key with short intervals. The Windows Advanced Options Menu (Advanced Boot Options) screen will appear.
- Use arrow keys to select Safe Mode with Networking and hit Enter. Log on with the user account infected by the ransomware.
- Click on the Search icon next to the Start menu button. Type msconfig in the search field and select the System Configuration option in the results. Go to the Boot tab in the upper part of the GUI.
- Under Boot options, select Safe boot and click the Apply button. A prompt will appear to reboot the computer so that the changes take effect. Select the Restart option and wait for the system to load into Safe Mode. Again, log on with the ransomware-stricken user account.
In Safe Mode, the ransom Trojan won’t keep security software from running or otherwise thwart troubleshooting. Open your preferred web browser, download and install an antimalware tool of choice and start a full system scan. Have all the detected ransomware components removed in a hassle-free way.
- Open Windows Advanced Options Menu as described in the previous section: hit F8 repeatedly when the PC is starting up. Use arrow keys to highlight the Safe Mode with Command Prompt entry. Hit Enter.
- In the Command Prompt window, type cd restore and hit Enter
- Type rstrui.exe in the new command line and press Enter
- When the System Restore screen pops up, click Next, select a restore point that predates the contamination, and use the application’s controls to roll back the system to this earlier state.
Be advised that even after the ransomware is removed, files will still be encrypted and inaccessible. The malicious code cleanup part, however, is important because it keeps a relapse of the infection from occurring further on and eliminates all opportunistic malware.
Checking one’s options regarding this workaround is doable in two ways: through the Properties menu of each file or by means of the remarkable open-source tool called Shadow Explorer. We recommend the software-based way because it’s automated, hence faster and easier. Just install the app and use its intuitive controls to get previous versions of the encrypted objects reinstated.
Alternatively, you can leverage the Previous Versions feature, which is native to Windows operating system. This method is more cumbersome that the use of ShadowExplorer, but it can help restore the most important individual files on condition that the ransomware failed to disable the Volume Snapshot Service on the computer. Right-click on a file of choice and select Properties. Then, go to the Previous Versions tab as illustrated below.
Go ahead and pick the file’s latest backup version on the list. Use the Copy or Restore buttons to reinstate this object to a new path or to its original folder, respectively.
- Toggle your email provider’s anti-spam settings to filter out all the potentially harmful incoming messages. Raising the bar beyond the default protection is an important countermeasure for ransom Trojans.
- Define specific file extension restrictions in your email system. Make sure that attachments with the following extensions are blacklisted: .js, .vbs, .docm, .hta, .exe, .cmd, .scr, and .bat. Also, treat ZIP archives in received messages with extreme caution.
- Rename the vssadmin.exe process so that ransomware is unable to obliterate all Shadow Volume Copies of your files in one shot.
- Keep your Firewall active at all times. It can prevent crypto ransomware from communicating with its C&C server. This way, the threat won’t be able to obtain cryptographic keys and lock your files.
- Back up your files regularly, at least the most important ones. This recommendation is self-explanatory. A ransomware attack isn’t an issue as long as you keep unaffected copies of your data in a safe place.
- Use an effective antimalware suite. There are security tools that identify ransomware-specific behavior and block the infection before it can do any harm.
These techniques are certainly not a cure-all, but they will add an extra layer of ransomware protection to your security setup.
Learn how the Cerber ransomware has evolved over time
The abnormally rapid progress of the crypto ransomware industry over the past several years has induced a delineation between the author and the actual distributor of an infection. The underground affiliate model called RaaS (Ransomware as a Service) has made this extremely dangerous extortion contrivance readily available for dummies and high-profile threat actors alike.
The sophisticated file-encrypting plague called Cerber is one of the instigators of such an adverse trend, making the global epidemic run rampant and get out of hand. Because it is circulating on a RaaS basis, multiple groups of online perpetrators can join this malicious network via darknet resources, spread it and share their ransom revenue with the devs. There are reportedly about 160 active Cerber campaigns running concurrently at the time of this writing.
Having emerged in late February 2016, this strain has spawned four editions within the eight months of its operation. Every new variant featured code improvements, propagation tweaks and external changes. This article is going to highlight the essentials of these spinoffs and provide the big picture of how the Cerber malady is moving on.
The version under consideration went with a JSON configuration file, which defined the above-mentioned country restrictions, as well as the range of file extensions to encrypt and ignore on the target computer. The Trojan would scan all local and removable drives, as well as mapped and unmapped network shares, in order to find data entries with extensions that matched its hard-coded list. Then, it encrypted each one with AES cipher and appended the .cerber suffix. Filenames got affected too – the pest replaced them with 10 hexadecimal characters and ultimately made an arbitrary file look like YnUo0IHXf8.cerber.
In addition to this, the offending program dropped the following ransom notes: # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. These would appear inside encrypted folders and as new icons on the desktop. The one in the VBS format is particularly interesting. It made Cerber v1 the first ransomware that literally pronounced the warning message to its victims. This VBScript file contained several simple lines of code that instructed the PC to convert the fragment of predefined text into speech and produce the output over the machine’s speakers when executed. Here are the contents of this file:
The HTML and TXT ransom manuals basically contained the same alert, plus several preliminary steps to recover the hostage data. In particular, they would instruct the user to download and install Tor Browser, run it and enter a specified Tor address in order to visit their personal dashboard, or the Cerber Decryptor page. This resource allowed the victim to select one of 12 available languages before proceeding. The page informed the infected person about the size of the ransom, which was set to 1.24 Bitcoin. It also emphasized that this was a “special price” valid for only seven days. The countdown displayed on the Cerber Decryptor page would let the victim know how much time they have before the ransom increases to 2.48 Bitcoin.
To monitor the status of their buyout transaction, victims could use the Payments History section on the same page. The automatic decryption tool would become available to download if a payment was sent and verified on the other end. All in all, this version demonstrated how unique and well-orchestrated the campaign was.
Other than that, this iteration used a different extension to brand the crippled files. It concatenated the .cerber2 string to them, hence the name of this version. The set of ransom notes remained the same, consisting of three objects named # DECRYPT MY FILES # in .html, .txt and .vbs formats. The wording of these decryption roadmaps didn’t undergo any conspicuous changes.
Another modification was that Cerber2 started using a wallpaper tag to replace victims’ desktop background with a scary image that reflected the initial data restoration demands. The warning contained six URLs, including Tor-protected .onion ones, which pointed to the infected user’s personal page.
Not only did Cerber v2 change externally, but it also got enhanced on the inside. First off, it came to use a new wrapper, which helped the offending code fly under the radar of antivirus software. Furthermore, a major tweak cryptography-wise consisted in the fact that the ransomware began generating AES keys via the CryptGenRandom function, which is part of Microsoft CryptoAPI. The size of the keys doubled as compared to the previous version, going up from 16 to 32 bytes. By adding some extra entropy to the mix, the extortionists were able to make TrendMicro’s previously developed free decryptor inefficient with this edition.
Another conspicuous alteration had to do with the names of ransom notes. The # DECRYPT MY FILES #.html (.txt, .vbs) combo got replaced with counterparts called # HELP DECRYPT #.html (.txt, .url). The warnings and walkthroughs inside these files underwent no particular change, perhaps the only difference being a reference to some weird community dubbed the “C3rber Ransomware”.
Cerber3 would set a desktop background that stuck with the same color scheme and wording as before. Furthermore, the list of targeted files, the cryptosystem leveraged, and the Tor-based setup of victims’ personal decryptor pages persevered. Ultimately, this update only introduced a few superficial adjustments.
It turns out that Cerber v4 grabs the victim-specific extension for encoded files from the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. The corresponding value is unique to a user and consists of five hyphenated blocks of hexadecimal characters. The fourth block in this string becomes the new extension that Cerber fetches and concatenates to the enciphered files. The infection also uses the first three blocks of the MachineGuid parameter to assign names to its own components in the host system, including the ransomware folder.
Another change involves the alerting mechanism. Rather than sprinkle its ransom notes in several formats throughout the workstation, the new Cerber creates a single edition of its decrypt manual called Readme.hta. This is an HTML application that allows a victim to select their preferred language. The text in it is generally the same as in ransom instruction documents dropped by earlier iterations of the pest.
The infection still provides a number of personal page URLs that the user should visit to pay the ransom. The landing page called “Cerber Decryptor” informs the victim of the amount of Bitcoin to submit so that the automatic decrypt tool becomes available. The original size is 1 BTC. After the “grace period” of five days expires, the ransom will double. As before, there is a countdown showing how much time is left before this increase takes effect.
A noteworthy enhancement in this spinoff is a more sophisticated anti-VM technique that prevents security researchers from examining the ransomware code in an isolated environment. This is one of the multiple reasons why analysts haven’t succeeded in decrypting Cerber thus far.
The new ransom note reads, “Your documents, photos, databases and other important files have been encrypted by Cerber Ransomware 4.1.1.” The preliminary decryption tips on the scary wallpaper are reiterated in the contents of Readme.hta application that analysts and victims are already familiar with. Furthermore, it’s still impossible to work out what exactly has been encoded, because the Trojan completely scrambles filenames and transmutes them into random 10-character strings. The file extension tweaking principle hasn’t changed either: the offending code derives the new extension from the MachineGuid registry value, so it’s computer-specific.
Given the indication of Cerber version details in the ransom manual, the criminals may gave decided to step away from the paradigm where updates have to be big and infrequent. Instead, it’s likely that there will be a greater number of smaller, interim versions of the infection emerging fairly often henceforth.
The payload delivery method for Cerber Ransomware 4.1.5 is based on social engineering. The carrier is a ZIP email attachment with a fake invoice inside. When the recipient opens this Microsoft Word file for details, it turns out to be a protected document that doesn’t display any informative content. To make it readable, the user is prompted to click the “Enable Content” button on a yellow bar that reads “Security Warning”. This is a widespread trick that results in activating macros which, in their turn, serve as the medium for exploitation and execution of malicious code remotely.
Another characteristic of this spinoff that’s worth mentioning is that it harvests extensive information about victims and transmits these details over to its C2 servers. This feature suggests that the ransomware isn’t only an extortion tool but also a data mining entity. Identity theft is one of the likely adverse effects of this activity.
An alarming fact discovered about Cerber Ransomware 4.1.6 is that it targets a wider scope of database types on computers. This is a wakeup call for organizations that tend to leverage databases more heavily for their day-to-date operation than end users. Once an enterprise machine is infected, the malady proliferates across the corporate network and locks down the most critical information assets. A stronger focus on databases, of course, doesn’t make the new edition of Cerber any less dangerous for regular users.
The 5th generation of Cerber relies on the exploit kit called RIG-v for proliferation. This is a high-profile malware deployment tool that operates via a network of compromised sites and exploits software vulnerabilities to execute perpetrating code on computers. Unlike the RIG EK proper, this build of the kit is considered to be a “VIP” edition. It leverages the RC4 cryptosystem to obfuscate the ransomware loader and thereby keep security software from intercepting it.
The ransom is payable in Bitcoin via the Cerber Decryptor page, which is a Tor gateway that protects the criminals’ identities from being uncovered. The amount to submit is the BTC equivalent of 500 USD. The threat actors provide an option of deciphering 1 file free of charge. To avoid the necessity of paying up due to the Cerber 5.0.0 or 5.0.1 compromise, users should make sure their software, including Adobe Flash Player and Java, are up to date.
The updated sample of this perpetrating software goes with a new set of ransom notes. It leaves two files called _HELP_HELP_HELP_[random_8_characters].hta/jpg on the infected PC’s desktop as well as folders with hostage files. The HTA object denotes an HTML application which, when opened, allows for some customization. In particular, victims can select their preferred language. The recovery instructions have not changed as compared to the previous version. Victims are still expected to download and install Tor Browser in order to visit their personal decryption page. As before, the Cerber Decryptor service displays a ticking countdown timer to inform the user when the 7-day “grace” period expires, during which the ransom is relatively low. Of course, the Bitcoin address and the size of the ransom are still inalienable attributes provided on the recovery page.
Other than the color change and the new name of ransom manuals, the HELP_HELP_HELP threat is pretty much the same ol’ Cerber. Its cryptographic facet has not been modified. It interacts with the Command & Control server over UDP protocol. And it still scrambles filenames according to the old pattern, where the extension is a set of 4 hexadecimal characters derived from the plagued computer’s MachineGuid value.
Researchers associate the onset of different propagation vectors with the growing popularity of Cerber RaaS (Ransomware as a Service) platform, where unrelated cybercrime groups can try their hand at deploying this nasty malady. And yet, malicious ZIP files attached to spam emails invariably pose the main contamination mechanism.
The encryption facet of the ransomware underwent a significant change as well. Cerber 6 is leveraging the Cryptographic Application Programming Interface by Microsoft, also referred to as CryptoAPI. With this tweak in place, there is still no effective way to decrypt files ransomed by the infection. To top it off, the new edition of this pest has become more intelligent as far as detection and analysis of its code go. It goes equipped with anti-VM and anti-sandboxing modules that prevent security analysts from reversing the code. Furthermore, the payload execution delay feature and the use of Windows Firewall rules to terminate AV executables make Cerber version 6 yet more of a moving target for conventional detection mechanisms.
All in all, Cerber is still the most advanced ransomware strain in the online extortion ecosystem. Its newest variant is uncrackable and much harder to detect than its precursors. The crooks behind this ongoing campaign appear to be continuously experimenting with the encryption routine and AV evasion tricks to make sure their despicable product maintains the status quo of today’s top ransomware threat.
As far as the distribution of the CRBR Encryptor edition goes, the vectors thereof are a mix of sophistication and some old school stuff. Part of the attacks are attributed to MagnitudeEK, an exploit kit residing on numerous malicious or hacked websites. When a user visits one of these sites, the bad script checks their computer for known exploits and harnesses them to gain a foothold on the system.
The ransomware is also proliferating via malspam. The threat actors employ a botnet to send thousands of rogue emails with ZIP attachments. These emails may pretend to come from Microsoft Security Team, alerting the recipients on unusual sign-in activity. When the above-mentioned self-extracting ZIP archive is opened, a malicious JS component comes into play. It downloads the executable of CRBR Encryptor virus to the Temp path and runs it.
The Cerber Decryptor payment page has not changed. It states that the victim has 5 days to pay the ransom of 0.5 Bitcoin, and after the deadline expires the sum doubles. As before, this Tor page allows the infected user to decrypt 1 file for free.
Cerber continues to be in the game. Its authors keep applying new tactics to make their extortion tool one of the top ransomware threats. Although the CRBR Encryptor iteration doesn’t have much novelty under the hood, it is just as professionally tailored as all the previous editions.
Cerber has become an inalienable component of the contemporary ransomware ecosystem. It is currently one of the top crypto menaces in the wild, along with its direct competitor Locky. The four versions described above demonstrate that the RaaS affiliate platform behind Cerber is an evolving cybercrime environment updated regularly. While its creators are probably busy crafting a new, improved edition as of this writing, it’s highly recommended to focus on prevention. Do not double-click on suspicious email attachments, keep the Firewall enabled, use a dependable antimalware suite, and be sure to back up the data that you can’t afford to lose.
Revise your security status
Post-factum assessment of the accuracy component in malware removal scenarios is a great habit that prevents the comeback of harmful code or replication of its unattended fractions. Make sure you are good to go by running an additional safety checkup.