The eloquent Cerber Ransomware
Gershwin | 10.05.2016 16:12
The underground ransomware industry is advancing at a rapid pace. It is targeting personal computers and organizations alike, encrypting data with algorithms that feature high entropy.
These campaigns rely on growingly sophisticated distribution vectors, including the use of vulnerable Microsoft Office macros, exploit kits and social engineering trickery. However, while it seemed that there couldn’t possibly be much more novelty in these attacks, the sample known as Cerber has introduced unique characteristics that really surprised the security community.
This crypto ransomware actually speaks to the infected users. To this end, it creates a VBScript version of ransom notes along with the more customary HTML and TXT editions. Once launched, the file named # Decrypt My Files #.vbs produces an audio output that explains what happened to the victim’s data and how to get it back. This isn’t a very complex feature from a technical perspective, but never before have users and experts encountered it.
The Cerber Ransomware has a hard-coded blacklist of countries that it doesn’t target. A few of these are Russia, Armenia, Georgia and Belarus. If the Trojan discovers that it has infected a user in one of these geographic locations, it discontinues the onslaught and uninstalls itself from the machine.
Once the initial scan of the hard drive and network shares has been completed, Cerber gets a list of files with popular extensions that are most likely important to the victim. The infection skips objects that are necessary for the system to operate in a stable way. Then, it encrypts every match using symmetric AES-256 cryptography and also encodes the filenames, concatenating the .cerber extension at the end.
The extortionists ask for 1.24 BTC for decryption. This is approximately $500. However, it’s not a good idea to accept these demands. Quite a few incidents have resulted in irreversible destruction of victims’ sensitive files even after they paid the ransom. Instead, users should try alternative mechanisms based on the use of the Previous Versions feature as well as automatic recovery utilities. Decryption guide: http://soft2secure.com/knowledgebase/decrypt-my-files-cerber
This crypto ransomware actually speaks to the infected users. To this end, it creates a VBScript version of ransom notes along with the more customary HTML and TXT editions. Once launched, the file named # Decrypt My Files #.vbs produces an audio output that explains what happened to the victim’s data and how to get it back. This isn’t a very complex feature from a technical perspective, but never before have users and experts encountered it.
The Cerber Ransomware has a hard-coded blacklist of countries that it doesn’t target. A few of these are Russia, Armenia, Georgia and Belarus. If the Trojan discovers that it has infected a user in one of these geographic locations, it discontinues the onslaught and uninstalls itself from the machine.
Once the initial scan of the hard drive and network shares has been completed, Cerber gets a list of files with popular extensions that are most likely important to the victim. The infection skips objects that are necessary for the system to operate in a stable way. Then, it encrypts every match using symmetric AES-256 cryptography and also encodes the filenames, concatenating the .cerber extension at the end.
The extortionists ask for 1.24 BTC for decryption. This is approximately $500. However, it’s not a good idea to accept these demands. Quite a few incidents have resulted in irreversible destruction of victims’ sensitive files even after they paid the ransom. Instead, users should try alternative mechanisms based on the use of the Previous Versions feature as well as automatic recovery utilities. Decryption guide: http://soft2secure.com/knowledgebase/decrypt-my-files-cerber
Gershwin