SecurityHome.eu Ransom:Win32/Cerber

Home / malware PDF

Ransom:Win32/Cerber

First posted on 26 October 2016.
Source: Microsoft
Aliases :
There are no other names known for Ransom:Win32/Cerber.
Explanation :
Installation

We have seen this ransomware use the following names for its executable and shortcut files:

cerber

encrypted

.exe for example fontdrvhost.exe, wisptis.exe

Where is taken from a legitimate or "clean" application in the and a timestamp from\kernel32.dll.

It drops a copy of its executable file into a randomly named folder in %APPDATA%, for example:

%APPDATA% \{b9624424-31e6-a7fd-21e6-3698086a28f5}\fontdrvhost.exe

The threat creates a shortcut link in the to the malware executable so it runs each time you start your PC.

It uses the same name as the executable's name, for example:

\fontdrvhost.lnk

It also modifies the following registry keys so the ransomware runs whenever you start or restart your PC:

In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "", for example "fontdrvhost"
With data: "", for example%APPDATA%\{b9624424-31e6-a7fd-21e6-3698086a28f5}\cerber.exe

In subkey: HKcU\Administrator\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "", for example "fontdrvhost"
With data: ""

In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "Run"
With data: ""

In subkey: HKCU\Administrator\Software\Microsoft\Command Processor
Sets value: "AutoRun"
With data: ""

In subkey: HKCU\Control Panel\Desktop
Sets value: "Scrnsave.exe"
With data: ""

The malware can also inject its code into clean processes and it might stop or close antimalware software.

Payload

Encrypts your files

This ransomware encrypts files of a certain type using both the RC4 and RSA algorithms.

It also deletes shadow or backup copies of files by running the command:

\vssadmin.exe delete shadows /all /quiet

It doesn't encrypt files and folders in the following list:

:\$recycle.bin\

:\$windows.~bt\

:\boot\

:\documents and settings\all users\

:\documents and settings\default user\

:\documents and settings\localservice\

:\documents and settings\networkservice\

:\program files (x86)\

:\program files\

:\programdata\

:\recovery\

:\recycler\

:\users\all users\

:\windows.old\

:\windows\

\appdata\local\

\appdata\locallow\

\appdata\roaming\adobe\flash player\

\appData\roaming\apple computer\safari\

\appdata\roaming\ati\

\appdata\roaming\google\

\appdata\roaming\intel corporation\

\appdata\roaming\intel\

\appdata\roaming\macromedia\flash player\

\appdata\roaming\microsoft\internet explorer\

\appdata\roaming\microsoft\windows\

\appdata\roaming\mozilla\

\appdata\roaming\nvidia\

\appdata\roaming\opera software\

\appdata\roaming\opera\

\application data\microsoft\

\local settings\

\public\music\sample music\

\public\pictures\sample pictures\

\public\videos\sample videos\

\tor browser\ - this will be where you choose to install the Tor browser to

bootsect.bak

iconcache.db

ntuser.dat

thumbs.db

Files in all other folders on fixed, removable, and RAMdisks, however, will be encrypted if the files are larger than 1KB and have the following extensions:

.1cd

.3dm

.3ds

.3fr

.3g2

.3gp

.3pr

.7z

.7zip

.aac

.ab4

.abd

.acc

.accdb

.accde

.accdr

.accdt

.ach

.acr

.act

.adb

.adp

.ads

.agdl

.ai

.aiff

.ait

.al

.aoi

.apj

.apk

.arw

.ascx

.asf

.asm

.asp

.aspx

.asset

.asx

.atb

.avi

.awg

.back

.backup

.backupdb

.bak

.bank

.bay

.bdb

.bgt

.bik

.bin

.bkp

.blend

.bmp

.bpw

.bsa

.c

.cash

.cdb

.cdf

.cdr

.cdr3

.cdr4

.cdr5

.cdr6

.cdrw

.cdx

.ce1

.ce2

.cer

.cfg

.cfn

.cgm

.cib

.class

.cls

.cmt

.config

.contact

.cpi

.cpp

.cr2

.craw

.crt

.crw

.cry

.cs

.csh

.csl

.css

.csv

.d3dbsp

.dac

.das

.dat

.db

.db_journal

.db3

.dbf

.dbx

.dc2

.dcr

.dcs

.ddd

.ddoc

.ddrw

.dds

.def

.der

.des

.design

.dgc

.dgn

.dit

.djvu

.dng

.doc

.docm

.docx

.dot

.dotm

.dotx

.drf

.drw

.dtd

.dwg

.dxb

.dxf

.dxg

.edb

.eml

.eps

.erbsql

.erf

.exf

.fdb

.ffd

.fff

.fh

.fhd

.fla

.flac

.flb

.flf

.flv

.flvv

.forge

.fpx

.fxg

.gbr

.gho

.gif

.gray

.grey

.groups

.gry

.h

.hbk

.hdd

.hpp

.html

.ibank

.ibd

.ibz

.idx

.iif

.iiq

.incpas

.indd

.info

.info_

.iwi

.jar

.java

.jnt

.jpe

.jpeg

.jpg

.js

.json

.k2p

.kc2

.kdbx

.kdc

.key

.kpdx

.kwm

.laccdb

.lbf

.lck

.ldf

.lit

.litemod

.litesql

.lock

.ltx

.lua

.m

.m2ts

.m3u

.m4a

.m4p

.m4v

.ma

.mab

.mapimail

.max

.mbx

.md

.mdb

.mdc

.mdf

.mef

.mfw

.mid

.mkv

.mlb

.mmw

.mny

.money

.moneywell

.mos

.mov

.mp3

.mp4

.mpeg

.mpg

.mrw

.msf

.msg

.myd

.nd

.ndd

.ndf

.nef

.nk2

.nop

.nrw

.ns2

.ns3

.ns4

.nsd

.nsf

.nsg

.nsh

.nvram

.nwb

.nx2

.nxl

.nyf

.oab

.obj

.odb

.odc

.odf

.odg

.odm

.odp

.ods

.odt

.ogg

.oil

.omg

.one

.orf

.ost

.otg

.oth

.otp

.ots

.ott

.p12

.p7b

.p7c

.pab

.pages

.pas

.pat

.pbf

.pcd

.pct

.pdb

.pdd

.pdf

.pef

.pem

.pfx

.php

.pif

.pl

.plc

.plus_muhd

.pm

.pm!

.pmi

.pmj

.pml

.pmm

.pmo

.pmr

.pnc

.pnd

.png

.pnx

.pot

.potm

.potx

.ppam

.pps

.ppsm

.ppsx

.ppt

.pptm

.pptx

.prf

.private

.ps

.psafe3

.psd

.pspimage

.pst

.ptx

.pub

.pwm

.py

.qba

.qbb

.qbm

.qbr

.qbw

.qbx

.qby

.qcow

.qcow2

.qed

.qtb

.r3d

.raf

.rar

.rat

.raw

.rdb

.re4

.rm

.rtf

.rvt

.rw2

.rwl

.rwz

.s3db

.safe

.sas7bdat

.sav

.save

.say

.sd0

.sda

.sdb

.sdf

.sh

.sldm

.sldx

.slm

.sql

.sqlite

.sqlite3

.sqlitedb

.sqlite-shm

.sqlite-wal

.sr2

.srb

.srf

.srs

.srt

.srw

.st4

.st5

.st6

.st7

.st8

.stc

.std

.sti

.stl

.stm

.stw

.stx

.svg

.swf

.sxc

.sxd

.sxg

.sxi

.sxm

.sxw

.tax

.tbb

.tbk

.tbn

.tex

.tga

.thm

.tif

.tiff

.tlg

.tlx

.txt

.upk

.usr

.vbox

.vdi

.vhd

.vhdx

.vmdk

.vmsd

.vmx

.vmxf

.vob

.vpd

.vsd

.wab

.wad

.wallet

.war

.wav

.wb2

.wma

.wmf

.wmv

.wpd

.wps

.x11

.x3f

.xis

.xla

.xlam

.xlk

.xlm

.xlr

.xls

.xlsb

.xlsm

.xlsx

.xlt

.xltm

.xltx

.xlw

.xml

.xps

.xxx

.ycbcra

.yuv

.zip

The threat will not infect files on machines that have the following default system language:

LANG_RUSSIAN

LANG_UKRAINIAN

LANG_BELARUSIAN

LANG_TAJIK

LANG_ARMENIAN

SUBLANG_AZERI_LATIN

LANG_GEORGIAN

LANG_KAZAK

LANG_KYRGYZ

LANG_TURKMEN

SUBLANG_UZBEK_LATIN

LANG_TATAR (Russia)

LANG_AZERI (Azerbaijan, Cyrillic)

LANG_UZBEK (Uzbekistan, Cyrillic)

After the files are encrypted, the ransomware renames the files to 10 random characters and replaces the file extension with cerber, cerber2, or cerber3, for example:

file.png is renamed to [5kdAaBbL3d].cerber

It creates the following files in each folder where it has encrypted files:

# DECRYPT MY FILES #.HTML

# DECRYPT MY FILES #.VBS

# DECRYPT MY FILES #.TXT

The format of the file name for these files may change. We have also noticed the format # HELP DECRYPT #, and the use of a .url file instead of a .vbs file.

If present, the .vbs file will be run by the threat. It is a VB script that calls the Windows text-to-speech "API SpVoice" to read the following text:

Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!

The script contains the following code:

If the API cannot call text-to-speech software, you might see the following pop up with error code 0x8004503A.

The ransomware shows a ransom note as an HTML page in your web browser similar to the following:

The threat can also open the plain text file (# DECRYPT MY FILES #.TXT) with the same information, as follows:

The text of the notes both explain that your documents, photos, and other files have been encrypted.

The plain text file and HTML page instruct you to download the Tor browser and give you a link you must open in the Tor browser.

The site you are directed to asks you to choose your language and provides a list of images of flags and languages to choose from.

You will also be asked to enter a CAPTCHA verification code to proceed on the website:

The site then shows a page that explains how to recover your files. You are told you must pay a ransom in Bitcoins to a specified Bitcoin address. The page includes instructions on how to buy Bitcoins and how to transfer them to the address.

Connects to a remote host

We have seen this malware connect to a remote host. It will report encryption status information, including the following data:

Operating system

64-bit processor

If the user has administrator privileges

Number of files encrypted

Reason why the encryption was stopped (for example, the machine was in the list of languages that are not encrypted)

It might use Tor, or a server such as the following:

87.98..0/19 using port 6891

31.184..0/23 using port 6892

Some information was gathered from analysis of the following files (SHA1s):

193f407a2f0c7e1eaa65c54cd9115c418881de42

C60AB834453E6C1865EA2A06E4C19EA83982C1F9

E9508FA87D78BC01A92E4FDBCD3D14B2836BC0E2

40cbc4a9481b946cc821d4f7543519e2507a052b

Cerber ransomware behavior updates as of October 3, 2016

The new Cerber variant released a different behavior configuration data.

It generates encrypted file name extension using pseudo-random format "[0-9a-zA-Z_-]{10}.{4} ". For example: azt2geee7i.9797

The configuration contains mostly a list of the following database-related processes that Cerber terminates to successfully encrypt files:

"msftesql.exe",

"sqlagent.exe",

"sqlbrowser.exe",

"sqlservr.exe",

"sqlwriter.exe",

"oracle.exe",

"ocssd.exe",

"dbsnmp.exe",

"synctime.exe",

"mydesktopqos.exe",

"agntsvc.exeisqlplussvc.exe",

"xfssvccon.exe",

"mydesktopservice.exe",

"ocautoupds.exe",

"agntsvc.exeagntsvc.exe",

"agntsvc.exeencsvc.exe",

"firefoxconfig.exe",

"tbirdconfig.exe",

"ocomm.exe",

"mysqld.exe",

"mysqld-nt.exe",

"mysqld-opt.exe",

"dbeng50.exe",

"sqbcoreservice.exe",

The decryption instruction comes in as a readme.hta file (see screenshots below) which asks for a payment of 0.8595 Bitcoins ($524). It increases to 1.79 Bitcoins ($1049) after five days.

Analysis by Carmen Liang and Rodel Finones
Last update 26 October 2016

TOP

Malware :

Last 20