Win32/Cerber

Installation

We have seen this ransomware use the following names for its executable and shortcut files:

• cerber
• encrypted
• <existing file>.exe for example fontdrvhost.exe,  wisptis.exe

Where <existing file> is taken from a legitimate or "clean" application in the <system folder> and a timestamp from<system folder>\kernel32.dll.

It drops a copy of its executable file into a randomly named folder in %APPDATA%, for example:

• %APPDATA% \{b9624424-31e6-a7fd-21e6-3698086a28f5}\fontdrvhost.exe

The threat creates a shortcut link in the <startup folder> to the malware executable so it runs each time you start your PC. 

It uses the same name as the executable's name, for example:

• <startup folder> \fontdrvhost.lnk

It also modifies the following registry keys so the ransomware runs whenever you start or restart your PC:

• In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "<malware filename>", for example "fontdrvhost"
  With data: "<file path to malware executable>", for example%APPDATA%\{b9624424-31e6-a7fd-21e6-3698086a28f5}\cerber.exe
   
• In subkey: HKcU\Administrator\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Sets value: "<malware filename>", for example "fontdrvhost"
  With data: "<file path to malware executable>"
   
• In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Sets value: "Run"
  With data: "<file path to malware executable>"
     
• In subkey: HKCU\Administrator\Software\Microsoft\Command Processor
  Sets value: "AutoRun"
  With data: "<file path to malware executable>"
   
• In subkey: HKCU\Control Panel\Desktop
  Sets value: "Scrnsave.exe"
  With data: "<file path to malware executable>"

The malware can also inject its code into clean processes and it might stop or close antimalware software.

Payload

Encrypts your files

This ransomware encrypts files of a certain type using both the RC4 and RSA algorithms.

It also deletes shadow or backup copies of files by running the command:

• <system folder> \vssadmin.exe  delete shadows /all /quiet

It doesn't encrypt files and folders in the following list: 

• :\$recycle.bin\
• :\$windows.~bt\
• :\boot\
• :\documents and settings\all users\
• :\documents and settings\default user\
• :\documents and settings\localservice\
• :\documents and settings\networkservice\
• :\program files (x86)\
• :\program files\
• :\programdata\
• :\recovery\
• :\recycler\
• :\users\all users\
• :\windows.old\
• :\windows\
• \appdata\local\
• \appdata\locallow\
• \appdata\roaming\adobe\flash player\
• \appData\roaming\apple computer\safari\
• \appdata\roaming\ati\
• \appdata\roaming\google\
• \appdata\roaming\intel corporation\
• \appdata\roaming\intel\
• \appdata\roaming\macromedia\flash player\
• \appdata\roaming\microsoft\internet explorer\
• \appdata\roaming\microsoft\windows\
• \appdata\roaming\mozilla\
• \appdata\roaming\nvidia\
• \appdata\roaming\opera software\
• \appdata\roaming\opera\
• \application data\microsoft\
• \local settings\
• \public\music\sample music\
• \public\pictures\sample pictures\
• \public\videos\sample videos\
• \tor browser\ - this will be where you choose to install the Tor browser to
• bootsect.bak
• iconcache.db
• ntuser.dat
• thumbs.db

Files in all other folders on fixed, removable, and RAMdisks, however, will be encrypted if the files are larger than 1KB and have the following extensions:

The threat will not infect files on machines that have the following default system language:

• LANG_RUSSIAN
• LANG_UKRAINIAN
• LANG_BELARUSIAN
• LANG_TAJIK
• LANG_ARMENIAN
• SUBLANG_AZERI_LATIN
• LANG_GEORGIAN
• LANG_KAZAK
• LANG_KYRGYZ
• LANG_TURKMEN
• SUBLANG_UZBEK_LATIN
• LANG_TATAR (Russia)
• LANG_AZERI (Azerbaijan, Cyrillic)
• LANG_UZBEK (Uzbekistan, Cyrillic)

After the files are encrypted, the ransomware renames the files to 10 random characters and replaces the file extension with cerber, cerber2, or cerber3, for example:

• file.png is renamed to [5kdAaBbL3d].cerber

It creates the following files in each folder where it has encrypted files:

• # DECRYPT MY FILES #.HTML
• # DECRYPT MY FILES #.VBS
• # DECRYPT MY FILES #.TXT

The format of the file name for these files may change. We have also noticed the format # HELP DECRYPT #, and the use of a .url file instead of a .vbs file.

If present, the .vbs file will be run by the threat. It is a VB script that calls the Windows text-to-speech "API SpVoice" to read the following text:  

• Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!

The script contains the following code:

If the API cannot call text-to-speech software, you might see the following pop up with error code 0x8004503A.

The ransomware shows a ransom note as an HTML page  in your web browser similar to the following:

The threat can also open the plain text file (# DECRYPT MY FILES #.TXT) with the same information, as follows:

The text of the notes both explain that your documents, photos, and other files have been encrypted.

The plain text file and HTML page instruct you to download the Tor browser and give you a link you must open in the Tor browser.

The site you are directed to asks you to choose your language and provides a list of images of flags and languages to choose from.

 

You will also be asked to enter a CAPTCHA verification code to proceed on the website:

 

The site then shows a page that explains how to recover your files. You are told you must pay a ransom in Bitcoins to a specified Bitcoin address. The page includes instructions on how to buy Bitcoins and how to transfer them to the address.

Starting with version 4.0, Cerber uses pseudo-random file name extensions derived from your MachineGuid in its encryption routine.

Connects to a remote host

We have seen this malware connect to a remote host. It will report encryption status information, including the following data:

• Operating system
• 64-bit processor
• If the user has administrator privileges
• Number of files encrypted
• Reason why the encryption was stopped (for example, the machine was in the list of languages that are not encrypted)

It might use Tor, or a server such as the following:

• 87.98.<obfuscated>.0/19 using port 6891
• 31.184.<obfuscated>.0/23 using port 6892

Some information was gathered from analysis of the following files (SHA1s):

• 193f407a2f0c7e1eaa65c54cd9115c418881de42
• C60AB834453E6C1865EA2A06E4C19EA83982C1F9
• E9508FA87D78BC01A92E4FDBCD3D14B2836BC0E2
• 40cbc4a9481b946cc821d4f7543519e2507a052b

Cerber ransomware behavior updates as of October 3, 2016

The new Cerber variant released a different behavior configuration data.

It generates encrypted file name extension using pseudo-random format "[0-9a-zA-Z_-]{10}.<hex>{4} ".  For example: azt2geee7i.9797

The configuration contains mostly a list of the following database-related processes that Cerber terminates to successfully encrypt files:

• "msftesql.exe",
• "sqlagent.exe",
• "sqlbrowser.exe",
• "sqlservr.exe",
• "sqlwriter.exe",
• "oracle.exe",
• "ocssd.exe",
• "dbsnmp.exe",
• "synctime.exe",
• "mydesktopqos.exe",
• "agntsvc.exeisqlplussvc.exe",
• "xfssvccon.exe",
• "mydesktopservice.exe",
• "ocautoupds.exe",
• "agntsvc.exeagntsvc.exe",
• "agntsvc.exeencsvc.exe",
• "firefoxconfig.exe",
• "tbirdconfig.exe",
• "ocomm.exe",
• "mysqld.exe",
• "mysqld-nt.exe",
• "mysqld-opt.exe",
• "dbeng50.exe",
• "sqbcoreservice.exe",

The decryption instruction comes in as a readme.hta file (see screenshots below) which asks for a payment of 0.8595 Bitcoins ($524). It increases to 1.79 Bitcoins ($1049) after five days.

Cerber ransomware behavior updates as of December 13, 2016

The latest version of Cerber can be installed by malicious attachments in spam email or downloaded by Rig exploit kit. Read more about these ransomware campaigns on the Micrsoft Malware Protection Center blog: No slowdown in Cerber ransomware activity as 2016 draws to a close.

We noted some changes in the configuration and behavior in this version:

More than 50 file name extensions are added to its file encryption routine, bringing the total number of file types to 493:

However, new to this version is a list of file name extensions exempted from encrypted:

• .bat
• .cmd
• .com
• .cpl
• .dll
• .exe
• .hta
• .msc
• .msi
• .msp
• .pif
• .scf
• .scr
• .sys

It prioritizes the following updated list of folders when searching for files to encrypt:

• \bitcoin\
• \excel\
• \microsoft sql server\
• \microsoft\excel\
• \microsoft\microsoft sql server\
• \microsoft\office\
• \microsoft\onenote\
• \microsoft\outlook\
• \microsoft\powerpoint\
• \microsoft\word\
• \office\
• \onenote\
• \outlook\
• \powerpoint\
• \steam\
• \the bat!\
• \thunderbird\
• \word\

 But it adds a few more folders to its list of exemptions: 

• \$getcurrent\ (new)
• \$recycle.bin\ (new)
• \$windows.~bt\
• \$windows.~ws\ (new)
• \boot\
• \documents and settings\all users\
• \documents and settings\default user\
• \documents and settings\localservice\
• \documents and settings\networkservice\
• \intel\ (new)
• \msocache\ (new)
• \perflogs\ (new)
• \program files (x86)\
• \program files\
• \programdata\
• \recovery\ (new)
• \recycled\ (new)
• \recycler\ (new)
• \system volume information\ (new)
• \temp\ (new)
• \users\all users\
• \windows.old\
• \windows10upgrade\ (new)
• \windows\
• \winnt\ (new)
• \appdata\local\
• \appdata\locallow\
• \appdata\roaming\ (made more generic)
• \local settings\
• \public\music\sample music\
• \public\pictures\sample pictures\
• \public\videos\sample videos\
• \tor browser\

It drops the ransom note, which contains instruction for decryption, as _README_{RAND}_.hta; for example, _README_2Rg927_.hta.

It also uses two new sets of C&C servers:

17.1.32.0/27 78.15.15.0/27 194.165.16.0/22

37.15.20.0/27 77.1.12.0/27 91.239.24.0/23

The new Cerber version also arrivew with a wallpaper that is noticeably modified from previous versions’ green palette to red:

 

Analysis by Carmen Liang and Rodel Finones