Win32/Cerber
Aliases: Troj/Ransom-CJM (Sophos), Trojan.Cryptolocker.AH (Symantec)
Summary
Windows Defender detects and removes this threat.
This ransomware can stop you from using your PC or accessing your data.
It is a member of the ransomware-as-a-service category of ransomware, and spreads through email, exploit kits, and other drive-by downloads. As of September 2016, we have seen this threat use the Exploit:HTML/Pangimop (Magnitude) and Exploit:HTML/Meadgive (Rig) exploit kits in its campaign in the Asian region (Taiwan and South Korea). We have also seen it distributed in email attachments that contain script-based downloaders, such as those written in JavaScript (.js), Office VBA (Word documents such as .doc and .rtf), and Windows Script File (.wsf). As of October 2016, we have seen Cerber delivered through password-protected email attachments, along with other threats.
It demands that you pay money (in bitcoins) to the attacker. It can play a synthesized text-to-speech message, show a web page, or open a plain text document.
Our ransomware FAQ page has more information on this type of threat.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms considerably more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware than Windows 10 devices.
Read our latest report: A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017.
There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that paying the ransom will give you access to your files.
If you've already paid, see our ransomware page for help on what to do now.
Run antivirus or antimalware software
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender for Windows 8.1 and Windows 10, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Use cloud protection
Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10.
To check if it's running, go to All settings > Update & security > Windows Defender and make sure that the Cloud-based Protection setting is turned On.
Get more help
You can also see our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
We have seen this ransomware use the following names for its executable and shortcut files:
- cerber
- encrypted
- <existing file>.exe, for example fontdrvhost.exe or wisptis.exe
Where <existing file> is the name of a legitimate ("clean") application in the <system folder>; the dropped file's timestamp is copied from <system folder>\kernel32.dll.
It drops a copy of its executable file into a randomly named folder in %APPDATA%, for example:
- %APPDATA%\{b9624424-31e6-a7fd-21e6-3698086a28f5}\fontdrvhost.exe
The threat creates a shortcut link in the <startup folder> to the malware executable so it runs each time you start your PC.
It uses the same name as the executable's name, for example:
- <startup folder>\fontdrvhost.lnk
It also modifies the following registry keys so the ransomware runs whenever you start or restart your PC:
- In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "<malware filename>", for example "fontdrvhost"
  With data: "<file path to malware executable>", for example %APPDATA%\{b9624424-31e6-a7fd-21e6-3698086a28f5}\cerber.exe
- In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Sets value: "<malware filename>", for example "fontdrvhost"
  With data: "<file path to malware executable>"
- In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Sets value: "Run"
  With data: "<file path to malware executable>"
- In subkey: HKCU\Administrator\Software\Microsoft\Command Processor
  Sets value: "AutoRun"
  With data: "<file path to malware executable>"
- In subkey: HKCU\Control Panel\Desktop
  Sets value: "Scrnsave.exe"
  With data: "<file path to malware executable>"
The malware can also inject its code into clean processes and it might stop or close antimalware software.
Payload
Encrypts your files
This ransomware encrypts files of a certain type using both the RC4 and RSA algorithms.
It also deletes shadow or backup copies of files by running the command:
- <system folder>\vssadmin.exe delete shadows /all /quiet
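As an added example (not part of the Microsoft write-up), the following Python flags the persistence entries from the Installation section and the shadow-copy deletion above in constructed Sysmon-style events; the event shape, the assumption that the random %APPDATA% folder name is GUID-shaped like the page's example, and the sample events are all mine.

```python
import re

# Persistence locations from the Installation section above. Keys are matched
# by suffix so that HKCU\..., HKU\<user hive>\... and HKEY_CURRENT_USER\...
# all match; None means any value name under that key is of interest.
PERSISTENCE_LOCATIONS = {
    r"\software\microsoft\windows\currentversion\run": None,
    r"\software\microsoft\windows\currentversion\runonce": None,
    r"\software\microsoft\windows\currentversion\policies\explorer": "run",
    r"\software\microsoft\command processor": "autorun",
    r"\control panel\desktop": "scrnsave.exe",
}

# Executable dropped in a GUID-named folder under %APPDATA% (assumption: the folder
# name is GUID-shaped as in the page's example); unexpanded and expanded forms match.
APPDATA_GUID_EXE = re.compile(
    r"(?:%appdata%|\\appdata\\roaming)\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}"
    r"-[0-9a-f]{12}\}\\[^\\]+\.exe$", re.I)

# Shadow-copy deletion command from the Payload section above.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "fontdrvhost",
     "data": r"%APPDATA%\{b9624424-31e6-a7fd-21e6-3698086a28f5}\fontdrvhost.exe"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop", "value": "Scrnsave.exe",
     "data": r"C:\Users\alice\AppData\Roaming\{b9624424-31e6-a7fd-21e6-3698086a28f5}\fontdrvhost.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Command Processor", "value": "AutoRun",
     "data": r"C:\Users\alice\AppData\Roaming\{b9624424-31e6-a7fd-21e6-3698086a28f5}\fontdrvhost.exe"},
    # Benign: a normal Run entry and a read-only vssadmin query.
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},
]


def check_event(ev):
    """Return a finding for one event, or None if it matches nothing."""
    if ev["type"] == "process" and VSS_DELETE.search(ev["cmdline"]):
        return "shadow copies deleted: " + ev["cmdline"]
    if ev["type"] == "registry":
        key = ev["key"].lower()
        for suffix, value_name in PERSISTENCE_LOCATIONS.items():
            wanted_value = value_name in (None, ev["value"].lower())
            if key.endswith(suffix) and wanted_value and APPDATA_GUID_EXE.search(ev["data"]):
                return f"autorun {ev['key']}\\{ev['value']} -> {ev['data']}"
    return None


def detect(events):
    """Run every event through check_event and keep the findings, in order."""
    return [f for f in (check_event(e) for e in events) if f]
```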
It doesn't encrypt files and folders in the following list:
- :\$recycle.bin\
- :\$windows.~bt\
- :\boot\
- :\documents and settings\all users\
- :\documents and settings\default user\
- :\documents and settings\localservice\
- :\documents and settings\networkservice\
- :\program files (x86)\
- :\program files\
- :\programdata\
- :\recovery\
- :\recycler\
- :\users\all users\
- :\windows.old\
- :\windows\
- \appdata\local\
- \appdata\locallow\
- \appdata\roaming\adobe\flash player\
- \appdata\roaming\apple computer\safari\
- \appdata\roaming\ati\
- \appdata\roaming\google\
- \appdata\roaming\intel corporation\
- \appdata\roaming\intel\
- \appdata\roaming\macromedia\flash player\
- \appdata\roaming\microsoft\internet explorer\
- \appdata\roaming\microsoft\windows\
- \appdata\roaming\mozilla\
- \appdata\roaming\nvidia\
- \appdata\roaming\opera software\
- \appdata\roaming\opera\
- \application data\microsoft\
- \local settings\
- \public\music\sample music\
- \public\pictures\sample pictures\
- \public\videos\sample videos\
- \tor browser\ (wherever you chose to install the Tor browser)
- bootsect.bak
- iconcache.db
- ntuser.dat
- thumbs.db
Files in all other folders on fixed, removable, and RAM disks are encrypted if they are larger than 1 KB and have one of the file name extensions the threat targets.
The threat does not encrypt files on machines that have one of the following default system languages:
- LANG_RUSSIAN
- LANG_UKRAINIAN
- LANG_BELARUSIAN
- LANG_TAJIK
- LANG_ARMENIAN
- SUBLANG_AZERI_LATIN
- LANG_GEORGIAN
- LANG_KAZAK
- LANG_KYRGYZ
- LANG_TURKMEN
- SUBLANG_UZBEK_LATIN
- LANG_TATAR (Russia)
- LANG_AZERI (Azerbaijan, Cyrillic)
- LANG_UZBEK (Uzbekistan, Cyrillic)
After the files are encrypted, the ransomware renames the files to 10 random characters and replaces the file extension with cerber, cerber2, or cerber3, for example:
- file.png is renamed to [5kdAaBbL3d].cerber
It creates the following files in each folder where it has encrypted files:
- # DECRYPT MY FILES #.HTML
- # DECRYPT MY FILES #.VBS
- # DECRYPT MY FILES #.TXT
The format of the file name for these files may change. We have also noticed the format # HELP DECRYPT #, and the use of a .url file instead of a .vbs file.
If present, the .vbs file is run by the threat. It is a VB script that calls the Windows text-to-speech API (SpVoice) to read the following text:
- Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!
The script contains the following code:
If the API cannot call the text-to-speech software, you might see the following pop-up with error code 0x8004503A.
The ransomware shows a ransom note as an HTML page in your web browser similar to the following:
The threat can also open the plain text file (# DECRYPT MY FILES #.TXT) with the same information, as follows:
Both notes explain that your documents, photos, and other files have been encrypted.
The plain text file and HTML page instruct you to download the Tor browser and give you a link you must open in the Tor browser.
The site you are directed to asks you to choose your language and provides a list of images of flags and languages to choose from.
You will also be asked to enter a CAPTCHA verification code to proceed on the website:
The site then shows a page that explains how to recover your files. You are told you must pay a ransom in Bitcoins to a specified Bitcoin address. The page includes instructions on how to buy Bitcoins and how to transfer them to the address.
Starting with version 4.0, Cerber uses pseudo-random file name extensions derived from your MachineGuid in its encryption routine.
Connects to a remote host
We have seen this malware connect to a remote host and report encryption status information, including the following data:
- Operating system
- Whether the processor is 64-bit
- Whether the user has administrator privileges
- Number of files encrypted
- Reason the encryption was stopped (for example, the machine's language was in the list of languages that are not encrypted)
It might use Tor, or a server such as the following:
- 87.98.<obfuscated>.0/19 using port 6891
- 31.184.<obfuscated>.0/23 using port 6892
Some information was gathered from analysis of the following files (SHA1s):
- 193f407a2f0c7e1eaa65c54cd9115c418881de42
- C60AB834453E6C1865EA2A06E4C19EA83982C1F9
- E9508FA87D78BC01A92E4FDBCD3D14B2836BC0E2
- 40cbc4a9481b946cc821d4f7543519e2507a052b
Cerber ransomware behavior updates as of October 3, 2016
The new Cerber variant ships with different behavior configuration data.
It generates the encrypted file name and extension using the pseudo-random format "[0-9a-zA-Z_-]{10}.<hex>{4}", for example azt2geee7i.9797.
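As an added example (not from the page), this Python triages a directory listing against the naming conventions described here: the original 10-character names with .cerber/.cerber2/.cerber3, the October 2016 "[0-9a-zA-Z_-]{10}.<hex>{4}" format, and the # DECRYPT MY FILES #, # HELP DECRYPT # and _README_{RAND}_.hta note names (the last from the December 2016 update below). The sample paths are constructed and the folder-level rule is my own.

```python
import re
from pathlib import PureWindowsPath

# Original naming: 10 random characters plus .cerber, .cerber2 or .cerber3.
# Assumption: the brackets around 5kdAaBbL3d in the page's example are
# delimiters, not part of the file name.
CERBER_V1 = re.compile(r"^[0-9a-zA-Z_-]{10}\.cerber[23]?$")
# October 2016 format "[0-9a-zA-Z_-]{10}.<hex>{4}", e.g. azt2geee7i.9797.
CERBER_V3 = re.compile(r"^[0-9a-zA-Z_-]{10}\.[0-9a-fA-F]{4}$")
# Ransom notes dropped into each encrypted folder, across the variants above
# and the December 2016 _README_{RAND}_.hta name.
RANSOM_NOTE = re.compile(
    r"^(?:# (?:DECRYPT MY FILES|HELP DECRYPT) #\.(?:html|vbs|txt|url)"
    r"|_README_[^_]+_\.hta)$", re.I)

# Constructed sample directory listing (not real data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\5kdAaBbL3d.cerber",
    r"C:\Users\alice\Documents\qZ_x-9t1mP.cerber3",
    r"C:\Users\alice\Documents\# DECRYPT MY FILES #.html",
    r"C:\Users\alice\Documents\# DECRYPT MY FILES #.txt",
    r"C:\Users\alice\Pictures\azt2geee7i.9797",
    r"C:\Users\alice\Pictures\k3Lm9xQ2aB.0c1f",
    r"C:\Users\alice\Pictures\_README_2Rg927_.hta",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Downloads\report-2016.pdf",
]


def classify(filename):
    """Label one file name: encrypted-cerber, encrypted-hex4, ransom-note or None."""
    if CERBER_V1.match(filename):
        return "encrypted-cerber"
    if CERBER_V3.match(filename):
        return "encrypted-hex4"
    if RANSOM_NOTE.match(filename):
        return "ransom-note"
    return None


def triage(paths, min_encrypted=2):
    """Group matches by folder and keep folders that hold at least
    min_encrypted renamed files *and* a ransom note; a lone 10-character
    name with a 4-hex-digit extension is not evidence on its own."""
    per_folder = {}
    for path in paths:
        wp = PureWindowsPath(path)
        label = classify(wp.name)
        if label is None:
            continue
        stats = per_folder.setdefault(str(wp.parent), {"encrypted": 0, "notes": 0})
        stats["encrypted" if label.startswith("encrypted") else "notes"] += 1
    return {f: s for f, s in per_folder.items()
            if s["encrypted"] >= min_encrypted and s["notes"] > 0}
```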
The configuration consists mostly of the following list of database-related processes, which Cerber terminates so that it can encrypt the files they hold open:
- "msftesql.exe",
- "sqlagent.exe",
- "sqlbrowser.exe",
- "sqlservr.exe",
- "sqlwriter.exe",
- "oracle.exe",
- "ocssd.exe",
- "dbsnmp.exe",
- "synctime.exe",
- "mydesktopqos.exe",
- "agntsvc.exeisqlplussvc.exe",
- "xfssvccon.exe",
- "mydesktopservice.exe",
- "ocautoupds.exe",
- "agntsvc.exeagntsvc.exe",
- "agntsvc.exeencsvc.exe",
- "firefoxconfig.exe",
- "tbirdconfig.exe",
- "ocomm.exe",
- "mysqld.exe",
- "mysqld-nt.exe",
- "mysqld-opt.exe",
- "dbeng50.exe",
- "sqbcoreservice.exe",
The decryption instructions come as a readme.hta file (see the screenshots below), which asks for a payment of 0.8595 Bitcoins ($524). The demand increases to 1.79 Bitcoins ($1049) after five days.
Cerber ransomware behavior updates as of December 13, 2016
The latest version of Cerber can be installed by malicious attachments in spam email or downloaded by the Rig exploit kit. Read more about these ransomware campaigns on the Microsoft Malware Protection Center blog: No slowdown in Cerber ransomware activity as 2016 draws to a close.
We noted some changes in the configuration and behavior in this version:
More than 50 file name extensions are added to its file encryption routine, bringing the total number of file types to 493:
.123, .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .602, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aes, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arc, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg,
.back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .brd, .bsa, .bz2,
.c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmd, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .csr, .css, .csv,
.d3dbsp, .dac, .das, .dat, .db, .db3, .db_journal, .dbf, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dif, .dip, .dit, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg,
.edb, .eml, .eps, .erbsql, .erf, .exf,
.fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .forge, .fpx, .frm, .fxg,
.gbr, .gho, .gif, .gpg, .gray, .grey, .groups, .gry, .gz,
.h, .hbk, .hdd, .hpp, .html, .hwp,
.ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .iwi,
.jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json,
.k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm,
.laccdb, .lay, .lay6, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .ltx, .lua,
.m, .m2ts, .m3u, .m4a, .m4p, .m4u, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mml, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .ms11, .msf, .msg, .mts, .myd, .myi,
.nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf,
.oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .onenotec2, .orf, .ost, .otg, .oth, .otp, .ots, .ott,
.p12, .p7b, .p7c, .pab, .pages, .paq, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py,
.qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb,
.r3d, .raf, .rar, .rat, .raw, .rb, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz,
.s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sd0, .sda, .sdb, .sdf, .secret, .sh, .sldm, .sldx, .slk, .slm, .sql, .sqlite, .sqlite-shm, .sqlite-wal, .sqlite3, .sqlitedb, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw,
.tar, .tax, .tbb, .tbk, .tbn, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .tlx, .txt,
.uop, .uot, .upk, .usr,
.vb, .vbox, .vbs, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd,
.wab, .wad, .wallet, .war, .wav, .wb2, .wk1, .wks, .wma, .wmf, .wmv, .wpd, .wps,
.x11, .x3f, .xis, .xla, .xlam, .xlc, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx,
.ycbcra, .yuv, .zip
New to this version, however, is a list of file name extensions that are exempted from encryption:
- .bat
- .cmd
- .com
- .cpl
- .dll
- .exe
- .hta
- .msc
- .msi
- .msp
- .pif
- .scf
- .scr
- .sys
It prioritizes the following updated list of folders when searching for files to encrypt:
- \bitcoin\
- \excel\
- \microsoft sql server\
- \microsoft\excel\
- \microsoft\microsoft sql server\
- \microsoft\office\
- \microsoft\onenote\
- \microsoft\outlook\
- \microsoft\powerpoint\
- \microsoft\word\
- \office\
- \onenote\
- \outlook\
- \powerpoint\
- \steam\
- \the bat!\
- \thunderbird\
- \word\
It also adds a few more folders to its list of exemptions:
- \$getcurrent\ (new)
- \$recycle.bin\ (new)
- \$windows.~bt\
- \$windows.~ws\ (new)
- \boot\
- \documents and settings\all users\
- \documents and settings\default user\
- \documents and settings\localservice\
- \documents and settings\networkservice\
- \intel\ (new)
- \msocache\ (new)
- \perflogs\ (new)
- \program files (x86)\
- \program files\
- \programdata\
- \recovery\ (new)
- \recycled\ (new)
- \recycler\ (new)
- \system volume information\ (new)
- \temp\ (new)
- \users\all users\
- \windows.old\
- \windows10upgrade\ (new)
- \windows\
- \winnt\ (new)
- \appdata\local\
- \appdata\locallow\
- \appdata\roaming\ (made more generic)
- \local settings\
- \public\music\sample music\
- \public\pictures\sample pictures\
- \public\videos\sample videos\
- \tor browser\
It drops the ransom note, which contains instructions for decryption, as _README_{RAND}_.hta, for example _README_2Rg927_.hta.
It also uses two new sets of C&C servers.
The new Cerber version also arrives with a wallpaper that is noticeably modified from previous versions’ green palette to red:
Analysis by Carmen Liang and Rodel Finones
Prevention
The following can indicate that you have this threat on your PC:
- Your files have random names and the extension .cerber, .cerber2, or .cerber3, and you can't open them
- You see folders or files with these names:
  - cerber
  - encrypted
  - fontdrvhost
  - vssadmin
  - wisptis
- You see a webpage or text document with information similar to the following:
- You see these entries or keys in your registry:
  - In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<malware filename>", for example "cerber"
    With data: "<file path to malware executable>", for example %APPDATA%\Roaming\{b9624424-31e6-a7fd-21e6-3698086a28f5}\cerber.exe
  - In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Sets value: "Run"
    With data: "<file path to malware executable>"
  - In subkey: HKU\Administrator\Software\Microsoft\Command Processor
    Sets value: "AutoRun"
    With data: "<file path to malware executable>"
- You see an error message similar to this whenever you start your PC: