New Cerber Ransomware Speaks to Victims

A new piece of ransomware has been discovered that speaks to its victims in order to inform them that their files have been encrypted.

Dubbed Cerber, the threat appeared on the threat landscape about a week ago and is said to employ functionality typically found in ransomware. Cerber encrypts a victim’s files using AES-256 encryption, encrypts each file’s name, and then adds the .CERBER extension to it. Cerber targets a wide array of file extensions, but avoids files named bootsect.bak, iconcache.db, thumbs.db, or wallet.dat, according to Bleeping Computer’s Lawrence Abrams.

Furthermore, as Abrams explains, the malware also skips files whose full pathnames include a specific set of strings. Similar to the Locky ransomware, the new malicious application scans all accessible network shares on the network, including unmapped Windows shares, and encrypts any data that is found on them.

At first run, the ransomware checks whether the computer is located in one of the following countries: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan, and terminates itself if it is. Otherwise, it installs itself in the AppData folder and names itself after a random Windows executable.

The ransomware also configures Windows to automatically boot into Safe Mode with Networking on the next reboot, and configures itself to start automatically when the user logs into Windows, to run as a screensaver, and to execute once every minute. Each time it is executed, Cerber displays a fake system alert and begins a reboot process, and it keeps displaying these alerts until the reboot is performed.

Once the reboot is initiated, the computer boots into Safe Mode with Networking and, once the user logs in, it reboots again in normal mode. As soon as the second reboot is completed, the ransomware, which uses a JSON configuration file for its settings, executes itself and starts encrypting the victim’s files.

After encrypting files, the ransomware creates 3 ransom notes on the user’s desktop and in every folder that it has encrypted: # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. These ransom notes contain information on what happened to the user’s data and links to the Tor decryption service where the user can pay a ransom and retrieve the decryptor.

Researchers also discovered that the # DECRYPT MY FILES #.vbs file contains VBScript, which causes the computer to “speak” to the victim. The file includes a message stating that the user’s files have been encrypted, and the message is repeated numerous times.

The ransom notes link to the decrypttozxybarc.onion Tor site named Cerber Decryptor, where users can make payments and retrieve the decryptor keys. The site is available in 12 languages, includes a captcha, and provides users with details on how to pay the ransom, the ransom amount (1.24 bitcoins or around $500), and that the ransom should be paid in 7 days, otherwise it will double.

For the time being there is no way to decrypt files for free, and affected users are advised to restore their files from a backup.

Also of importance is the fact that Cerber is currently offered as a service on a closed underground Russian forum. While details on how the malware is being distributed are not available at the moment, the fact that it is Ransomware as a Service, or RaaS, means that even cybercriminals without advanced computer skills can use it to attack users.
