New Cerber Ransomware Speaks to Victims

A new piece of ransomware has been discovered that speaks to its victims in order to inform them that their files have been encrypted.

Dubbed Cerber, the threat appeared on the threat landscape about a week ago and is said to employ functionality typically found in ransomware. Cerber encrypts a victim’s files using AES-256 encryption, and encrypts the file’s name, and then adds the .CERBER extension to it. Cerber targets a wide array of file extensions, but avoids those named bootsect.bak, iconcache.db, thumbs.db, or wallet.dat, according Bleeping Computer’s Lawrence Abrams

Furthermore, as Abrams explains, the malware also files with full pathnames that include a specific set of strings. Similar to the Locky ransomware, the new malicious application scans all accessible network shares on the network, including unmapped Windows shares, and encrypts any data that is found on them.

At first run, the ransomware checks whether the computer is located in one of the following countries: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan, and terminates itself if it is. Otherwise, it installs itself in the AppData folder and names itself after a random Windows executable.

The ransomware also configures Windows to automatically boot into Safe Mode with Networking on the next reboot and also configures itself to automatically start when the user logs into Windows, to run as screensaver, and to execute itself once every minute. Each time it is executed, Cerber displays a fake system alert and begins a reboot process and continues displaying them until the reboot is performed.

Once the reboot is initiated, the computer boots into Safe Mode with Networking and, once the user logs in, it reboots again in normal mode. As soon as the second reboot is completed, the ransomware, which uses a JSON configuration file for its settings, executes itself and starts encrypting the victim’s files.

After encrypting files, the ransomware creates 3 ransom notes on the user’s desktop and in every folder that it has encrypted: # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. These are ransom notes that contain info on what happened to user’s data and links to the Tor decryption service where the user can pay a ransom and retrieve the decryptor.

Researchers also discovered that the # DECRYPT MY FILES #.vbs file contains VBScript, which causes the computer to “speak” to the victim. The file includes a message stating that the user’s files have been encrypted, and the message is repeated numerous times.

The ransom notes link to the decrypttozxybarc.onion Tor site named Cerber Decryptor, where users can make payments and retrieve the decryptor keys. The site is available in 12 languages, includes a captcha, and provides users with details on how to pay the ransom, the ransom amount (1.24 bitcoins or around $500), and that the ransom should be paid in 7 days, otherwise it will double.

For the time being there is no way to decrypt files for free, and affected users are advised to restore their files from a backup.

Also of importance is the fact that Cerber is currently offered as a service on a closed underground Russian forum. While details on how the malware is being distributed are not available at the moment, the fact that it is Ransomware as a Service, or RaaS, means that even cybercriminals without advanced computer skills can use it to attack users.