Ransomware is one of the most dangerous threats to many industries and businesses nowadays. Ransomware attacks cause material losses amounting to millions of dollars per year worldwide, and this amount is growing year after year. There are different ransomware families, and Cerber ransomware is one of the most devastating.
This blog post covers Cerber ransomware, infection methods, the working principle, how to remove Cerber ransomware, and how to protect against Cerber. The typical behavior of Cerber is explained to help prevent and deal with this dangerous type of ransomware.
What is Cerber ransomware? Cerber is a type of ransomware that infects computers and encrypts files. Cybercriminals then demand that victims pay a ransom in bitcoins to receive a key that releases the files. However, there is no guarantee that a victim can get the data back after paying a ransom.
The first version of Cerber ransomware was created in 2016. In 2018, it seemed that Cerber attacks had stopped. But in 2020, Cerber came back, and new attacks were launched with updated versions of this ransomware.
Cerber ransomware uses the ransomware as a service (RaaS) model for distribution. Cerber is highly customizable ransomware. Ransomware attackers can become affiliates, use ransomware provided by Cerber developers, and split the ransom with the Cerber developers (paying them about 40% of the received ransom money). This approach allows cybercriminals to launch more attacks with less work.
The statistics on ransomware infections are staggering. More than 52 million attacks were launched in the first half of 2021. Both enterprises and individual users are being targeted. Organizations in diverse industries were targets of ransomware attacks with Cerber. No one is safe from Cerber ransomware.
Examples of how antivirus software detects Cerber:
Sophisticated techniques are used to infect computers and encrypt files. Let’s explain how victims are infected to understand infection vectors and how to protect against Cerber ransomware.
Spam, malvertising (malware-infected ads on websites), exploit kits, and exploitation of vulnerable websites are methods to infect computers. The main attack vector is spam and phishing emails sent to victims. An email message contains text that manipulates a victim and tricks them into opening an attached file. Attackers use social engineering to compose an email that seems legitimate, for example, an email from a bank, delivery service, etc. Usually, a Word document with malicious macros is attached to the email message. Microsoft Office exploits can also be used.
When a user opens the infected DOCX file, the macro in the document writes a piece of Visual Basic Script (VBScript) into memory and executes this script. The VBScript launches PowerShell in hidden mode and can bypass PowerShell execution policies. A PowerShell command then connects to a malicious site and downloads the Cerber ransomware payload. If the connection is successful, an executable Cerber file is downloaded to the computer and executed from PowerShell. There are Cerber versions that use JavaScript instead of VBScript.
The hash of the malware file can change every few seconds: the file is re-stamped with a newer timestamp and data bytes are appended, so that hash-based detection methods no longer match it.
A double-zipped file, such as a self-extracting archive (SFX), with a malicious Windows Script File (WSF) is another variation of the attached file. A phishing email can contain an unsubscribe link that redirects to the same malicious Cerber file. The archive contains three files:
There are versions of Cerber ransomware with installers that contain a .ch file and .caz shellcode file with the code to decrypt the executable .ch file. In this case, Cerber uses Nullsoft Scriptable Install System to hide. Note that file names, file locations, configuration formats, and other parameters can change with the release of new versions of Cerber ransomware.
Wscript.exe is used to run the VBScript that executes a DLL export through rundll32.exe, which decrypts data from the X component and executes malicious code.
The X component is completely encrypted. The first encrypted part is loaded from X and is used to detect reverse-engineering and analysis environments (anti-emulation and anti-debugging techniques) that researchers use to study Cerber ransomware. The second part of the X component is extracted and injected into Regasm.exe or WerFault.exe, where it is hidden. This second component checks for .NET Framework. If .NET Framework is found, Cerber checks the version of the framework and injects malicious code. If .NET Framework is not found, Cerber injects code into WerFault.exe. Thus Cerber ransomware can infect both 32-bit and 64-bit Windows operating systems.
Cerber checks files and directories that can indicate that it’s running inside virtual machines (VMs) or sandbox environments to make researching more difficult for security experts.
In order to check whether Cerber ransomware is running on a VM, Cerber checks the registry key:
HKLM\SYSTEM\CurrentControlSet\Enum\PCI
Each subkey in this registry key represents a Peripheral Component Interconnect (PCI) device installed for the machine by using this format:
VEN_XXXX&DEV_XXXX&SUBSYS_XXXXXXXXX&REV_XX
VEN is the Vendor ID and DEV is the Device ID, both in hexadecimal (HEX) format. When hardware virtualization is used, hardware devices are emulated. Virtual devices carry the Vendor IDs and Device IDs of the hardware virtualization platform on which the VM is running.
If Cerber ransomware detects that it is running in a VM, the ransomware terminates itself. However, you still need to perform VM backups regularly.
Cerber also tries to find the VMware substring that indicates that it’s running inside the VMware VM and strings pointing to the VMs of other vendors in the registry key:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Cerber ransomware is highly configurable. Lists and tags are defined as configuration parameters. A list of blacklisted countries in the JavaScript Object Notation (JSON) format is used to avoid infecting computers whose internet connections use IP addresses assigned to these countries. Cerber identifies the country by checking the public IP address of the potential victim. The system keyboard layout is also checked to avoid infecting computers from the blacklisted countries.
The countries excluded from ransomware attacks in the Cerber configuration are Russia and some neighboring countries. Security researchers presume that Cerber creators were located in Russia and wanted to target developed countries to get more money from victims. An attack is avoided if Cerber detects that one of these keyboard layouts is installed as the system keyboard layout on a computer: 1049—Russian, 2115—Uzbek (Cyrillic), 2092—Azeri (Cyrillic), 1068—Azeri (Latin), 2073—Russian (Moldova), 2072—Romanian (Moldova), 1091—Uzbek (Latin), 1090—Turkmen, 1088—Kyrgyz (Cyrillic), 1087—Kazakh, 1079—Georgian, 1067—Armenian, 1064—Tajik, 1059—Belarusian, 1058—Ukrainian.
Once executed, Cerber ransomware checks the directory from which the ransomware has been launched. If Cerber is not launched from %APPDATA%\<GUID>, then a copy of the Cerber file is created in the %APPDATA% directory of a user on a Windows machine. The file name is selected randomly by using one of the file names in the %WINDIR%\system32 directory for better masquerading.
Bypassing Windows protection and changing Windows configuration is another part of Cerber’s aggressive behavior. User Account Control (UAC) checks are bypassed. Cerber ransomware deletes Volume Shadow Copies to disable Windows restore options and disables safe boot options to prevent Windows from being repaired after infection. The commands used are:
Vssadmin.exe "delete shadows /all /quiet"
WMIC.exe "shadowcopy delete"
Bcdedit.exe "/set {default} recoveryenabled no"
Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"
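The four commands above are the most reliable host-level signal of the pre-encryption stage, and process-creation telemetry (Sysmon Event ID 1, Windows 4688 with command-line auditing) records them. The detection logic below is an added example, not code from the original post; it runs over constructed Sysmon-style log lines, normalises quoting and spacing so the quoted forms shown above still match, and scores a host by how many distinct recovery-tampering commands it has issued.

```python
import re

# Constructed process-creation log lines in a Sysmon Event ID 1 style,
# not real telemetry. The last two lines are benign and must not alert.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\vssadmin.exe | CommandLine: vssadmin.exe delete shadows /all /quiet",
    "Image: C:\\Windows\\System32\\wbem\\WMIC.exe | CommandLine: WMIC.exe shadowcopy delete",
    "Image: C:\\Windows\\System32\\bcdedit.exe | CommandLine: bcdedit.exe /set {default} recoveryenabled no",
    "Image: C:\\Windows\\System32\\bcdedit.exe | CommandLine: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "Image: C:\\Windows\\System32\\vssadmin.exe | CommandLine: vssadmin.exe list shadows",
    "Image: C:\\Windows\\System32\\bcdedit.exe | CommandLine: bcdedit.exe /enum",
]

# One rule per command the text lists. Matching is case-insensitive and runs
# on a normalised command line, so quoting and spacing tricks do not hide it.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

def extract_command_line(event):
    """Pull the CommandLine field out of one log line ('' if absent)."""
    m = re.search(r"CommandLine:\s*(.*)$", event)
    return m.group(1).strip() if m else ""

def normalise(cmd):
    """Strip double quotes and collapse whitespace before matching."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip()

def match_rules(event):
    """Names of all rules that fire on one log line."""
    cmd = normalise(extract_command_line(event))
    return [name for name, pat in RULES if pat.search(cmd)]

def scan(events):
    """Return (rule_name, normalised_command) for every hit, in log order."""
    hits = []
    for ev in events:
        cmd = normalise(extract_command_line(ev))
        hits.extend((name, cmd) for name in match_rules(ev))
    return hits

def recovery_tampering_score(events):
    """Number of distinct rules hit; two or more on one host matches the
    pre-encryption pattern described in the text and deserves an alert."""
    return len({name for name, _ in scan(events)})
```

A single `vssadmin list shadows` or `bcdedit /enum` is routine administration and scores zero, which is why the rules key on the destructive verbs rather than on the binaries.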
Cerber performs multiple manipulations to make the configuration persistent, run encryption after reboot, and display notifications after finishing file encryption:
While preparing to encrypt files, Cerber connects to external servers on UDP port 6893, sends encrypted information, and saves some of the encrypted data it receives to disk. At this time, Cerber ransomware can encrypt 294 file extensions. This number has significantly increased compared to the first version of Cerber.
AES-256, RSA-2048, and RC4 encryption algorithms are used to encrypt files that are accessible from the infected computer. A 256-bit AES key is generated on the victim’s computer and then protected with a 2048-bit RSA key. The RSA layer is asymmetric – encryption and decryption keys are different. The encryption key is a public key and the decryption key is a private key. The private key is needed to decrypt the encrypted files, and it cannot be derived from the public key.
Cerber kills processes that hold files open, because a file locked by a running application cannot be encrypted. Cerber attempts to close database software to encrypt database files. This ransomware can also close applications like Word, Excel, and others to encrypt documents that are open. The list of the processes that can be killed is defined in the Cerber configuration with the close_process list tag.
Cerber encrypts accessible files (that have supported file extensions), including files on network disks and file shares. Renaming the file extension back does not make an encrypted file openable.
Encrypted files have extensions like:
.cerber, .cerber2, .cerber3, .af47, .a48f, .ba99, .beef, or random characters. Random names make it more difficult to scan and find the files that were encrypted.
There is a known algorithm for how these random file extensions are generated. Cerber ransomware checks this registry entry before generating the extension that will be used for encrypted files:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
The format of MachineGuid is the following:
XXXXXXXX-YYYY-ZZZZ-AAAA-BBBBBBBBBBBB
Eight characters in the first part (XXXXXXXX in this example) are used to generate a directory name for Cerber in the %TEMP% folder.
Four characters in part 2 and part 3 (YYYY, ZZZZ) are used to name Cerber component files.
Four characters in part 4 (AAAA) are used to name the extensions of the encrypted files.
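Because the host-specific extension is derived from a registry value that survives the infection, an incident responder can read MachineGuid from the affected machine and compute what to search for instead of guessing. The helper below is an added example, not the post's or Cerber's own code; it assumes the four parts are used verbatim (lower-cased here for matching), works on a constructed MachineGuid and directory listing, and also recognises the fixed extensions listed above.

```python
import re

# Constructed values, not taken from a real host: a MachineGuid-shaped string
# and a directory listing containing files to classify.
SAMPLE_MACHINE_GUID = "3a7f21c9-4b0d-8e2a-91f6-0c5d3b7a1e42"
SAMPLE_LISTING = [
    "budget.xlsx.91f6",
    "report.docx.91f6",
    "photo.jpg",
    "notes.txt.cerber3",
    "_R_E_A_D___T_H_I_S___A1B2_.txt",
]

GUID_RE = re.compile(
    r"^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})$", re.I
)

# Fixed extensions from the text; the host-specific one is added at runtime.
KNOWN_EXTENSIONS = {".cerber", ".cerber2", ".cerber3", ".af47", ".a48f", ".ba99", ".beef"}

def split_machine_guid(guid):
    """Return the five dash-separated parts of a MachineGuid, else raise."""
    m = GUID_RE.match(guid.strip())
    if not m:
        raise ValueError("not a MachineGuid-shaped value: %r" % guid)
    return m.groups()

def cerber_artifacts(guid):
    """Names the text says Cerber derives from MachineGuid parts 1-4.
    Assumption: the parts are used verbatim (lower-cased here for matching)."""
    p1, p2, p3, p4, _ = split_machine_guid(guid)
    return {
        "temp_dir_name": p1.lower(),                   # directory under %TEMP%
        "component_names": [p2.lower(), p3.lower()],   # component file names
        "encrypted_ext": "." + p4.lower(),             # extension of encrypted files
    }

def encrypted_file_extensions(guid):
    """Every extension worth searching for on this host."""
    return KNOWN_EXTENSIONS | {cerber_artifacts(guid)["encrypted_ext"]}

def find_encrypted_files(listing, guid):
    """Return names from a directory listing that carry a Cerber extension."""
    exts = encrypted_file_extensions(guid)
    return [f for f in listing if any(f.lower().endswith(e) for e in exts)]
```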
System files of the operating system (OS) are not encrypted, so that the OS can still boot and display the ransom note.
Once the file encryption has finished, the desktop wallpaper is changed and additional ransom notes are added in .txt, .vbs, .hta, and .html files on the desktop and in other folders. Cerber ransomware kills itself (kills the task in CMD or PowerShell), and the original payload executable files are hidden or deleted after finishing encryption.
Examples of the note files:
README.hta
_READ_THIS_FILE.hta
# HELP DECRYPT#.html
# DECRYPT MY FILES #.txt
# DECRYPT MY FILES #.html
HELP_HELP_HELP[random characters].hta
_R_E_A_D___T_H_I_S___[random]_.txt
_R_E_A_D___T_H_I_S___[random]_.hta
These notes contain a link to download the TOR browser, a link to the website on the dark web, where payment can be made, and instructions. The text notification can be accompanied by an audio message when opening the VBS file. Notes are provided in 12 languages including English, German, Spanish, French, Italian, Polish, Turkish, Dutch, Japanese, and Chinese.
Attackers demand the victim pay a ransom within 7 days. After 7 days have passed, the price is doubled. New versions of Cerber can add an infected computer to a botnet used for distributed denial of service (DDoS) attacks and other illegal activities. This tactic allows attackers to get an advantage even if the victim doesn’t pay the ransom.
If you see that a computer is infected with Cerber ransomware, take these actions:
In order to remove Cerber ransomware, follow these steps:
Unfortunately, removing Cerber ransomware doesn’t recover encrypted files. Try to perform these actions for file recovery:
It is recommended that you reinstall the OS that was infected with Cerber ransomware because the infected OS will not function properly. A better method is to recover a partition with the OS from a backup image.
The strategy for protecting against Cerber ransomware is similar to the general strategy of ransomware protection.
Cerber ransomware is extremely dangerous because this ransomware can corrupt most files on a computer. Knowing the behavior and working principles of Cerber can help you detect this ransomware. This blog post has covered Cerber ransomware and explained how Cerber works, how to remove Cerber ransomware, how to protect against Cerber attacks, and how to recover data if files were corrupted. The most effective methods to protect your files against ransomware are preventive measures. Use antivirus protection, patch vulnerabilities, educate users, configure user access to resources properly, and perform data backup regularly.