Cerber ransomware analysis
Aliases: Win32/Filecoder.Cerber.B (ESET-NOD32); Ransom.Cerber (Malwarebytes); Ransom:Win32/Cerber (Microsoft); Win-Trojan/Cerber.Gen (AhnLab-V3); RANSOM_CERBER (Trend Micro)
Cerber is one of the most widely spread ransomware families, consisting of many different variants, most of them still active to date. Its damage capabilities are extensive, targeting files and databases, and its reach is wide, as this family is part of the most important ransomware-as-a-service platforms.
This Cerber ransomware analysis is based on a representative, specific ransomware variant (having the hash value specified in the corresponding section below). There are other variants that behave similarly, but the details may differ to various extents.
Archive content: JavaScript file (.js extension)
Hash of the JavaScript file (SHA-256): 5cfc3401a4afe037fc5d43e1ca801d44152509bfb3ba6ca5d0ad32cab73e75f8 (VirusTotal report)
Payload download URL: h..p://www.caloploerd.top/admin.php?f=1
- Reads cryptographic machine data from the registry
- Reads user identification data from the registry
- Opens cmd.exe and launches the downloaded payload
Screenshots in the original post (not reproduced here): network communications (HTTP headers); successful payload download; registry changes to Internet Explorer settings; modified desktop background.
Payload file name: mtr98ho8c.exe
Payload file size: 603 KB
- Reads network and environment data, cryptographic data, user data, computer data, etc., to identify the victim machine;
- Connects to several external servers on UDP port 6893 and sends encrypted information;
- Saves some encrypted data to disk;
- Searches for files and folders to attack, starting with recently opened files;
- Starts the encryption process;
- Opens the ransom note;
- Launches a command line, executes taskkill and terminates itself;
- Hides or removes the original payload executable file.
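The two behaviour lists above (the .js downloader opening cmd.exe to run the payload, and the payload beaconing to several servers on UDP 6893 and finally killing itself through taskkill) map directly onto endpoint telemetry. The following is an added example, not code from the original post or from TEMASOFT: three detection rules run over constructed Sysmon-style process-creation and network-connection records. The event field names, pids, paths and IP addresses are assumptions of this example; only the payload file name and the UDP port come from the analysis.

```python
"""Detection of the Cerber infection chain above, run over constructed telemetry.

Added example, not code from the original analysis or from TEMASOFT. The
records imitate Sysmon-style process-creation and network-connection events;
the field names (event, pid, ppid, image, cmdline, proto, dst_ip, dst_port)
are an assumption of this example, not a real sensor schema.
"""
import ntpath
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # what runs a .js attachment
SHELLS = {"cmd.exe"}                           # the script opens cmd to start the payload
CERBER_UDP_PORT = 6893                         # beacon port named in the analysis
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample telemetry: pids, paths, IPs and the .js name are invented;
# the payload file name is the one reported in the analysis.
EVENTS = [
    {"event": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"event": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\mtr98ho8c.exe"},
    {"event": "process_create", "pid": 400, "ppid": 300,
     "image": r"C:\Users\alice\AppData\Local\Temp\mtr98ho8c.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\mtr98ho8c.exe"},
    {"event": "network_connect", "pid": 400, "proto": "udp",
     "dst_ip": "198.51.100.23", "dst_port": 6893},
    {"event": "network_connect", "pid": 400, "proto": "udp",
     "dst_ip": "198.51.100.24", "dst_port": 6893},
    {"event": "process_create", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im mtr98ho8c.exe"},
    {"event": "process_create", "pid": 600, "ppid": 500,
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im mtr98ho8c.exe"},
    # Benign noise: a browser using UDP (QUIC) to port 443 must not fire.
    {"event": "process_create", "pid": 700, "ppid": 100,
     "image": r"C:\Program Files\Browser\browser.exe", "cmdline": "browser.exe"},
    {"event": "network_connect", "pid": 700, "proto": "udp",
     "dst_ip": "203.0.113.5", "dst_port": 443},
]


def basename(path):
    return ntpath.basename(path).lower()


def ancestors(pid, procs):
    """Process-creation records of pid's parent, grandparent, ... (nearest first)."""
    chain, seen = [], {pid}
    p = procs.get(pid)
    while p is not None and p["ppid"] in procs and p["ppid"] not in seen:
        p = procs[p["ppid"]]
        seen.add(p["pid"])
        chain.append(p)
    return chain


def detect(events):
    """Return sorted (rule, pid) findings for the three Cerber-chain rules."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings = set()
    beacons = defaultdict(set)  # pid -> distinct UDP/6893 destinations
    for e in events:
        if e["event"] == "process_create":
            chain = ancestors(e["pid"], procs)
            names = [basename(p["image"]) for p in chain]
            # Rule 1: script host -> cmd.exe -> executable in a user-writable folder.
            if (any(d in e["image"].lower() for d in USER_WRITABLE)
                    and len(names) >= 2 and names[0] in SHELLS and names[1] in SCRIPT_HOSTS):
                findings.add(("script_host_shell_dropper", e["pid"]))
            # Rule 3: taskkill whose command line names one of its own ancestors
            # (the payload deleting itself via cmd.exe, as in the analysis).
            if basename(e["image"]) == "taskkill.exe":
                cmdline = e["cmdline"].lower()
                for p in chain:
                    name = basename(p["image"])
                    if name not in SHELLS and name in cmdline:
                        findings.add(("taskkill_self_termination", p["pid"]))
        elif e["event"] == "network_connect":
            if e["proto"] == "udp" and e["dst_port"] == CERBER_UDP_PORT:
                beacons[e["pid"]].add(e["dst_ip"])
    # Rule 2: "several external servers" on UDP 6893 -> require 2+ distinct peers.
    for pid, peers in beacons.items():
        if len(peers) >= 2:
            findings.add(("udp_6893_beacon", pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

All three rules converge on the payload process (pid 400), while the browser's UDP traffic to 443 stays silent; in a real deployment the same rules would be expressed in the EDR's query language, and rule 2 is best combined with a process allow-list since legitimate software rarely talks UDP/6893 from a user's temp folder.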
File attack pattern
- Modifies the attributes of the target file (to make sure that the encrypting process can operate on it);
- Reads the file;
- Encrypts the data in memory;
- Overwrites the original data with the encrypted data;
- Renames the original file and includes the specific extension (it does not keep the original file name, nor the original extension);
- Creates ransom notes in each attacked folder;
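The attack pattern above is what a file-activity monitor can score on: attribute changes followed by in-place overwrites, renames that keep neither the original name nor the extension, and the same new file dropped into every folder that was touched. The block below is an added example, not code from the original post or from TEMASOFT, and scores a constructed stream of per-process file events (ops setattr, read, write, rename, create) against those three signals, with a benign editor's save-via-temp-file pattern beside it so the rename heuristic is shown not to fire on normal activity. The event format, the note name and the ".locked" extension are placeholders chosen for this example, not Cerber's real ones.

```python
"""Behavioural scoring of file operations for the attack pattern above.

Added example, not part of the original analysis. The per-process file
events (ops: setattr, read, write, rename, create) are a constructed,
simplified form of what a minifilter or EDR file monitor would deliver;
the note file name and the ".locked" extension are placeholders, not
Cerber's real ones.
"""
import ntpath
from collections import defaultdict

RENAME_THRESHOLD = 5    # full-name renames by one process before it is a strong signal
NOTE_DIR_THRESHOLD = 2  # same new file name dropped in at least this many folders


def _stem_ext(path):
    stem, ext = ntpath.splitext(ntpath.basename(path).lower())
    return stem, ext


def is_full_rename(old, new):
    """True when neither the stem nor the extension survives the rename.

    Editors typically keep one of the two (report.docx -> report.docx.bak,
    ~report.tmp -> report.docx); the pattern above keeps neither.
    """
    old_stem, old_ext = _stem_ext(old)
    new_stem, new_ext = _stem_ext(new)
    stem_kept = old_stem in new_stem or new_stem in old_stem
    return not stem_kept and old_ext != new_ext


def analyse(events):
    """Return per-pid counters plus a score and a suspicious flag."""
    state = defaultdict(lambda: {"attr": set(), "overwrites": 0,
                                 "full_renames": 0, "created": defaultdict(set)})
    for ev in events:
        s, op = state[ev["pid"]], ev["op"]
        if op == "setattr":
            s["attr"].add(ev["path"].lower())
        elif op == "write" and ev["path"].lower() in s["attr"]:
            s["overwrites"] += 1   # in-place overwrite after an attribute change
        elif op == "rename" and is_full_rename(ev["path"], ev["new_path"]):
            s["full_renames"] += 1
        elif op == "create":
            name = ntpath.basename(ev["path"]).lower()
            s["created"][name].add(ntpath.dirname(ev["path"]).lower())
        # "read" is not scored: every process reads files
    verdicts = {}
    for pid, s in state.items():
        note_dirs = max((len(d) for d in s["created"].values()), default=0)
        score = 0
        if s["full_renames"] >= RENAME_THRESHOLD:
            score += 2
        if s["overwrites"] >= RENAME_THRESHOLD:
            score += 1
        if note_dirs >= NOTE_DIR_THRESHOLD:
            score += 1
        verdicts[pid] = {"full_renames": s["full_renames"], "overwrites": s["overwrites"],
                         "note_dirs": note_dirs, "score": score, "suspicious": score >= 3}
    return verdicts


def cerber_like_events(pid, files, note_name="RECOVER_FILES.txt"):
    """Constructed event stream following the attack pattern in the post."""
    out = []
    for i, path in enumerate(files):
        folder = ntpath.dirname(path)
        out += [{"pid": pid, "op": "setattr", "path": path},
                {"pid": pid, "op": "read", "path": path},
                {"pid": pid, "op": "write", "path": path},
                {"pid": pid, "op": "rename", "path": path,
                 "new_path": ntpath.join(folder, f"{i:08d}.locked")}]
        out.append({"pid": pid, "op": "create", "path": ntpath.join(folder, note_name)})
    return out


def editor_like_events(pid, docs):
    """Constructed benign save-via-temp-file pattern (the stem is preserved)."""
    out = []
    for path in docs:
        folder = ntpath.dirname(path)
        stem, _ = _stem_ext(path)
        tmp = ntpath.join(folder, f"~{stem}.tmp")
        out += [{"pid": pid, "op": "create", "path": tmp},
                {"pid": pid, "op": "write", "path": tmp},
                {"pid": pid, "op": "rename", "path": tmp, "new_path": path}]
    return out


SAMPLE_EVENTS = (
    cerber_like_events(400, [r"C:\Users\alice\Documents\budget.xlsx",
                             r"C:\Users\alice\Documents\notes.docx",
                             r"C:\Users\alice\Documents\plan.pdf",
                             r"C:\Users\alice\Pictures\trip.jpg",
                             r"C:\Users\alice\Pictures\family.png",
                             r"C:\Users\alice\Pictures\cat.gif"])
    + editor_like_events(77, [r"C:\Users\alice\Documents\report.docx",
                              r"C:\Users\alice\Documents\memo.docx"])
)

if __name__ == "__main__":
    for pid, verdict in analyse(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

The thresholds are deliberately low so the example trips on six files; a production monitor would apply them per time window and would act on the verdict (suspend the process, snapshot the touched folders) rather than just report it, which is where a canary-file layer on top of this scoring earns its keep.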
Cerber ransomware is powerful malware that renders data unreadable and demands ransom for its recovery. TEMASOFT Ranstop offers protection against it and other ransomware, including new and zero-day variants.
Find out more about how to protect against Cerber and other ransomware, or get a free trial of our anti-ransomware technology.