Cerber ransomware analysis

Aliases: Win32/Filecoder.Cerber.B (ESET-NOD32); Ransom.Cerber (Malwarebytes); Ransom:Win32/Cerber (Microsoft); Win-Trojan/Cerber.Gen (AhnLab-V3); RANSOM_CERBER (Trend Micro)

Overview

Cerber is one of the most widely spread ransomware families, consisting of many different variants, most of them still active to date. Its damage capabilities are extensive, targeting files and databases, and its reach is wide, as this family is part of the most important ransomware-as-a-service platforms.

This Cerber ransomware analysis is based on a representative, specific ransomware variant (having the hash value specified in the corresponding section below). There are other variants that behave similarly, but the details may differ to various extents.

The ransomware spreads via email with a JavaScript attachment. When executed, the script connects to the internet and downloads the payload that performs the actual encryption. The payload encrypts the files, changes the desktop picture to a ransom note and drops a ransom note in every folder it successfully attacks.

Email attachment

Type: zip
Archive content: JavaScript file (.js extension)
Hash of JavaScript file: 5cfc3401a4afe037fc5d43e1ca801d44152509bfb3ba6ca5d0ad32cab73e75f8 (VirusTotal report)
Payload download URL: h..p://www.caloploerd.top/admin.php?f=1

Attachment actions

  • Upon execution, the JavaScript connects to a server and downloads the payload
  • Reads the machine's cryptography data from the registry
  • Reads user identification data from the registry
  • Opens cmd and launches the downloaded payload

Network communications – HTTP headers

[Figure: HTTP headers]

[Figure: successful payload download]

[Figure: successful payload download (cached)]

Registry changes to Internet Explorer settings

[Figure: registry changes to Internet Explorer settings]

Modified desktop background

[Figure: modified desktop image]

Payload details

File name: mtr98ho8c.exe;

File size: 603 KB;

Hash: 24D829C336777A0DAC903D3860B694984C0CC88DCCB85CA56B128647F156F510.

Actions

  1. Reads network and environment data, cryptography data, user data, computer data, etc. for identification purposes;
  2. Connects to several external servers on UDP port 6893 and sends encrypted information;
  3. Saves some encrypted data to disk;
  4. Searches for files and folders to attack, starting with recently opened files;
  5. Starts the encryption process;
  6. Opens the ransom note;
  7. Launches a command line, executes taskkill and terminates itself;
  8. Hides or removes the original payload executable file.
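Step 2 above (UDP traffic to several external servers on port 6893) is a usable network indicator. The following detection logic is an added example, not part of the original post or of any TEMASOFT product: it scans constructed firewall-style log lines and flags a process that sends UDP datagrams on port 6893 to several distinct external addresses within a short window. The log format, the RFC 1918 check and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict

CERBER_UDP_PORT = 6893   # destination port reported in the write-up

def parse_line(line):
    """Parse one constructed line of the form 'ts proto src_ip:port -> dst_ip:port pid'."""
    ts, proto, src, _, dst, pid = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src": src, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "pid": int(pid)}

def is_private(ip):
    """RFC 1918 check; assumption: only these ranges count as internal in this example."""
    if ip.startswith(("10.", "192.168.")):
        return True
    return ip.startswith("172.") and 16 <= int(ip.split(".")[1]) <= 31

def udp_fanout(lines, port=CERBER_UDP_PORT, min_hosts=3, window=60):
    """Return {pid: sorted external hosts} for processes that sent UDP to at least
    min_hosts distinct external addresses on `port` within `window` seconds."""
    seen = defaultdict(list)   # pid -> [(ts, dst_ip)]
    for line in lines:
        ev = parse_line(line)
        if ev["proto"] == "UDP" and ev["dst_port"] == port and not is_private(ev["dst_ip"]):
            seen[ev["pid"]].append((ev["ts"], ev["dst_ip"]))
    hits = {}
    for pid, conns in seen.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):          # slide the window over each start time
            hosts = {ip for t, ip in conns[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[pid] = sorted(hosts)
                break
    return hits

# Constructed sample log (TEST-NET addresses); pid 4242 models the payload, pid 1000 is benign.
SAMPLE_LOG = """\
1700000000 UDP 192.168.1.20:50111 -> 203.0.113.10:6893 4242
1700000005 UDP 192.168.1.20:50111 -> 203.0.113.11:6893 4242
1700000009 UDP 192.168.1.20:50111 -> 198.51.100.7:6893 4242
1700000012 UDP 192.168.1.20:50111 -> 198.51.100.8:6893 4242
1700000020 UDP 192.168.1.20:51000 -> 192.168.1.1:53 1000
1700000030 TCP 192.168.1.20:51001 -> 203.0.113.50:443 1000
""".splitlines()

if __name__ == "__main__":
    print(udp_fanout(SAMPLE_LOG))
```

A single outbound UDP datagram on an unusual port is weak evidence on its own; the fan-out to several hosts from one process within seconds is what makes this rule worth alerting on.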

File attack pattern

  • Modifies the attributes of the target file (to make sure that the encrypting process can operate on it);
  • Reads the file;
  • Encrypts the data in memory;
  • Overwrites the original data with the encrypted data;
  • Renames the original file and includes the specific extension (it does not keep the original file name, nor the original extension);
  • Creates ransom notes in each attacked folder.
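The per-file sequence above (attribute change, read, in-place overwrite, rename that drops both name and extension, new file in the folder) is distinctive enough to detect from file-system telemetry. The following is an added example, not code from the original post or from TEMASOFT: it tracks that sequence per process and per file over a constructed event stream and flags a process once it completes the pattern on several files. The event layout, the ".a1b2" extension and the note file name are placeholders, not values from the real sample.

```python
import ntpath
from collections import defaultdict

ATTACK_SEQUENCE = ("setattr", "read", "write")   # per-file order from the write-up; rename checked separately

def rename_hides_identity(old_path, new_path):
    """True when neither the original stem nor the extension survives the rename."""
    old_stem, old_ext = ntpath.splitext(ntpath.basename(old_path))
    new_stem, new_ext = ntpath.splitext(ntpath.basename(new_path))
    return old_stem != new_stem and old_ext.lower() != new_ext.lower()

def detect_cerber_like(events, min_files=3):
    """Return {pid: {"files": [...], "noted_folders": [...]}} for processes that completed
    setattr -> read -> write -> identity-hiding rename on at least min_files files.
    events: dicts with pid, op (setattr/read/write/rename/create), path, new_path (renames)."""
    progress = defaultdict(dict)   # pid -> path -> steps of ATTACK_SEQUENCE seen so far
    attacked = defaultdict(list)   # pid -> paths that completed the full pattern
    created = defaultdict(set)     # pid -> folders where the process created a new file
    for ev in events:
        pid, op, path = ev["pid"], ev["op"], ev["path"]
        step = progress[pid].get(path, 0)
        if op == "create":
            created[pid].add(ntpath.dirname(path))
        elif op == "rename":
            if step == len(ATTACK_SEQUENCE) and rename_hides_identity(path, ev["new_path"]):
                attacked[pid].append(path)
            progress[pid].pop(path, None)   # any rename restarts the per-file sequence
        elif step < len(ATTACK_SEQUENCE) and op == ATTACK_SEQUENCE[step]:
            progress[pid][path] = step + 1
    report = {}
    for pid, files in attacked.items():
        if len(files) >= min_files:   # noted_folders: attacked folders that also got a new file
            folders = {ntpath.dirname(f) for f in files}
            report[pid] = {"files": files, "noted_folders": sorted(folders & created[pid])}
    return report

def _attack(pid, path, new_path):   # builds one full per-file sequence for the sample data
    ops = [{"pid": pid, "op": o, "path": path} for o in ATTACK_SEQUENCE]
    return ops + [{"pid": pid, "op": "rename", "path": path, "new_path": new_path}]

# Constructed events; the ".a1b2" extension and note file name are placeholders, not the sample's.
SAMPLE_EVENTS = (
    _attack(4242, r"C:\Users\a\Docs\budget.xlsx", r"C:\Users\a\Docs\k3j9x.a1b2")
    + _attack(4242, r"C:\Users\a\Docs\notes.docx", r"C:\Users\a\Docs\p0q7m.a1b2")
    + [{"pid": 4242, "op": "create", "path": r"C:\Users\a\Docs\note_placeholder.txt"}]
    + _attack(4242, r"C:\Users\a\Pictures\photo.jpg", r"C:\Users\a\Pictures\z8w2c.a1b2")
    + [{"pid": 4242, "op": "create", "path": r"C:\Users\a\Pictures\note_placeholder.txt"}]
    + [{"pid": 1000, "op": o, "path": r"C:\Users\a\Docs\draft.docx"} for o in ("read", "write")]
    + [{"pid": 1000, "op": "rename", "path": r"C:\Users\a\Docs\draft.docx", "new_path": r"C:\Users\a\Docs\draft_v2.docx"}]
)
```

The benign editor (pid 1000) is not flagged because it never changes attributes first and its rename keeps the extension; raising min_files trades earlier alerts for fewer false positives.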


Ransom note example

[Figure: ransom note example]

Conclusion

Cerber ransomware is powerful malware that renders data unreadable and demands ransom for its recovery. TEMASOFT Ranstop offers protection against it and other ransomware, including new and zero-day variants.

Find out more about how to protect against Cerber and other ransomware, or get a free trial of our anti-ransomware technology.

This post was last modified on August 21, 2023 7:27 am

Calin Ghibu

Technical background: over 15 years experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: Network audit, information security, web security, endpoint security, perimeter security SIEM, legal compliance, competitive intelligence.
