Cerber

[26th February 2018]

An article for HelpNet by Jeff Erramouspe (Spanning Cloud) on How to protect Office 365 data from ransomware attacks.

Not a technical article, but not bad advice, and I haven’t publicized a how-to article on ransomware for quite a while.

“Ransomware, in particular, has introduced significant risks for Office 365 users. Cerber ransomware, for example, targeted Office 365 and flooded end users’ inboxes with an Office document that invoked malware via macros, and the now infamous WannaCry attack was engineered to take advantage of a Microsoft vulnerability. And now we have an even more insidious ransomware strain with ShurL0ckr – designed to evade the built in malware protection on OneDrive and Google Drive.”

[22nd December 2017]

David Bisson for Tripwire: Two Romanians Charged with Hacking 65% of DC Surveillance Camera Computers – mentions campaigns re CTB-Locker as well as Cerber and Dharma.

[20th December 2017]

Bleeping Computer reports the arrest of five Romanian distributors of spam associated with the CTB-Locker and Cerber ransomware families: Five Romanians Arrested for Spreading CTB-Locker and Cerber Ransomware

[18th August 2017]

Cybereason: Researchers at Cybereason have discovered a new strain of the Cerber ransomware that implements a new feature to avoid triggering canary files.

Apparently this strain of Cerber assumes that any malformed image file is a ‘canary’ file (a variation on the old idea of a goat file) and avoids encrypting it or any other file in the directory in which it’s found.

A goat file is a sacrificial file (by analogy with a ‘sacrificial goat’) that, once it has been infected, can be used to facilitate detection and/or analysis of a virus.

A canary file is intended to act like ‘a canary in a coal mine’, giving early warning of an attempt by ransomware to encrypt files, by analogy with a canary dropping unconscious or dead at the first hint of dangerous gases such as carbon monoxide.

Since it’s rather easy to generate a ‘malformed image file’, it’s been suggested that people do so to help protect folders containing valuable files. I suspect, however, that the Cerber gang (and other malefactors) have already twigged that one, so I certainly wouldn’t rely on such a strategy.

David Harley
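As an added example (not code from this page or from any of the articles it links to), a minimal canary-file check of the kind described above, in Python; the file name, its content and the scratch folder are assumptions. Because the strain described above skips folders that contain a malformed image file, the canary here is an ordinary text file rather than a broken image, so a file-encrypter that avoids such decoys still touches it and the check still fires.

```python
"""Canary-file check for early warning of file-encrypting ransomware.
Added example; file name, contents and folder layout are assumptions."""
import hashlib
import tempfile
from pathlib import Path

CANARY_NAME = "_canary_do_not_touch.txt"  # assumed name; any inert file will do
# Constructed content: an ordinary text file, not a malformed image, so a strain
# that treats malformed images as decoys (as described above) still encrypts it.
CANARY_CONTENT = b"canary: if this changes, something is rewriting this folder\n"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canary(folder: Path) -> str:
    """Write the canary into folder and return its baseline SHA-256."""
    folder.mkdir(parents=True, exist_ok=True)
    canary = folder / CANARY_NAME
    canary.write_bytes(CANARY_CONTENT)
    return sha256_of(canary)


def check_canary(folder: Path, baseline: str) -> str:
    """Return 'ok', 'modified' or 'missing'.

    Ransomware typically rewrites the content in place ('modified') or writes
    an encrypted copy under a new name and deletes the original ('missing').
    Either result is the early warning the canary is planted for."""
    canary = folder / CANARY_NAME
    if not canary.exists():
        return "missing"
    return "ok" if sha256_of(canary) == baseline else "modified"


def demo() -> list:
    """Plant a canary in a scratch folder, then simulate the two ways a
    file-encrypter would disturb it. Returns the three check results."""
    folder = Path(tempfile.mkdtemp())
    baseline = plant_canary(folder)
    results = [check_canary(folder, baseline)]        # untouched -> 'ok'
    (folder / CANARY_NAME).write_bytes(b"\x00\xffsimulated ciphertext")
    results.append(check_canary(folder, baseline))    # rewritten -> 'modified'
    (folder / CANARY_NAME).unlink()
    results.append(check_canary(folder, baseline))    # removed -> 'missing'
    return results


if __name__ == "__main__":
    print(demo())  # ['ok', 'modified', 'missing']
```

In practice the baseline hashes would be stored outside the watched folders and `check_canary` run on a schedule, with any non-'ok' result raising an alert.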

[8th August 2017]

[4th August 2017]

David Bisson for Tripwire: Cerber Ransomware Now Capable of Stealing Bitcoin Wallet Files

[3rd August 2017]

 for Malwarebytes: Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain. Magnitude ‘is mainly used to deliver the Cerber ransomware to specific countries in Asia.’ Interesting techniques.

The Merkle: Cerber Ransomware Rebrands to CRBR Encryptor (appears to be a rebranding rather than any sort of upgrade).

[4th May 2017]

Trend Micro: Cerber Version 6 Shows How Far the Ransomware Has Come (and How Far it’ll Go)

[April 3rd 2017]

SC Magazine: Cerber for servers: Apache Struts2 campaign targets servers with ransomware. See also the Struts group article.

[March 28th 2017]

TrendLabs: Cerber Starts Evading Machine Learning – ‘…it is now using a new loader that appears to be designed to evade detection by machine learning solutions…. This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection.’

[March 6th 2017]

Brad Duncan for Palo Alto: “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware. Apparently primarily distributes Cerber, but also Sage 2.0 and Locky.

[15th February 2017]

Trend Micro – CERBER Changes Course, Triple Checks for Security Software

David Bisson for Graham Cluley’s blog: Sage 2.0 ransomware wants to be just like Cerber when it grows up – Same parents or pure mimicry?

See also notes on GoldenEye for a Cerber-like attack on HR departments (5th January 2017)

25th November 2016: info from Check Point on new variants of Locky and Cerber. Two thanksgiving presents from the leading ransomware

November 22nd 2016:

Trend Micro: Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files

November 7th 2016:

Matthew Rosenquist, for McAfee: Cerber Ransomware Now Hunts for Databases

Commentary by Darren Pauli for The Register: Cerber ransomware menace now targeting databases – Why try to extract pennies from kiddies when there’s businesses to be bilked?

October 15th 2016

Trend Micro: Several Exploit Kits Now Deliver Cerber 4.0

October 5th 2016

Bleeping Computer reports on changes to Cerber in its new version: Cerber Ransomware switches to a Random Extension and Ends Database Processes

August 17th 2016

Check Point: CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service. Download the report from here, if you don’t mind sharing your contact details.

David Bisson for Graham Cluley’s blog: Cerber ransomware operation exposed… and boy is it lucrative! Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world

Help Net Security: The inner workings of the Cerber ransomware campaign

July 18th 2016

FireEye: CERBER: ANALYZING A RANSOMWARE ATTACK METHODOLOGY TO ENABLE PROTECTION

29th June 2016

Avanan: Widespread Attack on Office 365 Corporate Users with Zero-day Ransomware Virus

SC Magazine commentary

The Register commentary: Ransomware scum target corporate Office 365 users in 0-day campaign – Spam flood tried to drop malicious macros in inboxes

Commentary from SANS

7th June 2016

David Bisson for Graham Cluley’s blog: Cerber, the ransomware which talks to you, continues to evolve – New Cerber ransomware variant generates new hashes every 15 seconds.

[25th May 2016] A version of Cerber that incorporates a DDoS bot:

Lawrence Abrams, for Bleeping Computer, reports that The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You. Files are AES encrypted, a ransom starting at 1.24 Bitcoins is demanded, and there is currently no way of restoring encrypted files (except from backup of course) for free. And this ransomware, apparently offered as a service on a ‘closed underground Russian forum’, clearly wants to make it very clear that it’s struck: not only does it litter a victimized PC with ransom notes, but it also creates a VBS script that generates an audio message telling the victim that “Your documents, photos, databases and other important files have been encrypted!”

Other commentary by Shell Spawner$ and by David Bisson for Graham Cluley’s blog: Cerber ransomware speaks to you: ‘Your files are encrypted’ – If your files have a .CERBER extension, you don’t need malware to tell you you’ve got a problem

[27th April 2016]  describes for Malwarebytes how Malvertising On The Pirate Bay Drops Ransomware: specifically, Cerber delivered via the Magnitude exploit kit. Commentary by Darren Pauli for The Register: Game of P0wns: Malvertising menace strikes Pirate Bay season six downloads – There is no honour among content thieves. Meanwhile, Team Cymru takes A Look Inside Cerber Ransomware.