Cerber is a strain of ransomware that was first identified in early 2016. It is a type of malware that encrypts a victim’s files and demands a ransom for the decryption key needed to unlock the files. Cerber, like many other ransomware variants, typically targets individuals and organizations by encrypting their files and demanding a ransom payment (usually in cryptocurrencies like Bitcoin) for the decryption key.
Technical Analysis:
The Cerber ransomware main payload is custom-packed, so the code is initially unreadable. After unpacking the sample, we found the actual payload, 376165CCD556CD74658AFEA9F6F428F9, as shown in Fig 1.
Fig.1: Unpacking of Cerber
When the payload is executed, it checks for specific mutexes. If any of them is already present, the malware stops executing. This mutex check is built into the ransomware code to prevent it from re-infecting the same machine.
Fig.2: Creating Mutex
Further, it decrypts embedded data using CryptoAPI; the decrypted data contains the following:
- Blocklisted file extensions and folders
- Excluded country based on Language ID
- Targeted Extensions
- Base64-encoded public RSA key and ransom note in HTML format
- Ransom Note in TXT format
Fig.3: Decrypted data
The ransomware excludes several countries from the attack (Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan).
Fig.4: Excluded extensions, folders, and country codes
It then traverses the decrypted data and uses these values in its later encryption routine.
Fig.5: Traversing the data
Evasion Technique:
Cerber exhibits advanced capabilities by identifying and configuring Windows firewall rules to obstruct outbound traffic from the executable binaries of installed firewalls, antivirus, and anti-spyware products. This tactic aims to impede the communication and functionality of these security tools, potentially enhancing the ransomware’s ability to persist on the compromised system and evade detection. This sophisticated maneuver underscores the evolving nature of Cerber, posing a significant challenge for cybersecurity measures seeking to counteract its impact.
Fig.6: Disabling AV services
C2 Connection:
Cerber ransomware establishes connections to port 6893 on IPs specified by CIDR in the configuration. The communication packet initiation involves a hash prefixed with the Machine GUID (MD5_KEY). The packet concludes with parameters such as PARTNER_ID, OS details, IS_X64 (indicating whether the system is 64-bit), IS_ADMIN (reflecting administrative privileges), COUNT_FILES (the count of files on the system), STOP_REASON (reason for stopping), and STATUS (status information). This communication protocol serves as a method for exchanging data with the specified IPs, illustrating the ransomware’s sophisticated approach to interaction and control within the compromised system.
The communication packet starts with a hash consisting of the Machine GUID, {MD5_KEY}, and ends with {PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}.
The destination IPs vary according to the configuration's ip value: "ip":["93.107.12.0/27","95.1.200.0/27","87.98.176.0/22"]
Fig.7: C2 connection
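The port and CIDR ranges above are enough to write a tight network detection. The following is an added example (not code from the original post or from the malware): it checks constructed flow-log lines for connections to port 6893 inside the three configured ranges. The log line shape and the protocol column are assumptions; the page does not state whether the traffic is TCP or UDP.

```python
import ipaddress
import re

# Port and CIDR ranges as given in the Cerber configuration above.
CERBER_C2_PORT = 6893
CERBER_C2_RANGES = [ipaddress.ip_network(c) for c in
                    ("93.107.12.0/27", "95.1.200.0/27", "87.98.176.0/22")]

# Assumed flow-log line shape (constructed for this example, not a vendor format):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
FLOW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)$")


def is_cerber_c2(dst_ip: str, dst_port: int) -> bool:
    """Require BOTH the port and a configured range to agree: the /22 alone
    covers 1024 addresses, so matching on range without the port would be noisy."""
    if dst_port != CERBER_C2_PORT:
        return False
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    return any(addr in net for net in CERBER_C2_RANGES)


def find_c2_flows(lines):
    """Return (timestamp, src_ip, dst_ip, dst_port) for every matching flow.
    Malformed lines are skipped rather than raising."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, _src_port, dst, dst_port, _proto = m.groups()
        if is_cerber_c2(dst, int(dst_port)):
            hits.append((ts, src, dst, int(dst_port)))
    return hits


# Constructed sample flows: the protocol column is carried but not filtered on,
# since the page does not state whether the traffic is TCP or UDP.
SAMPLE_FLOWS = [
    "2024-01-05T10:00:01Z 10.0.0.15:49152 -> 93.107.12.17:6893 udp",   # in 93.107.12.0/27
    "2024-01-05T10:00:02Z 10.0.0.15:49153 -> 93.107.12.40:6893 udp",   # .40 is outside the /27
    "2024-01-05T10:00:03Z 10.0.0.15:49154 -> 87.98.178.200:6893 udp",  # in 87.98.176.0/22
    "2024-01-05T10:00:04Z 10.0.0.15:49155 -> 87.98.178.200:443 tcp",   # right range, wrong port
    "2024-01-05T10:00:05Z 10.0.0.22:49160 -> 95.1.200.5:6893 udp",     # in 95.1.200.0/27
    "garbage line that does not parse",
]
```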
Encryption:
It drops two files, each containing part of the RSA key, which is later used in the encryption process.
Fig.8: Adding part of the key in the tmp file
Fig.9: Adding part of the key in the tmp file
Fig.10: Use of Crypto API
It implements the RSA and RC4 algorithms in its encryption routine and uses CryptoAPI. A separate function reads each file, skips the first 1800 bytes, encrypts the rest of the content, and writes it back to the file, as shown in Fig 12.
Following encryption, the ransomware renames each file to a randomly generated string matching the pattern [0-9a-zA-Z_-]{10} and appends the “.a769” extension. The figure below shows files after this encryption, with their changed names and extensions.
Fig.11: Encrypted files
Fig.12: Skipping 1800 bytes from the header
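Because Cerber leaves the first 1800 bytes of each file untouched, a file's magic bytes still look normal after encryption; a triage check therefore has to look at the body, not the header. The following is an added example (not code from the original post) that combines the naming pattern, the ransom-note name and a body-entropy check over a constructed folder listing; the plaintext header and the seeded random bytes standing in for ciphertext are constructed sample data.

```python
import math
import random
import re
from collections import Counter

# Naming observed on Cerber-encrypted files: 10 chars from [0-9a-zA-Z_-] plus ".a769".
CERBER_NAME_RE = re.compile(r"^[0-9A-Za-z_-]{10}\.a769$")
RANSOM_NOTE_HTML = "__R_E_A_D__T_H_I_S__.html"
HEADER_LEN = 1800  # bytes Cerber skips at the start of each file (Fig 12)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_cerber_encrypted(name: str, content: bytes, threshold: float = 7.0) -> bool:
    """Flag a file only when the name matches the Cerber pattern AND the part
    after the preserved 1800-byte header is high-entropy. The header itself is
    left alone by Cerber, so checking it would give a false negative."""
    if not CERBER_NAME_RE.match(name):
        return False
    body = content[HEADER_LEN:]
    return len(body) >= 256 and shannon_entropy(body) >= threshold

def triage(files: dict) -> dict:
    """Summarise a folder listing {name: bytes}: which files look encrypted,
    and whether the HTML ransom note is present next to them."""
    return {
        "encrypted": sorted(n for n, c in files.items() if looks_cerber_encrypted(n, c)),
        "ransom_note": RANSOM_NOTE_HTML in files,
    }

# Constructed sample folder. A readable 1800-byte header is followed either by
# plaintext or by seeded pseudo-random bytes standing in for RC4 ciphertext.
_rng = random.Random(1)
_header = (b"%PDF-1.4\n" + b"Quarterly report, page 1. " * 80)[:HEADER_LEN]
def _ciphertext() -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_FILES = {
    "Ab9_x-Q7zK.a769": _header + _ciphertext(),               # Cerber-style victim file
    "report.pdf": _header + b"Plain text body. " * 300,       # untouched document
    "zz-99_AAaa.a769": _header + b"Plain text body. " * 300,  # renamed by hand, not encrypted
    "x1.a769": _header + _ciphertext(),                       # wrong name length, not flagged
    RANSOM_NOTE_HTML: b"<html>ransom note</html>",
}
```

The page names only the HTML ransom note, so the TXT variant is not matched here.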
Ransom notes:
It drops the ransom notes in the folders containing the encrypted files, in HTML form (“__R_E_A_D__T_H_I_S__.html”) and in TXT form. In the note, the threat actors (TAs) instruct the victims to contact them via their TOR website. The TAs also warn that if the victims do not make contact within 30 days of the attack, the victims’ confidential data will be disclosed on public news outlets and websites.
Fig.13: Dropped Ransom Note in TXT format
Fig.14: Dropped Ransom Note in HTML file
Fig.15: Changed desktop wallpaper
Post Encryption:
After encryption, the ransomware calls the ShellExecuteA() API function with arguments that delete its own file from the compromised system, leaving behind only the encrypted files and the ransom note. This deliberate self-deletion is an attempt to conceal the ransomware’s presence and to complicate post-infection analysis and removal, while the encrypted files and the ransom demand remain.
Fig.16: Self-delete using ShellExecuteA function
Precautions against Cerber Ransomware:
Cerber Ransomware is a type of malware that encrypts a victim’s files and demands a ransom for the decryption key. To protect yourself and your computer systems from Cerber Ransomware, or ransomware in general, it is essential to take various precautions. Here are a few measures you can take to minimize your risk:
Regularly Backup Your Data:
Back up your important data regularly to an external device or a cloud service. This way, if your files are encrypted, you won’t have to pay a ransom to recover them.
Keep Your Software Updated:
Ensure that your operating system and all software, including your antivirus program, are up to date. Ransomware often takes advantage of known vulnerabilities in outdated software.
Use Strong, Unique Passwords:
Use strong and complex passwords for all your accounts and devices. Consider using a reputable password manager to generate and store strong passwords.
Enable Two-Factor Authentication (2FA):
Enable 2FA whenever possible for your online accounts. This provides an extra layer of security, making it more difficult for attackers to access your accounts.
Exercise Caution with Email:
Be wary of email attachments and links, especially from unknown or unexpected sources. Ransomware can be delivered through phishing emails.
Install a Reliable Antivirus Program:
Install and regularly update reputable antivirus or anti-malware software. Make sure it includes real-time scanning and ransomware protection features.
Use a Firewall:
A good firewall can help block incoming threats and reduce the likelihood of a malware infection.
Regularly Update and Patch:
Keep your system and software updated. Many ransomware attacks exploit vulnerabilities in outdated software, so patching these vulnerabilities is essential.
Network Security:
Implement network security measures, such as intrusion detection systems, and regularly audit network traffic for unusual activity.
Monitor for Suspicious Activity:
Keep an eye out for any unusual or suspicious activity on your computer or network, as early detection can help stop an infection from spreading.
Regularly Test Backups:
Periodically test your backups to ensure that they can be successfully restored.
SEQRITE Protection:
Ransom.Cerber.S443347
Ransom.Cerber.S126609
Ransom.Cerber.S22591
Ransom.Cerber.S1538045
Conclusion:
Cerber ransomware, first identified in 2016, represents a highly sophisticated threat with advanced evasion techniques. It can configure Windows firewall rules, exclude specific countries from attacks, and employ persistence on compromised systems. It combines RSA and RC4 algorithms in the encryption process and uses the self-deletion mechanism post-infection.
MITRE ATT&CK TTPs:
| Technique | ID |
|---|---|
| Command and Scripting Interpreter | T1059 |
| Inhibit System Recovery | T1490 |
| File and Directory Discovery | T1083 |
| System Information Discovery | T1082 |
| Data Encrypted for Impact | T1486 |
| Service Stop | T1489 |
IOCs:
- FE1BC60A95B2C2D77CD5D232296A7FA4
- 376165CCD556CD74658AFEA9F6F428F9