Cerber

[18th August 2017]

Cybereason: Researchers at Cybereason have discovered a new strain of the Cerber ransomware that implements a new feature to avoid triggering canary files.

Apparently this strain of Cerber assumes that any malformed image file is a ‘canary’ file (a variation on the old idea of a goat file) and avoids encrypting it or any other file in the directory in which it’s found.

A goat file is a known-clean, disposable file left out for a file-infecting virus to infect, so that the infection can be detected and the viral code analysed in a known host, by analogy with a ‘sacrificial goat’.

A canary file is intended to act like ‘a canary in a coal mine’, giving early warning of an attempt by ransomware to encrypt files, by analogy with a canary dropping unconscious or dead at the first hint of dangerous gases such as carbon monoxide.

Since it’s rather easy to generate a ‘malformed image file’, it’s been suggested that people do so to help protect folders containing valuable files. I suspect, however, that the Cerber gang (and other malefactors) have already twigged that one, so I certainly wouldn’t rely on such a strategy.

David Harley
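The canary-file idea described above, worked through in code. This is an added example, not code from the original page, from Cybereason or from any Cerber analysis: it plants a deliberately malformed PNG (valid 8-byte signature, no IHDR chunk) in each watched directory, records a SHA-256 of each canary, and on each check reports canaries that have gone missing or been altered. The file name, the directory names and the simulated encryptor actions in demo() are constructed for the example. is_well_formed_png is a deliberately minimal structural check included to show how cheaply an encryptor can recognise such a file, which is exactly why the trick should not be relied on.

```python
"""Canary-file planting and integrity check (added example, not from the page).

A canary is a deliberately malformed image file: the PNG signature followed by
filler instead of the mandatory IHDR chunk. Any change to it, or its
disappearance, is the 'canary in a coal mine' signal.
"""
import hashlib
import pathlib
import struct
import tempfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CANARY_NAME = "_canary_000.png"  # assumed name; sorts early so an alphabetical encryptor hits it first


def make_canary_bytes(label: str) -> bytes:
    """Valid PNG signature, then 256 filler bytes derived from the label
    (deterministic, so the same label always yields the same canary)."""
    filler = hashlib.sha256(label.encode()).digest() * 8
    return PNG_SIGNATURE + filler


def minimal_png_header(width: int = 1, height: int = 1) -> bytes:
    """Signature plus a correctly CRC'd IHDR chunk: the smallest prefix a
    structurally valid PNG can have (used to contrast with the canary)."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    chunk = b"IHDR" + body
    crc = zlib.crc32(chunk) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + chunk + struct.pack(">I", crc)


def is_well_formed_png(data: bytes) -> bool:
    """Cheap structural test: signature, then an IHDR chunk with a good CRC.
    A canary-aware encryptor can run a test this trivial and simply skip
    anything that fails it."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 8 + 4 + 4 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    return zlib.crc32(ctype + body) & 0xFFFFFFFF == crc


def plant_canaries(dirs) -> dict:
    """Write one canary per directory; return a {path: sha256hex} manifest
    that must be stored somewhere the encryptor cannot reach."""
    manifest = {}
    for d in dirs:
        path = pathlib.Path(d) / CANARY_NAME
        data = make_canary_bytes(str(path))
        path.write_bytes(data)
        manifest[str(path)] = hashlib.sha256(data).hexdigest()
    return manifest


def check_canaries(manifest: dict) -> dict:
    """Compare every canary with the manifest; 'missing' and 'modified' are
    both alerts (a renamed canary shows up as missing)."""
    report = {"intact": [], "modified": [], "missing": []}
    for path, digest in manifest.items():
        p = pathlib.Path(path)
        if not p.exists():
            report["missing"].append(path)
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            report["modified"].append(path)
        else:
            report["intact"].append(path)
    return report


def demo() -> dict:
    """Self-contained run in a temporary tree: plant three canaries, then
    simulate (constructed actions) an encryptor overwriting one and renaming
    another with a .cerber extension, and return the report keyed by folder."""
    with tempfile.TemporaryDirectory() as root:
        dirs = [pathlib.Path(root) / n for n in ("docs", "photos", "db")]
        for d in dirs:
            d.mkdir()
        manifest = plant_canaries(dirs)
        (dirs[0] / CANARY_NAME).write_bytes(bytes(300))                      # overwritten
        (dirs[1] / CANARY_NAME).rename(dirs[1] / (CANARY_NAME + ".cerber"))  # renamed
        report = check_canaries(manifest)
        return {k: [pathlib.Path(p).parent.name for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Two points follow from running this. First, the manifest and the checker must live outside the directories being watched, or they are encrypted along with everything else. Second, a strain that behaves as described above does not touch the canary at all, so a check that reports every canary intact tells you nothing about the other files in that directory; the canary is a tripwire for ransomware that has not learned to step over it, not a guarantee.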

[8th August 2017]

[4th August 2017]

David Bisson for Tripwire: Cerber Ransomware Now Capable of Stealing Bitcoin Wallet Files

[3rd August 2017]

Malwarebytes: Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain. Magnitude ‘is mainly used to deliver the Cerber ransomware to specific countries in Asia.’ Interesting techniques.

The Merkle: Cerber Ransomware Rebrands to CRBR Encryptor (appears to be a rebranding rather than any sort of upgrade).

[4th May 2017]

Trend Micro: Cerber Version 6 Shows How Far the Ransomware Has Come (and How Far it’ll Go)

[April 3rd 2017]

SC Magazine: Cerber for servers: Apache Struts2 campaign targets servers with ransomware. See also the Struts group article.

[March 28th 2017]

TrendLabs: Cerber Starts Evading Machine Learning – ‘…it is now using a new loader that appears to be designed to evade detection by machine learning solutions….This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection.’

[March 6th 2017]

Brad Duncan for Palo Alto: “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware. Apparently primarily distributes Cerber, but also Sage 2.0 and Locky.

[15th February 2017]

Trend Micro – CERBER Changes Course, Triple Checks for Security Software

David Bisson for Graham Cluley’s blog: Sage 2.0 ransomware wants to be just like Cerber when it grows up – Same parents or pure mimicry?

See also notes on GoldenEye for a Cerber-like attack on HR departments (5th January 2017)

25th November 2016: info from Check Point on new variants of Locky and Cerber: Two Thanksgiving Presents from the Leading Ransomware.

November 22nd 2016:

Trend Micro: Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files

November 7th 2016:

Matthew Rosenquist, for McAfee: Cerber Ransomware Now Hunts for Databases

Commentary by Darren Pauli for The Register: Cerber ransomware menace now targeting databases – Why try to extract pennies from kiddies when there’s businesses to be bilked?

October 15th 2016

Trend Micro: Several Exploit Kits Now Deliver Cerber 4.0

October 5th 2016

Bleeping Computer reports on changes to Cerber in its new version: Cerber Ransomware switches to a Random Extension and Ends Database Processes

August 17th 2016

Check Point: CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service. Download the report from here, if you don’t mind sharing your contact details.

David Bisson for Graham Cluley’s blog: Cerber ransomware operation exposed… and boy is it lucrative! Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world

Help Net Security: The inner workings of the Cerber ransomware campaign

July 18th 2016

FireEye: CERBER: ANALYZING A RANSOMWARE ATTACK METHODOLOGY TO ENABLE PROTECTION

29th June 2016

Avanan: Widespread Attack on Office 365 Corporate Users with Zero-day Ransomware Virus

SC Magazine commentary

The Register commentary: Ransomware scum target corporate Office 365 users in 0-day campaign – Spam flood tried to drop malicious macros in inboxes

Commentary from SANS

7th June 2016

David Bisson for Graham Cluley’s blog: Cerber, the ransomware which talks to you, continues to evolve – New Cerber ransomware variant generates new hashes every 15 seconds.

[25th May 2016] A version of Cerber that incorporates a DDoS bot:

Lawrence Abrams, for Bleeping Computer, reports that The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You. Files are AES encrypted, a ransom starting at 1.24 Bitcoins is demanded, and at present there is no free way of restoring encrypted files (other than from backup, of course). And this ransomware, apparently offered as a service on a ‘closed underground Russian forum’, clearly wants to make it very clear that it has struck: not only does it litter a victimized PC with ransom notes, but it also creates a VBS script that generates an audio message telling the victim that “Your documents, photos, databases and other important files have been encrypted!”

Other commentary by Shell Spawner$ and by David Bisson for Graham Cluley’s blog: Cerber ransomware speaks to you: ‘Your files are encrypted’ – If your files have a .CERBER extension, you don’t need malware to tell you you’ve got a problem

[27th April 2016] Malwarebytes describes how Malvertising On The Pirate Bay Drops Ransomware: specifically, Cerber delivered via the Magnitude exploit kit. Commentary by Darren Pauli for The Register: Game of P0wns: Malvertising menace strikes Pirate Bay season six downloads – There is no honour among content thieves. Meanwhile, Team Cymru takes A Look Inside Cerber Ransomware.