Cerber Ransomware Not Only Encrypts Data But also Speaks to You

Cerber ransomware has been in the news lately. It encrypts the files stored on the victim's computer with AES and then demands a ransom of about 1.24 bitcoins (roughly $500) to restore them; this became clear only after samples of the malware and of encrypted data were analysed. Cerber is yet another crypto-ransomware family, and like the others it is distributed mainly through spam e-mail carrying malicious attachments. Office documents with macros give it an easy way into a Windows PC: if a user opens such an attachment and lets the macro run, there is a high risk that the ransomware is installed, encrypts the files and demands payment for them.

Strategy Used by the Cerber Ransomware Variant

Unlike most other ransomware, Cerber deliberately avoids computers in a specific set of countries in Eastern Europe and Central Asia. The check runs at the very start of the infection, before any encryption takes place: if the system is found to belong to one of the following countries

Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan

it simply exits without encrypting anything (source: http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/). That is a relief for users in those countries; everybody else is fully exposed. Once installed on a non-excluded system, Cerber brings the PC to a halt and reboots it into Safe Mode; after that reboot the ransomware is configured to start automatically, and it then encrypts the files with AES and demands a ransom. Encrypted files are renamed to random strings of characters and, most importantly, their extension is changed to .cerber.

[Image: Cerber-encrypted files]

How aggressive this ransomware is can be judged from the fact that it does not stop at the local hard drive: if the network setting in its configuration file is set to 1, Cerber also enumerates unmapped Windows network shares reachable from the infected machine and encrypts the data it finds there. On the compromised computer it scans every drive for files whose extension matches one in its built-in list; each match is encrypted with AES-256 and given the .cerber extension. Hardly any common file type escapes. Only a few specific file names are skipped, namely wallet.dat, iconcache.db, thumbs.db and bootsect.bak, and files inside the following folders are left alone:

:\$recycle.bin\
:\$windows.~bt\
:\boot\
:\drivers\
:\program files\
:\program files (x86)\
:\programdata\
:\users\all users\
:\windows\
\appdata\local\
\appdata\locallow\
\appdata\roaming\
\public\music\sample music\
\public\pictures\sample pictures\
\public\videos\sample videos\
\tor browser\
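The targeting rules above (folder exclusions, skipped file names, extension matching and the network setting), as an added Python example that is not Cerber's code and not code from the cited articles. The folder and file-name exclusions are the ones listed on this page; the extension list and the sample paths are constructed assumptions, since the real extension list is not reproduced here:

```python
# Added example (not Cerber's own code): a model of the file-targeting rules
# the article describes, so a defender can see which paths the malware would
# and would not touch. The folder and file-name exclusions are the ones listed
# above; the target extension list is a constructed sample, since the real
# list is not reproduced on the page.
import ntpath

# Folder exclusions exactly as listed. Entries that start with ":\" are
# anchored to the drive root (C:\Windows\ but not D:\Backup\Windows\);
# the others match anywhere in the path (any user's AppData\Local).
EXCLUDED_FOLDERS = [
    ":\\$recycle.bin\\",
    ":\\$windows.~bt\\",
    ":\\boot\\",
    ":\\drivers\\",
    ":\\program files\\",
    ":\\program files (x86)\\",
    ":\\programdata\\",
    ":\\users\\all users\\",
    ":\\windows\\",
    "\\appdata\\local\\",
    "\\appdata\\locallow\\",
    "\\appdata\\roaming\\",
    "\\public\\music\\sample music\\",
    "\\public\\pictures\\sample pictures\\",
    "\\public\\videos\\sample videos\\",
    "\\tor browser\\",
]

# File names the article says are never encrypted.
SKIPPED_FILENAMES = {"wallet.dat", "iconcache.db", "thumbs.db", "bootsect.bak"}

# Constructed sample of targeted extensions (assumption: the real list is longer).
EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}


def _directory_of(path):
    """Lower-cased directory part of a Windows path, always ending in a backslash."""
    return ntpath.dirname(path.replace("/", "\\")).lower().rstrip("\\") + "\\"


def is_excluded_folder(path):
    """True if the file lives in one of the excluded folders."""
    directory = _directory_of(path)
    for entry in EXCLUDED_FOLDERS:
        if entry.startswith(":\\"):
            # drive-anchored entry: compare everything after the drive letter
            if directory[1:].startswith(entry):
                return True
        elif entry in directory:
            return True
    return False


def would_encrypt(path, extensions=EXTENSIONS):
    """Return (targeted?, reason) for a single file path."""
    name = ntpath.basename(path.replace("/", "\\")).lower()
    ext = ntpath.splitext(name)[1]
    if name in SKIPPED_FILENAMES:
        return False, "filename skip-list"
    if is_excluded_folder(path):
        return False, "excluded folder"
    if ext not in extensions:
        return False, "extension not targeted"
    return True, "targeted"


def triage(paths, network=1, extensions=EXTENSIONS):
    """Apply the rules to many paths. UNC share paths are only considered when
    the configuration's network setting is 1, as the article describes."""
    report = {}
    for path in paths:
        if path.startswith("\\\\") and not network:
            report[path] = (False, "network shares disabled (network=0)")
        else:
            report[path] = would_encrypt(path, extensions)
    return report


# Constructed sample paths from a hypothetical host (not from the article).
SAMPLE_PATHS = [
    "C:\\Users\\alice\\Documents\\budget.xlsx",
    "C:\\Users\\alice\\AppData\\Roaming\\app\\cache.docx",
    "C:\\Users\\alice\\Pictures\\Thumbs.db",
    "C:\\Program Files\\Vendor\\readme.txt",
    "C:\\Users\\alice\\Bitcoin\\wallet.dat",
    "\\\\fileserver\\share\\reports\\q1.pdf",
    "C:\\Users\\alice\\Desktop\\photo.cerber",
]

if __name__ == "__main__":
    for path, (hit, why) in triage(SAMPLE_PATHS).items():
        print(f"{'ENCRYPT' if hit else 'skip   '} {path}  ({why})")
```

The useful nuance is in the exclusion list itself: entries beginning with a drive colon protect only the system folders at the drive root, whereas the bare `\appdata\...` and `\tor browser\` entries match at any depth, so a user's own copy of the Windows folder on a backup drive is not protected by the `:\windows\` entry.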

[Image: network setting in the Cerber configuration file]

Cerber drops three ransom notes, named # DECRYPT MY FILES #.txt, # DECRYPT MY FILES #.html and # DECRYPT MY FILES #.vbs. The third is a VBScript that makes the compromised system speak to the victim: when it runs, the computer reads out an audible message stating that the files have been encrypted, and repeats it several times. This is designed to panic victims into paying the ransom in a hurry.
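An added triage script (not from the article and not Cerber's own code) that walks a directory tree and reports the artefacts described above: files with the .cerber extension, the three ransom notes, and whether the .vbs note invokes speech. The sample tree, the note contents and the SAPI.SpVoice/Speak markers used to recognise a speaking note are assumptions, since the page does not show the script itself:

```python
# Added example (not Cerber's own code and not from the article): a small
# incident-response triage script that walks a directory tree and reports
# the artefacts the article describes: files renamed with the .cerber
# extension, the three "# DECRYPT MY FILES #" ransom notes, and whether the
# .vbs note contains text-to-speech calls. The sample tree and the contents
# of the notes are constructed here; the real note text is not on the page.
import os
import tempfile

RANSOM_NOTE_NAMES = {
    "# DECRYPT MY FILES #.txt",
    "# DECRYPT MY FILES #.html",
    "# DECRYPT MY FILES #.vbs",
}
ENCRYPTED_EXTENSION = ".cerber"

# Assumption (not stated on the page): VBScript produces speech through the
# Windows SAPI.SpVoice COM object and its Speak method, so a note that
# references both is flagged as a "speaking" note.
SPEECH_MARKERS = ("sapi.spvoice", ".speak")


def uses_text_to_speech(path):
    """True if a script file contains all speech markers (case-insensitive)."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read().lower()
    return all(marker in text for marker in SPEECH_MARKERS)


def scan_tree(root):
    """Collect Cerber artefacts under root: encrypted files, notes, speaking notes."""
    found = {"encrypted": [], "notes": [], "speaking_notes": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXTENSION):
                found["encrypted"].append(full)
            elif name in RANSOM_NOTE_NAMES:
                found["notes"].append(full)
                if name.lower().endswith(".vbs") and uses_text_to_speech(full):
                    found["speaking_notes"].append(full)
    return found


def summarize(found):
    """The counts a responder would put in a first report."""
    affected = {os.path.dirname(p) for p in found["encrypted"] + found["notes"]}
    return {
        "encrypted_files": len(found["encrypted"]),
        "ransom_notes": len(found["notes"]),
        "speaking_notes": len(found["speaking_notes"]),
        "affected_dirs": len(affected),
    }


# Constructed sample of a user profile after Cerber ran (hypothetical data).
SPEAKING_NOTE = (
    'Set voice = CreateObject("SAPI.SpVoice")\n'
    "For i = 1 To 5\n"
    '    voice.Speak "Attention! Your files have been encrypted!"\n'
    "Next\n"
)
SAMPLE_TREE = {
    "Documents/x8hK2pQw1z.cerber": "<ciphertext placeholder>",
    "Documents/Q3wm9LzPd0.cerber": "<ciphertext placeholder>",
    "Documents/# DECRYPT MY FILES #.txt": "your files are encrypted",
    "Documents/# DECRYPT MY FILES #.html": "<html>your files are encrypted</html>",
    "Documents/# DECRYPT MY FILES #.vbs": SPEAKING_NOTE,
    "Pictures/# DECRYPT MY FILES #.txt": "your files are encrypted",
    "Pictures/Thumbs.db": "untouched: Cerber skips this file name",
    "Scripts/login.vbs": 'WScript.Echo "benign script, no speech"\n',
}


def build_sample_tree(base):
    """Write the constructed sample tree under base."""
    for rel, content in SAMPLE_TREE.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return summarize(scan_tree(base))


if __name__ == "__main__":
    print(demo())
```

Run against a real profile directory with `summarize(scan_tree(path))`; the per-directory note files are a quick way to map which folders the malware reached, and the speaking-note check separates Cerber's .vbs note from ordinary scripts on the host.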

[Image: # DECRYPT MY FILES #.vbs]

For details: https://www.grahamcluley.com/2016/03/ransomware-speaks/