“Attention! Attention! Attention!”
“Your documents, photos, databases and other important files have been encrypted!”
Imagine this: all the important files on your system have been encrypted by ransomware. Soon after, you receive ransom notes, one of which reads the message aloud and informs you that your files are being held for ransom unless you pay a sum of money.
No other crypto-ransomware variant had a ‘voice’ capability to verbally prod users into action until RANSOM_CERBER.A emerged in the threat landscape. It plays the above message using a computer-generated voice. Below is a sample of the audio clip file:
Typically, this type of threat displays images containing instructions on how to pay the ransom and retrieve the files. This novel technique is reminiscent of one of the variants of REVETON, otherwise known as police ransomware, which can also ‘speak’ in a language chosen according to where the user is located.
Figure 1. Sample ransom note
Based on our investigation, CERBER only uses the English language; however, once users click on the link via the Tor browser, they are taken to a page asking which language to use. Even though the landing page offers various languages, only English works as of this posting. The cybercriminals behind CERBER require users to pay 1.24 BTC (~US$523, as of March 4, 2016), which will increase to 2.48 BTC (~US$1046, as of March 4, 2016) in seven days’ time.
Figure 2. Landing page asking for language preference
We also discovered that CERBER comes with a configuration file in the .json format (a file format commonly used to transmit and store data defined as attribute-value pairs). Looking closer at this config file, we discover that this particular ransomware is quite easily customizable, allowing its owner to change the ransom note, the targeted file extensions, and the list of blacklisted countries. This suggests that CERBER itself was designed to be sold to other enterprising cybercriminals and tailored to their needs.
Figures 3 and 4. CERBER config file code primed for customization
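As an added illustration of the analysis step described above (example code written for this post, not CERBER’s actual configuration format and not Trend Micro’s tooling), the Python helper below loads a constructed JSON config of the kind discussed, normalises the targeted-extension list, produces an analyst summary, and diffs two builds so that one can see what a buyer of the kit changed. The key names ransom_note, extensions, country_blacklist, ransom_btc and days_until_double, and every value in the two sample configs, are assumptions.

```python
"""Triage helper for a JSON-format ransomware configuration file.

Added example: the sample configs below are CONSTRUCTED, and the key names
(ransom_note, extensions, country_blacklist, ransom_btc, days_until_double)
are assumptions, not the real field names used by CERBER.
"""
import hashlib
import json

# Constructed sample: what a "base" build of such a config might look like.
SAMPLE_CONFIG = r'''{
  "ransom_note": "Attention! Attention! Attention!\nYour documents, photos, databases and other important files have been encrypted!",
  "extensions": [".doc", ".docx", ".xls", ".jpg", ".sql", ".mdb", ".DOC", "pdf"],
  "country_blacklist": ["ru", "ua", "by", "kz"],
  "ransom_btc": 1.24,
  "days_until_double": 7
}'''

# Constructed sample: the same config after a hypothetical affiliate customised it.
CUSTOMISED_CONFIG = r'''{
  "ransom_note": "Your files are encrypted. Follow the instructions to recover them.",
  "extensions": [".doc", ".pdf", ".psd"],
  "country_blacklist": ["ru"],
  "ransom_btc": 2.0,
  "days_until_double": 5
}'''

REQUIRED_KEYS = ("ransom_note", "extensions", "country_blacklist")


def load_config(text):
    """Parse the JSON text and fail loudly if an expected key is absent."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"config is missing expected keys: {missing}")
    return cfg


def normalise_extensions(exts):
    """Lower-case, add a leading dot, and de-duplicate while keeping order."""
    seen, out = set(), []
    for ext in exts:
        ext = ext.strip().lower()
        if not ext:
            continue
        if not ext.startswith("."):
            ext = "." + ext
        if ext not in seen:
            seen.add(ext)
            out.append(ext)
    return out


def summarise(cfg):
    """Return the fields an analyst wants at a glance."""
    note_lines = [ln for ln in cfg["ransom_note"].splitlines() if ln.strip()]
    return {
        "targeted_extensions": normalise_extensions(cfg["extensions"]),
        "excluded_countries": sorted({c.strip().upper() for c in cfg["country_blacklist"]}),
        "ransom_note_first_line": note_lines[0] if note_lines else "",
        "ransom_btc": cfg.get("ransom_btc"),
        "days_until_double": cfg.get("days_until_double"),
    }


def config_fingerprint(cfg):
    """SHA-256 over the normalised targeting fields, for clustering samples by build."""
    canonical = json.dumps(
        {
            "extensions": sorted(normalise_extensions(cfg["extensions"])),
            "country_blacklist": sorted(c.strip().upper() for c in cfg["country_blacklist"]),
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_configs(base, other):
    """Show what changed between two builds: extensions and countries added or removed."""
    base_ext = set(normalise_extensions(base["extensions"]))
    other_ext = set(normalise_extensions(other["extensions"]))
    base_cc = {c.strip().upper() for c in base["country_blacklist"]}
    other_cc = {c.strip().upper() for c in other["country_blacklist"]}
    return {
        "extensions_added": sorted(other_ext - base_ext),
        "extensions_removed": sorted(base_ext - other_ext),
        "countries_added": sorted(other_cc - base_cc),
        "countries_removed": sorted(base_cc - other_cc),
        "note_changed": base["ransom_note"] != other["ransom_note"],
    }


if __name__ == "__main__":
    base = load_config(SAMPLE_CONFIG)
    custom = load_config(CUSTOMISED_CONFIG)
    print(json.dumps(summarise(base), indent=2))
    print("fingerprint:", config_fingerprint(base))
    print(json.dumps(diff_configs(base, custom), indent=2))
```

The fingerprint deliberately covers only the targeting fields (extensions and country blacklist), so two samples that differ only in ransom note text or price still cluster together as the same build; the diff then shows exactly what a given buyer changed.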
Based on our Trend Micro Smart Protection Network feedback, the Nuclear exploit kit is distributing this malware via malvertisements. The Nuclear exploit kit is one of the most popular kits in use today, second only to the even more notorious Angler exploit kit.
All servers hosting these malvertisements are currently inaccessible. Some reports mention that CERBER is being peddled in the Russian underground market as ransomware-as-a-service (RaaS). This not only bears out what the configuration file’s code above suggests, but also indicates that we will be seeing more of CERBER in the near future.
A lesson in backing up files
Ransomware remains a prevalent threat due to a combination of effective social engineering lures and technical capabilities. Knowing how these threats operate can aid users and enterprises in securing their crucial data. At the very least, back up important files on a regular basis. Practice the 3-2-1 rule: keep three copies of your important files, stored on two different devices, with one further copy kept in a separate, safe location. It is also important not to give in and pay the ransom, as cybercriminals may target the same users again, knowing that they are able to pay. In addition, keeping your system up to date is a must to defend it against the exploit kits that deliver the ransomware payload.
Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security are able to detect the malicious file and block all related malicious URLs to protect users from this threat.
SHA1s for related files:
Additional analysis by Ruby Santos and Joseph C. Chen