Cerber has become one of the most notorious and popular ransomware families in 2016. It has used a wide variety of tactics, including leveraging cloud platforms and Windows Scripting, and has added non-ransomware behavior such as distributed denial-of-service attacks to its arsenal. One reason for this popularity may be that it is frequently bought and sold as a service (ransomware-as-a-service, or RaaS).
The latest version of Cerber retains functions found in earlier versions, such as the use of a voice mechanism as part of its social engineering tactics. Like previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits.
Users are typically redirected to these exploit kit servers via ads that appear in a pop-up window after clicking a video to play. This ultimately leads to the download of Cerber. While this malvertising campaign has already affected several countries, the attacks are heavily concentrated in Taiwan. And although the campaign has been running for months, it only now started dropping Cerber 3.0 as its payload.
In the case of Magnitude, a simple redirect script was used. Rig, on the other hand, opened a website in the background that contained a screenshot of legitimate US clothing shopping sites, perhaps to make the ad look less suspicious.
Figure 1. Rig exploit kit redirection chain
Figure 2. Magnitude exploit kit redirection chain
Beyond those differences, however, Cerber remains the same. The initial ransom note uses wording that is essentially unchanged from previous versions:
Figure 3. Cerber 3.0 ransom note
The payment note is also similar to earlier variants, even offering a “discount”. Perhaps to reflect the ever-changing exchange rate of Bitcoin, the amount demanded has also changed. The first version of Cerber demanded 1.24 BTC (~US$523, as of March 4, 2016) and gave affected entities seven days to pay. Cerber 3.0 asks for 1 BTC right away, but if the user waits more than five days the ransom doubles to 2 BTC.
Figure 4. Cerber version 3 ransom note
The encrypted files are renamed to carry the *.cerber3 file extension. The ransomware also deletes shadow copies, to prevent any backups based on this feature from being restored. It also uses a female voice to let users know that their files have been encrypted, as the initial version of Cerber did.
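The two host-side behaviors described above (mass renaming to *.cerber3 and shadow copy deletion) can be turned into a simple triage check. The following is an added example written for this article, not code from the original post or from Trend Micro: it scans a list of file paths and process command lines and flags both signals. The write-up does not name the command used to delete shadow copies, so the vssadmin/wmic patterns below are an assumption, and the sample paths and command lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Extension the write-up says Cerber 3.0 gives to encrypted files.
CERBER3_EXT = ".cerber3"

# Command lines commonly used to wipe Volume Shadow Copies. Assumption: the
# write-up only says shadow copies are deleted; it does not name the commands.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]


def cerber3_files(paths):
    """Return the paths whose extension is .cerber3 (case-insensitive)."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() == CERBER3_EXT]


def shadow_copy_deletions(cmdlines):
    """Return process command lines that look like shadow-copy deletion."""
    return [c for c in cmdlines
            if any(pat.search(c) for pat in SHADOW_DELETE_PATTERNS)]


def assess(paths, cmdlines, min_ratio=0.5):
    """Combine the two signals from the write-up into a verdict.

    min_ratio: fraction of files carrying .cerber3 above which the host is
    treated as mass-encrypted (a single stray file is not enough on its own).
    """
    hits = cerber3_files(paths)
    ratio = len(hits) / len(paths) if paths else 0.0
    shadow = shadow_copy_deletions(cmdlines)
    return {
        "cerber3_files": len(hits),
        "cerber3_ratio": round(ratio, 2),
        "shadow_copy_deletion": bool(shadow),
        "suspected_cerber3": ratio >= min_ratio or bool(shadow),
    }


# Constructed sample data for a stand-alone run (not from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.cerber3",
    r"C:\Users\alice\Documents\budget.xlsx.CERBER3",
    r"C:\Users\alice\Pictures\holiday.jpg.cerber3",
    r"C:\Users\alice\Desktop\notes.txt",
]
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\notepad.exe notes.txt",
]

if __name__ == "__main__":
    print(assess(SAMPLE_PATHS, SAMPLE_CMDLINES))
```

In practice the path list would come from a directory walk of user profiles and the command lines from process-creation logs; either signal alone is a reason to isolate the host and check backups.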
Solutions and Mitigation
The most fundamental defense against ransomware is still backing up. With proper backups in place, organizations need not worry about any data loss that may be incurred. At the very least, important files should be backed up on a regular basis. Practice the 3-2-1 rule: keep three copies of your data, on two different devices or media, with one copy stored in a separate, safe location.
A good defense against malvertising (and exploit kits in general) is to keep the software in use up to date with all security patches. This reduces the risk from a wide variety of attacks, not just ransomware, and applies to both the operating system and any applications in use. A security solution that can proactively defend against attacks targeting vulnerabilities in the system’s software is also recommended.
Trend Micro offers solutions that protect users and organizations in all aspects – at the gateway, endpoints, networks, and even servers.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. (Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention)
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. (Webserver Protection, Vulnerability Shielding, Lateral Movement Prevention)
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. (Ransomware Behavior Monitoring, IP/Web Reputation)
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. (IP/Web Reputation, Ransomware Protection)
The following SHA1 hashes were involved in this attack:
- C60AB834453E6C1865EA2A06E4C19EA83982C1F9 – detected as RANSOM_CERBER.DLEY
- E9508FA87D78BC01A92E4FDBCD3D14B2836BC0E2 – detected as RANSOM_CERBER.DLEZ
Additional analysis by Mary Yambao
Updated on September 1, 2016, 7:00 PM (UTC-7):
Figure 1 and Figure 2 were updated.
Updated on September 6, 2016, 2:15 AM (UTC-7):
Ransom_CERBER.DLEY has been renamed to Ransom_CERBER.DLEZ.