Cerber ransomware speaks to you: 'Your files are encrypted'

If your files have a .CERBER extension, you don’t need malware to tell you you’ve got a problem.


A new ransomware threat speaks to its victim to inform them that it has successfully encrypted their files.

The malware, which goes by the name "Cerber," was first detected by malware analysts @BiebsMalwareGuy and @MeegulWorth earlier this week. It encrypts users' files using AES encryption and demands that victims pay a ransom of 1.24 Bitcoins, or approximately US $500.

Lawrence Abrams of Bleeping Computer explains in a blog post that the ransomware commences its encryption cycle by first checking to see if the victim appears to be from a list of eastern European countries.

If they are, the malware terminates. If not, it installs itself as a random Windows executable that is configured to execute once every minute. When this happens, it displays a randomly chosen fake system alert that attempts to trick the user into accepting a system shutdown.

Here is an example:

You are about to be logged off

This directory service is shutting down, and cannot take ownership of new floating single-master operation roles.

Those alerts continue to pop up until the user allows the restart to occur.

If the user accepts, the computer boots up into Safe Mode and requests the victim's login credentials. Once they are entered, the computer reboots into Normal mode. It is then that the ransomware begins wreaking havoc with the victim's files by encrypting each document's filename and adding a .CERBER extension to it.

But that's not all the malware has up its sleeve, according to Abrams:

"Cerber contains the ability to scan for and enumerate unmapped Windows shares and encrypt any data that is found on them. If the network setting is set to 1 in the configuration file, then Cerber will search for and encrypt any accessible network shares on your network, even if those shares are not mapped to the computer."


The researcher notes that this feature is currently turned off. All the same, it is recommended that sysadmins harden the security of their network shares given the increasing frequency with which newer forms of ransomware are incorporating this functionality.

When all is said and done, Cerber generates three ransom notes. One of the messages, entitled "# DECRYPT MY FILES #.vbs," contains VBScript, which allows the computer to speak the ransom message to the victim.
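As an added example (my code, not the article's and not from Bleeping Computer), the following Python script sweeps a directory tree for the two on-disk artifacts the article names: files renamed with the .CERBER extension and ransom notes whose name begins with "# DECRYPT MY FILES #". Matching the note by that prefix regardless of extension is my assumption, made so the same check covers all three notes; the sample tree the script builds is constructed for the demonstration and contains no real malware output.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the extension Cerber appends and the
# name of the VBScript ransom note. Matching the note name by prefix only is
# an assumption so that companion notes with other extensions are caught too.
CERBER_EXT = ".cerber"
RANSOM_NOTE_PREFIX = "# DECRYPT MY FILES #"


def scan_for_cerber(root):
    """Walk `root` and return (encrypted_files, ransom_notes), both sorted.

    Extension matching is case-insensitive because the article writes the
    extension as .CERBER while other sources show it in lower case.
    """
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(CERBER_EXT):
                encrypted.append(full)
            elif name.startswith(RANSOM_NOTE_PREFIX):
                notes.append(full)
    return sorted(encrypted), sorted(notes)


def summarize(root):
    """Return counts plus a single boolean a monitoring job can alert on."""
    encrypted, notes = scan_for_cerber(root)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "hit": bool(encrypted or notes),
    }


def build_sample_tree():
    """Create a constructed sample directory mimicking a hit user profile."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"clean sample content")
    # Constructed placeholder: a renamed file and two dropped notes.
    (docs / "x7kq2p9a.cerber").write_bytes(b"\x00constructed ciphertext")
    (docs / "# DECRYPT MY FILES #.vbs").write_text("' constructed placeholder note\n")
    (docs / "# DECRYPT MY FILES #.txt").write_text("constructed placeholder note\n")
    music = Path(root, "Music")
    music.mkdir()
    (music / "track01.mp3").write_bytes(b"clean sample content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    encrypted_files, ransom_notes = scan_for_cerber(demo_root)
    print("encrypted:", encrypted_files)
    print("notes:", ransom_notes)
    print(summarize(demo_root))
```

Pointed at a real share or user profile, the `hit` flag is what a scheduled job would raise an alert on; finding even one ransom note early matters because, as the article notes, the malware keeps running and reaches any share it can write to.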


At this point, there's no way to unlock any files encrypted by the malware for free; the only route the attackers offer is paying the ransom. (It is worth noting that the ransomware author's demands double to approximately US $1000 if the fee has not been paid within a week.)

The fact that Cerber has the ability to target network shares, not to mention its decryptor's support for 12 different languages, attests to the increasing sophistication of today's ransomware campaigns. It is therefore recommended that users maintain regular backups of their data, that they avoid clicking on suspicious links, and that they maintain an updated anti-virus solution on their machines.

Together, these best security practices can protect you from Cerber ruining your afternoon with a nasty shout-out and an encrypted computer.

Have you ever been hit by ransomware?


8 Responses

  1. coyote

    March 7, 2016 at 7:41 pm

    You know as much as I hate the lack of ethics/morals of ransomware (or more generally lack of ethics/morals)… the ones who really are the problem are those who pay out. Those behind the ransomware are only profiting off of humans who do what they think is the easiest (and in such a thing it isn't the easiest; backing up [testing recovery as well] is the easiest and if not it certainly is the least devastating [even without ransomware]) which so happens to be from ignorance – and sometimes (and I think I'm being rather generous adding 'sometimes') stupidity. I can't say I blame them any more[1] than when governments (for one example) do the same thing. What they do is certainly unethical but it does pay and many corporations (another example) also have unethical policies – and profit from it.

    If people weren't so afraid of preparing they wouldn't have nearly as much trouble here. But I don't see this improving. It'll only get worse until people wake up (and I'd be surprised if that happened) because more ransomware will be created and more techniques (not only technical) will be created as well.

    [1] Which isn’t to say that I find it acceptable. But they are making money and money is typically needed to survive. I don’t approve of the way they do it but they still are doing what most everyone else does (only profiting at the expense of others instead of maybe offering products of use). Yet in some ways I find it less acceptable when governments do it because you’d like to believe they would be a good example of how to behave whereas malicious/rogue gangs is where you’d not be surprised to find these types of things. Not saying that governments participate in ransomware but they certainly work with malware. Malware is malware and it harms everyone even if only by wasting resources.

    • __JMM__ in reply to coyote.

      March 8, 2016 at 1:38 pm

      It's also illegal.

  2. Leigh

    March 26, 2016 at 7:13 am

    Got an alternative? I'm a musician and author and I've just lost ALL my files – including everything on the flash drive that was inserted in the computer. Which, sadly, is where everything was backed up!

  3. karthik nithyanandam

    April 3, 2016 at 7:41 am

    I have lost all my files to encryption. How do I recover them?

  4. Rob

    April 9, 2016 at 12:41 pm

    I wish more people knew about dual booting with a Linux OS…I never have to deal with these Windows issues

  5. woon

    April 14, 2016 at 8:48 pm

    Half of my files are back with the help of a decryptor from the Bleeping Computer forum http://www.bleepingcomputer.com/forums/t/606583/cerber-ransomware-support-and-help-topic-decrypt-my-files-htmltxtvbs/ and this removal guide – http://manual-removal.com/cerber/

  6. Jolanda

    May 22, 2016 at 12:33 am

    @Woon — what, exactly, did you do? The forum is 25 pages and I'm not sure which advice you used…

  7. George

    April 7, 2017 at 11:00 am

    You can use an anti-malware tool like MalwareFox to remove the virus; the restoration of your files is another story, though.
