A new ransomware threat speaks to its victim to inform them that it has successfully encrypted their files.
The malware, which goes by the name “Cerber,” was first detected by malware analysts @BiebsMalwareGuy and @MeegulWorth earlier this week. It encrypts users’ files using AES encryption and demands that victims pay a ransom of 1.24 Bitcoins, or approximately US $500.
Lawrence Abrams of Bleeping Computer explains in a blog post that the ransomware commences its encryption cycle by first checking to see if the victim appears to be from a list of eastern European countries.
If they are, the malware terminates. If not, it installs itself as a random Windows executable that is configured to execute once every minute. When this happens, it displays a randomly chosen fake system alert that attempts to trick the user into accepting a system shutdown.
Here is an example:
You are about to be logged off
This directory service is shutting down, and cannot take ownership of new floating single-master operation roles.
Those alerts continue to pop up until the user allows the restart to occur.
If the user accepts, the computer boots up into Safe Mode and requests the victim’s login credentials. Once they are entered, the computer reboots into Normal mode. It is then that the ransomware begins wreaking havoc with the victim’s files by encrypting each document’s filename and adding a .CERBER extension to it.
But that’s not all the malware has up its sleeve, according to Abrams:
“Cerber contains the ability to scan for and enumerate unmapped Windows shares and encrypt any data that is found on them. If the network setting is set to 1 in the configuration file, then Cerber will search for and encrypt any accessible network shares on your network, even if those shares are not mapped to the computer.”
The researcher notes that this feature is currently turned off. All the same, it is recommended that sysadmins harden the security of their network shares given the increasing frequency with which newer forms of ransomware are incorporating this functionality.
When all is said and done, Cerber generates three ransom notes. One of the messages, entitled “# DECRYPT MY FILES #.vbs,” contains VBScript, which allows the computer to speak the ransom message to the victim.
At this point, there’s no way to unlock any files encrypted by the malware for free unless the victim pays the ransom fee. (It is worth noting that the ransomware author’s demands will double to approximately US $1000 if the fee has not been paid in a week.
The fact that Cerber has the ability to target network shares, not to mention its decryptor’s compatibility with 12 difference languages, attests to the increasing sophistication of today’s ransomware campaigns. It is therefore recommended that users maintain regular backups of their data, that they avoid clicking on suspicious link, and that they maintain an updated anti-virus solution on their machines.
Together, these best security practices can protect you from Cerber ruining your afternoon with a nasty shout-out and an encrypted computer.