RANSOM_CERBER.DLEZ
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.
It connects to certain websites to send and receive information. It terminates itself if it detects it is being run in a virtual environment. It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following component file(s):
- {folders containing encrypted files}\# HELPDECRYPT #.html
- {folders containing encrypted files}\# HELPDECRYPT #.txt
- {folders containing encrypted files}\# HELPDECRYPT #.url
- %Desktop%\# HELPDECRYPT #.html
- %Desktop%\# HELPDECRYPT #.txt
- %Desktop%\# HELPDECRYPT #.url
- %Application Data%\{random file names}
- %Application Data%\{filename}.png
(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.
Other Details
This Trojan connects to the following website to send and receive information:
- Uses IP range {BLOCKED}.{BLOCKED}.234.0/23 via port 6892
It sends the following information:- MD5_KEY
- PARTNER_ID
- OS
- IS_X64
- IS_ADMIN
- COUNT_FILES
- STOP_REASON
It encrypts files with the following extensions:
- .1cd
- .3dm
- .3ds
- .3fr
- .3g2
- .3gp
- .3pr
- .7z
- .7zip
- .aac
- .ab4
- .abd
- .acc
- .accdb
- .accde
- .accdr
- .accdt
- .ach
- .acr
- .act
- .adb
- .adp
- .ads
- .agdl
- .ai
- .aiff
- .ait
- .al
- .aoi
- .apj
- .apk
- .arw
- .ascx
- .asf
- .asm
- .asp
- .aspx
- .asset
- .asx
- .atb
- .avi
- .awg
- .back
- .backup
- .backupdb
- .bak
- .bank
- .bay
- .bdb
- .bgt
- .bik
- .bin
- .bkp
- .blend
- .bmp
- .bpw
- .bsa
- .c
- .cash
- .cdb
- .cdf
- .cdr
- .cdr3
- .cdr4
- .cdr5
- .cdr6
- .cdrw
- .cdx
- .ce1
- .ce2
- .cer
- .cfg
- .cfn
- .cgm
- .cib
- .class
- .cls
- .cmt
- .config
- .contact
- .cpi
- .cpp
- .cr2
- .craw
- .crt
- .crw
- .cry
- .cs
- .csh
- .csl
- .css
- .csv
- .d3dbsp
- .dac
- .das
- .dat
- .db
- .db3
- .db_journal
- .dbf
- .dbx
- .dc2
- .dcr
- .dcs
- .ddd
- .ddoc
- .ddrw
- .dds
- .def
- .der
- .des
- .design
- .dgc
- .dgn
- .dit
- .djvu
- .dng
- .doc
- .docm
- .docx
- .dot
- .dotm
- .dotx
- .drf
- .drw
- .dtd
- .dwg
- .dxb
- .dxf
- .dxg
- .edb
- .eml
- .eps
- .erbsql
- .erf
- .exf
- .fdb
- .ffd
- .fff
- .fh
- .fhd
- .fla
- .flac
- .flb
- .flf
- .flv
- .flvv
- .forge
- .fpx
- .fxg
- .gbr
- .gho
- .gif
- .gray
- .grey
- .groups
- .gry
- .h
- .hbk
- .hdd
- .hpp
- .html
- .ibank
- .ibd
- .ibz
- .idx
- .iif
- .iiq
- .incpas
- .indd
- .info
- .info_
- .ini
- .iwi
- .jar
- .java
- .jnt
- .jpe
- .jpeg
- .jpg
- .js
- .json
- .k2p
- .kc2
- .kdbx
- .kdc
- .key
- .kpdx
- .kwm
- .laccdb
- .lbf
- .lck
- .ldf
- .lit
- .litemod
- .litesql
- .lock
- .log
- .ltx
- .lua
- .m
- .m2ts
- .m3u
- .m4a
- .m4p
- .m4v
- .ma
- .mab
- .mapimail
- .max
- .mbx
- .md
- .mdb
- .mdc
- .mdf
- .mef
- .mfw
- .mid
- .mkv
- .mlb
- .mmw
- .mny
- .money
- .moneywell
- .mos
- .mov
- .mp3
- .mp4
- .mpeg
- .mpg
- .mrw
- .msf
- .msg
- .myd
- .nd
- .ndd
- .ndf
- .nef
- .nk2
- .nop
- .nrw
- .ns2
- .ns3
- .ns4
- .nsd
- .nsf
- .nsg
- .nsh
- .nvram
- .nwb
- .nx2
- .nxl
- .nyf
- .oab
- .obj
- .odb
- .odc
- .odf
- .odg
- .odm
- .odp
- .ods
- .odt
- .ogg
- .oil
- .omg
- .one
- .orf
- .ost
- .otg
- .oth
- .otp
- .ots
- .ott
- .p12
- .p7b
- .p7c
- .pab
- .pages
- .pas
- .pat
- .pbf
- .pcd
- .pct
- .pdb
- .pdd
- .pef
- .pem
- .pfx
- .php
- .pif
- .pl
- .plc
- .plus_muhd
- .pm
- .pm!
- .pmi
- .pmj
- .pml
- .pmm
- .pmo
- .pmr
- .pnc
- .pnd
- .png
- .pnx
- .pot
- .potm
- .potx
- .ppam
- .pps
- .ppsm
- .ppsx
- .ppt
- .pptm
- .pptx
- .prf
- .private
- .ps
- .psafe3
- .psd
- .pspimage
- .pst
- .ptx
- .pub
- .pwm
- .py
- .qba
- .qbb
- .qbm
- .qbr
- .qbw
- .qbx
- .qby
- .qcow
- .qcow2
- .qed
- .qtb
- .r3d
- .raf
- .rar
- .rat
- .raw
- .rdb
- .re4
- .rm
- .rtf
- .rvt
- .rw2
- .rwl
- .rwz
- .s3db
- .safe
- .sas7bdat
- .sav
- .save
- .say
- .sd0
- .sda
- .sdb
- .sdf
- .sh
- .sldm
- .sldx
- .slm
- .sql
- .sqlite
- .sqlite-shm
- .sqlite-wal
- .sqlite3
- .sqlitedb
- .sr2
- .srb
- .srf
- .srs
- .srt
- .srw
- .st4
- .st5
- .st6
- .st7
- .st8
- .stc
- .std
- .sti
- .stl
- .stm
- .stw
- .stx
- .svg
- .swf
- .sxc
- .sxd
- .sxg
- .sxi
- .sxm
- .sxw
- .tax
- .tbb
- .tbk
- .tbn
- .tex
- .tga
- .thm
- .tif
- .tiff
- .tlg
- .tlx
- .txt
- .upk
- .usr
- .vbox
- .vdi
- .vhd
- .vhdx
- .vmdk
- .vmsd
- .vmx
- .vmxf
- .vob
- .vpd
- .vsd
- .wab
- .wad
- .wallet
- .war
- .wav
- .wb2
- .wma
- .wmf
- .wmv
- .wpd
- .wps
- .x11
- .x3f
- .xis
- .xla
- .xlam
- .xlk
- .xlm
- .xlr
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xltx
- .xlw
- .xml
- .xps
- .xxx
- .ycbcra
- .yuv
- .zip
It renames encrypted files using the following names:
- {random name}.cerber3
It terminates itself if it detects it is being run in a virtual environment.
It does the following:
- It terminates itself if found running in any of the following countries:
- Armenia
- Azerbaijan
- Belarus
- Georgia
- Kyrgyzstan
- Kazakhstan
- Moldova
- Russia
- Turkmenistan
- Tajikistan
- Ukraine
- Uzbekistan
- It avoids encrypting the following files:
- bootsect.bak
- iconcache.db
- ntuser.dat
- thumbs.db
- It skips to encrypt the following paths:
- :\\$recycle.bin\\
- :\\$windows.~bt\\
- :\\boot\\
- :\\documents and settings\\all users\\
- :\\documents and settings\\default user\\
- :\\documents and settings\\localservice\\
- :\\documents and settings\\networkservice\\
- :\\program files\\
- :\\program files (x86)\\
- :\\programdata\\
- :\\recovery\\
- :\\recycler\\
- :\\users\\all users\\
- :\\windows\\
- :\\windows.old\\
- \\appdata\\local\\
- \\appdata\\locallow\\
- \\appdata\\roaming\\adobe\\flash player\\
- \\appData\\roaming\\apple computer\\safari\\
- \\appdata\\roaming\\ati\\
- \\appdata\\roaming\\intel\\
- \\appdata\\roaming\\intel corporation\\
- \\appdata\\roaming\\google\\
- \\appdata\\roaming\\macromedia\\flash player\\
- \\appdata\\roaming\\mozilla\\
- \\appdata\\roaming\\nvidia\\
- \\appdata\\roaming\\opera\\
- \\appdata\\roaming\\opera software\\
- \\appdata\\roaming\\microsoft\\internet explorer\\
- \\appdata\\roaming\\microsoft\\windows\\
- \\application data\\microsoft\\
- \\local settings\\
- \\public\\music\\sample music\\
- \\public\\pictures\\sample pictures\\
- \\public\\videos\\sample videos\\
- \\tor browser\\
- It executes the dropped VBS component which is responsible for speaking the following message:
- "Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!"
- It deletes all shadow copies by executing the following command:
- vssadmin.exe delete shadows /all /quiet
WMIC.exe shadowcopy delete
- vssadmin.exe delete shadows /all /quiet
- It disables Windows Startup Repair by executing the following command:
- bcdedit.exe /set {default} recoveryenabled no
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- It is configured to target related files under the following folders:
- :\\documents and settings\\all users\\documents\\
- \\appdata\\roaming\\microsoft\\office\\
- \\excel\\
- \\microsoft sql server\\
- \\onenote\\
- \\outlook\\
- \\powerpoint\\
- \\steam\\
- \\the bat!\\
- \\thunderbird\\
It deletes the initially executed copy of itself
NOTES:
This ransomware changes the wallpaper with the following image:
It opens the dropped ransom notes after encrypting the files:
It makes sure that no automation is accessing their servers by adding captcha in their payment system:
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Scan your computer with your Trend Micro product and note files detected as RANSOM_CERBER.DLEZ
Step 4
Restart in Safe Mode
Step 5
Search and delete these files
- {folders containing encrypted files}\# HELPDECRYPT #.html
- {folders containing encrypted files}\# HELPDECRYPT #.txt
- {folders containing encrypted files}\# HELPDECRYPT #.url
- %Desktop%\# HELPDECRYPT #.html
- %Desktop%\# HELPDECRYPT #.txt
- %Desktop%\# HELPDECRYPT #.url
- %Application Data%\{random file names}
- %Application Data%\{filename}.png
Step 6
Restart in normal mode and scan your computer with your Trend Micro product for files detected as RANSOM_CERBER.DLEZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 7
Restore encrypted files from backup.
Did this description help? Tell us how we did.