Ransom.Win32.CERBER.B

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It encrypts files with specific file extensions. It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{8 Random Characters}\{4 Random Characters}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\netsh.exe advfirewall set allprofiles state on
• %System%\netsh.exe advfirewall reset
• %System%\netsh.exe advfirewall firewall add rule name="{10 Random Characters}" dir=out action=block program="%Program Files%\Windows Defender\MpCmdRun.exe"
• %System%\netsh.exe advfirewall firewall add rule name="{10 Random Characters}" dir=out action=block program="%Program Files%\Windows Defender\MSASCui.exe"
• %Desktop%\_R_E_A_D___T_H_I_S___{Random Characters}_.txt
• %Desktop%\_R_E_A_D___T_H_I_S___{Random Characters}_.hta

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It executes then deletes itself afterward.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• shell.{Infected Machine's GUID}

Other System Modifications

This Ransomware changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USERS\Control Panel\Desktop
Wallpaper = %User Temp%\tmp{4 Random Characters}.bmp

Other Details

This Ransomware connects to the following possibly malicious URL:

• http://{BLOCKED}.{BLOCKED}.158.0 to http://{BLOCKED}.{BLOCKED}.158.31 on Port 6893 → Sends out hashed gathered information
• http://{BLOCKED}.{BLOCKED}.159.0 to http://{BLOCKED}.{BLOCKED}.159.31 on Port 6893 → Sends out hashed gathered information
• http://{BLOCKED}.{BLOCKED}.160.0 to http://{BLOCKED}.{BLOCKED}.163.255 on Port 6893 → Sends out hashed gathered information

It does the following:

• It avoids encrypting the files in the system if the machine's language is included in the following:
  • 1049 = Russian
  • 1058 = Ukrainian
  • 1059 = Belarusian
  • 1064 = Tajik
  • 1067 = Armenian - Armenia
  • 1068 = Azeri (Latin)
  • 1079 = Georgian
  • 1087 = Kazakh
  • 1088 = Kyrgz (Cyrilic)
  • 1090 = Turkmen
  • 1091 = Uzbek (Latin)
  • 1092 = Tatar
  • 2072 = Romanian - Moldava
  • 2073 = Russian - Moldava
  • 2092 = Azeri (Cyrillic)
  • 2115 = Uzbek (Cyrillic)
• It gathers the following information and sends it to the malicious URLs to establish connection:
  • Machine GUID
  • OS Information
  • If the machine is a 64-bit machine
  • If the user is an administrator
  • Total count of files
  • Reason for malware to stop executing
  • Status information
• It connects to the following URLs upon opening the .HTA ransom note or generating a new link:
  • http://api.{BLOCKED}ypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_={13 Random Characters}
  • http://btc.{BLOCKED}.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_={13 Random Characters}
  • http://{BLOCKED}.com
  • http://{BLOCKED}n.so
• It skips the first 1,800 bytes in encrypting the files.
• It does not encrypt the file if the file size is less than 2048 bytes.

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .123
• .1cd
• .3dm
• .3ds
• .3fr
• .3g2
• .3gp
• .3pr
• .602
• .7z
• .7zip
• .aac
• .ab4
• .abd
• .acc
• .accdb
• .accde
• .accdr
• .accdt
• .ach
• .acr
• .act
• .adb
• .adp
• .ads
• .aes
• .agdl
• .ai
• .aiff
• .ait
• .al
• .aoi
• .apj
• .apk
• .arc
• .arw
• .ascx
• .asf
• .asm
• .asp
• .aspx
• .asset
• .asx
• .atb
• .avi
• .awg
• .back
• .backup
• .backupdb
• .bak
• .bank
• .bat
• .bay
• .bdb
• .bgt
• .bik
• .bin
• .bkp
• .blend
• .bmp
• .bpw
• .brd
• .bsa
• .bz2
• .c
• .cash
• .cdb
• .cdf
• .cdr
• .cdr3
• .cdr4
• .cdr5
• .cdr6
• .cdrw
• .cdx
• .ce1
• .ce2
• .cer
• .cfg
• .cfn
• .cgm
• .cib
• .class
• .cls
• .cmd
• .cmt
• .config
• .contact
• .cpi
• .cpp
• .cr2
• .craw
• .crt
• .crw
• .cry
• .cs
• .csh
• .csl
• .csr
• .css
• .csv
• .d3dbsp
• .dac
• .das
• .dat
• .db
• .db3
• .db_journal
• .dbf
• .dbx
• .dc2
• .dch
• .dcr
• .dcs
• .ddd
• .ddoc
• .ddrw
• .dds
• .def
• .der
• .des
• .design
• .dgc
• .dgn
• .dif
• .dip
• .dit
• .djv
• .djvu
• .dng
• .doc
• .docb
• .docm
• .docx
• .dot
• .dotm
• .dotx
• .drf
• .drw
• .dtd
• .dwg
• .dxb
• .dxf
• .dxg
• .edb
• .eml
• .eps
• .erbsql
• .erf
• .exf
• .fdb
• .ffd
• .fff
• .fh
• .fhd
• .fla
• .flac
• .flb
• .flf
• .flv
• .forge
• .fpx
• .frm
• .fxg
• .gbr
• .gho
• .gif
• .gpg
• .gray
• .grey
• .groups
• .gry
• .gz
• .h
• .hbk
• .hdd
• .hpp
• .html
• .hwp
• .ibank
• .ibd
• .ibz
• .idx
• .iif
• .iiq
• .incpas
• .indd
• .info
• .info_
• .iwi
• .jar
• .java
• .jnt
• .jpe
• .jpeg
• .jpg
• .js
• .json
• .k2p
• .kc2
• .kdbx
• .kdc
• .key
• .kpdx
• .kwm
• .laccdb
• .lay
• .lay6
• .lbf
• .lck
• .ldf
• .lit
• .litemod
• .litesql
• .lock
• .ltx
• .lua
• .m
• .m2ts
• .m3u
• .m4a
• .m4p
• .m4u
• .m4v
• .ma
• .mab
• .mapimail
• .max
• .mbx
• .md
• .mdb
• .mdc
• .mdf
• .mef
• .mfw
• .mid
• .mkv
• .mlb
• .mml
• .mmw
• .mny
• .money
• .moneywell
• .mos
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .mrw
• .ms11
• .msf
• .msg
• .mts
• .myd
• .myi
• .nd
• .ndd
• .ndf
• .nef
• .nk2
• .nop
• .nrw
• .ns2
• .ns3
• .ns4
• .nsd
• .nsf
• .nsg
• .nsh
• .nvram
• .nwb
• .nx2
• .nxl
• .nyf
• .oab
• .obj
• .odb
• .odc
• .odf
• .odg
• .odm
• .odp
• .ods
• .odt
• .ogg
• .oil
• .omg
• .one
• .onenotec2
• .orf
• .ost
• .otg
• .oth
• .otp
• .ots
• .ott
• .p12
• .p7b
• .p7c
• .pab
• .pages
• .paq
• .pas
• .pat
• .pbf
• .pcd
• .pct
• .pdb
• .pdd
• .pdf
• .pef
• .pem
• .pfx
• .php
• .pif
• .pl
• .plc
• .plus_muhd
• .pm
• .pm!
• .pmi
• .pmj
• .pml
• .pmm
• .pmo
• .pmr
• .pnc
• .pnd
• .png
• .pnx
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptx
• .prf
• .private
• .ps
• .psafe3
• .psd
• .pspimage
• .pst
• .ptx
• .pub
• .pwm
• .py
• .qba
• .qbb
• .qbm
• .qbr
• .qbw
• .qbx
• .qby
• .qcow
• .qcow2
• .qed
• .qtb
• .r3d
• .raf
• .rar
• .rat
• .raw
• .rb
• .rdb
• .re4
• .rm
• .rtf
• .rvt
• .rw2
• .rwl
• .rwz
• .s3db
• .safe
• .sas7bdat
• .sav
• .save
• .say
• .sch
• .sd0
• .sda
• .sdb
• .sdf
• .secret
• .sh
• .sldm
• .sldx
• .slk
• .slm
• .sql
• .sqlite
• .sqlite-shm
• .sqlite-wal
• .sqlite3
• .sqlitedb
• .sr2
• .srb
• .srf
• .srs
• .srt
• .srw
• .st4
• .st5
• .st6
• .st7
• .st8
• .stc
• .std
• .sti
• .stl
• .stm
• .stw
• .stx
• .svg
• .swf
• .sxc
• .sxd
• .sxg
• .sxi
• .sxm
• .sxw
• .tar
• .tax
• .tbb
• .tbk
• .tbn
• .tex
• .tga
• .tgz
• .thm
• .tif
• .tiff
• .tlg
• .tlx
• .txt
• .uop
• .uot
• .upk
• .usr
• .vb
• .vbox
• .vbs
• .vdi
• .vhd
• .vhdx
• .vmdk
• .vmsd
• .vmx
• .vmxf
• .vob
• .vpd
• .vsd
• .wab
• .wad
• .wallet
• .war
• .wav
• .wb2
• .wk1
• .wks
• .wma
• .wmf
• .wmv
• .wpd
• .wps
• .x11
• .x3f
• .xis
• .xla
• .xlam
• .xlc
• .xlk
• .xlm
• .xlr
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .xps
• .xxx
• .ycbcra
• .yuv
• .zip

It avoids encrypting files with the following strings in their file name:

• bootsect.bak
• iconcache.db
• ntuser.dat
• thumbs.db

It avoids encrypting files with the following strings in their file path:

• \$getcurrent\
• \$recycle.bin\
• \$windows.~bt\
• \$windows.~ws\
• \boot\
• \documents and settings\all users\
• \documents and settings\default user\
• \documents and settings\localservice\
• \documents and settings\networkservice\
• \intel\
• \msocache\
• \perflogs\
• \program files (x86)\
• \program files\
• \programdata\
• \recovery\
• \recycled\
• \recycler\
• \system volume information\
• \temp\
• \windows.old\
• \windows10upgrade\
• \windows\
• \winnt\
• \appdata\local\
• \appdata\locallow\
• \appdata\roaming\
• \local settings\
• \public\music\sample music\
• \public\pictures\sample pictures\
• \public\videos\sample videos\
• \tor browser\

It renames encrypted files using the following names:

• {10 Random Characters}.ab22

It drops the following file(s) as ransom note:

• {Infected Folders}\_R_E_A_D___T_H_I_S___{Random Characters}_.hta
  
• {Infected Folders}\_R_E_A_D___T_H_I_S___{Random Characters}_.txt
  

It avoids encrypting files with the following file extensions:

• .cpl
• .dll
• .exe
• .hta
• .msc
• .msi
• .msp
• .pfi
• .scf
• .scr
• .sys
• .ab22