​The Evolution of Cerber Ransomware

Ransomware-as-a-Service (RaaS) offering was first identified around May 2015. RaaS is built with an objective to remove the technical hurdles for amateur cyber criminals by providing configurable components, which can be customized as needed based upon the runner's target demography, support services, and the target customers. As a result, the ransomware-derived revenues have reached a new threshold and over the past year hackers have honed and refined their business approach. As of 2016, it is widely believed that ransomware acts as one of the most profitable malware markets to date, which is minting money for cyber criminals and dark web operators.

Cerber, perhaps is the most profitable ransomware among the latest ransomware campaigns. According to the analysis of statistics from counter-compromised affiliate panels, this campaign generated $2.5M in 2016, based on a 40% cut of overall revenues. Having emerged in late February 2016, the Cerber malware has released more than ten editions within 8 months of its operation. Every new variant is featured with external changes, propagation tweaks, and code improvements. In this article, we are going to highlight these versions and provide a big picture of how Cerber malware is evolving.

1) Cerber Version 1

The very first version of Cerber malware was distributed through the Magnitude and Nuclear exploit kits, which had taken the advantage of a 0day Flash exploit. Once the malware entered into the system it began to engage the phishing vector which was completely dependent on the use of harmful email attachments. This malware was intelligent enough to discontinue the attack if the system detected the victim was using Russian interface of Windows operating system.

The first version of Cerber used JSON configuration file, which restricted itself from affecting the people living in a number of Eastern European states. The Trojan was designed to scan all local and external drives along with mapped and unmapped network to find the data entries with extensions that matched its hard-coded list. Then, it encrypted the system's data with AES cipher and appended the .cerber suffix. Besides, once the data is encrypted with AES Cipher the offending program dropped many ransom notes such as # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. It made Cerber Version 1 as the first ransomware which literally gave the warning message to its victims.

2) Cerber2

The second version of the Cerber malware was discovered in August 2016. Unlike its predecessor, Cerber V2 used a dominant spreading technique, which revolved around social engineering rather than the use of exploit kits. Hackers opted to exploit the known vulnerabilities of Microsoft Office macros to infect the system. The targeted people or say windows users would receive a phishing mail with an attachment of .docm files. When downloaded, this document opened up as a blank file and prompts the user to enable macros and to view the content/data. When the user enables macros, the malware is downloaded behind the scene.

Besides, in this version, Cerber Malware has used a different extension to brand the encrypted files viz .cerber2, hence the name of this version. The set of ransom notes remained the same, which are # DECRYPT MY FILES # in .html, .txt and .vbs formats. Added to this, in the second version of this malware, the victim's desktop background was replaced with a scary text that reflected the initial data restoration demands. The warning message had six URLs, including Tor-protected .onion.

3) Cerber3

Cerber Version 2 was short-lived and within a month another version of Cerber was released. Although the differences between V2 and V3 were entirely external, the cryptographic properties remained unaltered. Cerber3 used the same strategy - changing the system desktop background with the same color scheme and wording as in V2. This update only introduced a few superficial adjustments.

4) Cerber 4

The variant currently in the circulation was discovered in early October 2016. As opposed to its forerunner, this edition of Cerber has quite a few new features and enhancements under the hood. It broke the previous successive pattern of encrypted file extensions format viz .cerber[version number]. Instead, it had a random four-character string, which affected every data stored in the system. This new algorithm results in transforming the targeted filename into an entry like oeFKrsVXXv.96b3. The file extension is preceded by 10 gibberish characters.

In Cerber version 4, the victim's files are encoded with the following register key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. The corresponding value is unique to every victim which consists of five hyphenated blocks of hexadecimal characters. Amongst five blocks, the fourth block of the string acts as a new extension that the malware fetches and concatenates to the enciphered files. The malware also uses the first three blocks of the MachineGuid to assign different names to files including the ransomware folder.

Another notable change identified in Cerber ransomware version 4 is its alert message. Unlike its previous version, in V4 the malware creates a single edition of its decryption method called Readme.hta. It is an HTML application which allows the victims to choose their language to read the message. The Cerber ransomware decryptor message says that victims ought to buy a new Cerber decryptor software within five days and if they fail to buy the software, the cost will double. Besides, a countdown timer is integrated into the page that shows the time left to pay the ransom. A noteworthy enhancement of V4 is its Anti-VM technique, which prevents any security tools from accessing the ransomware code in an isolated environment. It is one of the reasons why researchers haven't succeeded in developing a decryption tool.

5) Cerber Ransomware 4.1.1

In this version, for the first time, hackers added the version number of the Cerber malware and this version was released on November 1^st 2016, roughly a month after its previous version. In order to find out the earlier versions of the ransomware, researchers had to reverse engineer the ransomware code. However, this hurdle is no longer an issue as the version number is directly displayed on the desktop wallpaper.

The ransom message of this version reads "Your documents, photos, databases and other important files have been encrypted by Cerber Ransomware 4.1.1." The decryption methods displayed on the wallpaper is same as of its previous version which both analysts and victims are familiar with. Furthermore, in this version, the trojan completely scrambles the documents stored in the system and changes them into random 10-character strings.

6) Cerber Ransomware 4.1.5

The new version of Cerber ransomware was discovered a week later after the previous variant emerged. As in the previous versions, the same ransomware message was displayed, but the version number was replaced with 4.1.5. The ransom notes still used Readme.hta application. Apart from that, there are no significant changes in this version.

Cerber ransomware 4.1.5 uses the social engineering strategy. The carrier of this malware is a Zip file attachment which is camouflaged as an invoice. When the recipient opens the document, it displays nothing and prompts the user to click on "Enable Editing", "Enable Macros" and "Enable Content" by surpassing the security warning messages. It is the most exploited trick, which results in activating macros, which in turn acts as a medium to execute malware code remotely. Another noteworthy characteristic of this version is that it extensively harvests victim's information and transmits these details to C&C servers. This feature clearly indicates that it is not just a ransomware tool, but also a data mining tool, which gives a way to identity theft.

7) Cerber Ransomware 4.1.6

Cerber, with its sophisticated features, has continued to instill fear amongst victims. This version acts as the biggest threat to enterprises as it is designed to utilize a more versatile range of malicious vectors, which use spam and rogue software installers as their medium. Added to this, the cyber criminals were found to use torrent websites to host and distribute malware, thus increasing the number of victims at a rapid pace.

Furthermore, Cerber ransomware 4.1.6 is designed to target the computers that consist of a huge database. This is a wakeup call for companies, particularly those that hold terabytes of customer data and rely on this database to carry out their day-to-day operation. Once the company's machine is infected, the malware spreads across the corporate network and encrypts the entire database. A stronger focus on a large database made the new version of Cerber ransomware even more dangerous.

8) Cerber Ransomware 5.0.0

The Cerber ransomware versions 5.0.0 and 5.0.1 looks similar and are not different from its V4 series. This version still sticks to the same desktop wallpaper theme where the new version number is indicated. It replaces the file name with random 10-Hexadecimal numbers followed by a four-character extension, which is unique to every computer. Nonetheless, the new variants of Cerber have an enhanced proliferation technology, which relies on exploit kit known as RIG-V. It is a high profile ransomware deployment tool that operates through a network of compromised websites and exploits the vulnerabilities found in the software to execute the malware code on computers. Unlike previous proliferation tools, this exploit kit is considered as a "VIP" edition.

9) Cerber HELP_HELP_HELP edition

This edition of Cerber ransomware was discovered in late January 2017. In this version, the ransomware message is highlighted in Red and text is displayed in White color. The mix of Black and Green was put to an end with this version. Although it is purely a cosmetic change, the ransom notes are replaced from readme.hta to HELP_HELP_HELP_(random_8_characters). The HTA represents an HTML application which allows for some customization i.e. the victim is allowed to select the language.

The recovery instructions are similar to its previous version where the victim is expected to download and install .TOR browser to visit the hacker's personal decryption page. In earlier version, cyber criminals gave a grace period of 5 days to pay the ransom, but in this version they have given a grace period of 7 days and if victim fails to pay within the grace time, the ransom will double. Other than the cosmetic changes and the new type of ransom note, it is similar to its predecessors.

10) Cerber's latest Version – RANSOM_CERBER.A

The latest version of Cerber is RANSOM_CERBER. It was discovered in March 2017. This ransomware variant is distributed through malicious ads and uses Nuclear exploit kit. This tool kit is known for exploiting unpatched software such as Java, Acrobat Reader, Adobe Flash Player and Apple QuickTime. RANSOM_CERBER.A encrypts the photos, documents and other files stored in the system after which the victim is instructed to pay the ransom ranging from 1.24 bitcoins to 2.48 bitcoins. In this version, Cerber will trick the user to open a Dropbox link, which is completely controlled by the hacker. As soon as the link is opened, the Cerber payload will be downloaded automatically and extracted, without any user interaction.

Another noteworthy characteristic of this variant is that unlike its previous version, the ransom message is given through a computer-generated voice message. Similar to its predecessors, if the victims fail to pay within the grace time, the ransom will double. According to the Griffin reports, a majority of the victims are from United Kingdom and this malware is expected to spread its wings over time. The most interesting part of this malware is that if it identifies itself running in counties from the Commonwealth of Independent States such as Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine, it terminates itself and does not harm the users data.

Besides, this version of Cerber malware was discovered to be using WSF (Windows Script Files) via double zipped files and sent as an email attachment. The unusual use of WSF helped this malware to bypass the spam filters and security software as the malicious files camouflaged itself as a legitimate invoice and billing document. Furthermore, the developers added a DDoS (Distributed Denial of Service) component to the malware. Unlike previous versions which merely encrypted the file – this version of Cerber malware integrates botnets, which are used to execute DDoS attacks.