Cerber ransomware first appeared in February 2016, and according to initial reports (by SenseCy) it was offered in the form of Ransomware-as-a-Service (RaaS), where affiliates can join in order to distribute the ransomware, while the Cerber developers earn a commission from each ransom payment. Cyren is now detecting fresh outbreaks of Cerber ransomware being distributed using variants of a popular malware distribution tool known as “Nemucod”.
Cerber ransom message on victim’s PC
We started seeing this variant late last year. The current versions include minor modification to avoid being detected including a lot of garbage code such as useless functions and variables. The malicious code is inserted in a function in between garbage codes and is not hidden by any encryption.
The malware code is just a few lines. Cleaning up the garbage code enables us to easily identify the goal of the malware: try to download a file and execute it. The download filename “cer.jpg” already provides a hint about the payload. Once downloaded, the .jpg extension is replaced with .exe allowing execution of the ransomware.
For this wave, slightly more effort was put into hiding the malware code. The file also contains garbage code and the encryption routine is put in a Function Constructor.
With a little bit of magic dust (modification to the file), the malware code is revealed! The code is much longer but the behavior is the same. It will try to download the payload “cer.jpg” on the same site.
Late last year, this same site was used to download the payload “c.jpg”. As shown above, the same address 188.8.131.52 is now hosting “cer.jpg”. We note that 184.108.40.206 has a history of distributing other malware.
Hashes of the files used for this blog:
- DOC8342682916-PDF.js – 1350a98acfe1eea524f8122c4b85b47031e3a610eaa9305430fbe50d2eed4ee2
- DOC6248311426-PDF.js – d122f97d5ff55594254d25853bc6b891206c8a1e77e4425a5a986e03eb98606c
- Cerber Ransomware Payload: cer.jpg – 0b0470c1e0494cce7f2f638841070bc9e2d5ae239379681a60166999356b7da7
Once activated the Cerber ransomware encrypts a wide range of document and image files and then places the following message in each folder. There is currently no free decryptor available for Cerber.
Additional information provided by Cyren researchers Maharlito Aquino and Igor Glik.