New variant of Cerber Ransomware Spotted in the Wild (Aug 26, 2016).
The Dell Sonicwall Threats Research team observed reports of a new variant family of Cerber [GAV: Cerber.B_1] actively spreading in the wild.
Cerber encrypts the victim's files with a strong encryption algorithm and withholds them until the victim pays a fee to get them back.
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image001.png)
Infection Cycle:
The Malware uses the following icon:
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image002.png)
The Malware adds the following files to the system:
- Encrypted.exe
- %Userprofile%\Application Data\{3FF660B5-E586-7A17-366C-2ED2759DA927}\lpq.exe
The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- %Userprofile%\Application Data\{3FF660B5-E586-7A17-366C-2ED2759DA927}\lpq.exe
Once the computer is compromised, the malware copies itself to the %Userprofile%\Application Data folder and deletes the original executable.
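As an added defender-side check that is not part of the advisory, the following Python flags registry values whose command line points at an executable under %Userprofile%\Application Data\{GUID}\, the drop location and persistence key described above. The key name comes from the advisory; the sample values are constructed, and the live key is only read on Windows.

```python
import re
import sys

# Persistence key named in the advisory (relative to HKEY_CURRENT_USER).
PERSISTENCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Matches an executable inside %Userprofile%\Application Data\{GUID}\, either with the
# literal %Userprofile% variable or with an expanded C:\Users\<name> style prefix.
_DROP_PATH = re.compile(
    r'(?:%userprofile%|[a-z]:\\(?:users|documents and settings)\\[^\\"]+)'
    r'\\application data\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[^\\"]+\.exe',
    re.IGNORECASE,
)

def is_cerber_style_autorun(value_data: str) -> bool:
    """True if a registry value's data points at a Cerber.B_1-style drop path."""
    return _DROP_PATH.search(value_data) is not None

def scan_autorun_values(values: dict) -> list:
    """Return the names of the registry values whose data match the drop pattern."""
    return [name for name, data in values.items() if is_cerber_style_autorun(data)]

def read_live_values() -> dict:
    """On Windows, read the advisory's persistence key from HKCU; elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PERSISTENCE_KEY) as key:
            i = 0
            while True:
                name, data, _type = winreg.EnumValue(key, i)  # raises OSError at the end
                if isinstance(data, str):
                    values[name] = data
                i += 1
    except OSError:
        pass  # key absent or enumeration finished
    return values

# Constructed sample values (not taken from a real host): one policy setting, one entry
# mirroring the advisory's drop path, and one legitimate AppData autorun that must not match.
SAMPLE_VALUES = {
    "NoDriveTypeAutoRun": "0x91",
    "lpq": r'"%Userprofile%\Application Data\{3FF660B5-E586-7A17-366C-2ED2759DA927}\lpq.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    print("flagged:", scan_autorun_values(read_live_values() or SAMPLE_VALUES))
```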
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image003.png)
After encrypting all personal documents and files, the malware displays the following web pages:
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image004.png)
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image005.png)
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image006.png)
It demands that victims pay using Bitcoin in order to receive the decryption key that allows them to recover their files. The malware has some guidelines for how to purchase Bitcoins:
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image007.png)
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image008.png)
Command and Control (C&C) Traffic
The Malware performs C&C communication over TCP and UDP ports. It sends the system UID to its C&C server in the following format; here are some examples:
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image009.png)
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image010.png)
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image011.png)
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
![](http://software.sonicwall.com/gav/Cerber.B_1_files/image012.png)
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Cerber.B_1 (Trojan)