Cerber ransom payment doubles (Nov 23, 2016)
The Cerber Ransomware continues to spread and generate income for its operators. We have covered this Ransomware family in a previous SonicALERT back in August but it has since evolved and some details about its internal operations and presentation have changed. For example, a new information page is used and the ransom has now doubled in value from $500 to $1000 since August. This increase in price is a strong indicator of past success.
Infection Cycle:
The latest variant of this trojan uses the following icon:
The Trojan makes the following DNS requests:
vyohacxzoue32vvk.3sc3f8.bid
btc.blockr.io
The Trojan adds the following files to the filesystem:
- %SYSTEMROOT%\README.hta (ransom information page)
- %USERPROFILE%\Local Settings\Temp\README.hta (ransom information page)
It then encrypts various files on the filesystem and renames them to {10 random alphanumeric characters}.9d4b. It copies README.hta to every directory that contains the newly encrypted files.
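The renaming pattern and the note-dropping behaviour described above give a simple host-side check. The following Python script is an added example, not SonicWALL code: it walks a directory tree, reports files whose names match the {10 alphanumeric}.9d4b pattern, and flags directories where README.hta sits beside such files (the strongest signal, since the Trojan copies the note next to what it encrypts). The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# File-name pattern described in the alert: ten random alphanumeric
# characters followed by the .9d4b extension.
ENCRYPTED_NAME = re.compile(r"^[A-Za-z0-9]{10}\.9d4b$")
RANSOM_NOTE = "README.hta"


def scan_for_cerber_artifacts(root):
    """Walk `root` and return the artifacts named in the alert.

    encrypted: paths matching {10 alnum}.9d4b
    notes:     directories containing README.hta
    pairs:     directories holding both (note dropped beside encrypted files)
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            notes.append(dirpath)
        for name in files:
            if ENCRYPTED_NAME.match(name):
                encrypted.append(os.path.join(dirpath, name))
    pairs = sorted({os.path.dirname(p) for p in encrypted} & set(notes))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "pairs": pairs}


def build_sample_tree():
    """Create a constructed directory tree (not a real infection) for testing."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "aB3dE5fG7h.9d4b").write_bytes(b"\x00" * 16)  # constructed "encrypted" file
    (docs / "Xy9zW8vU7t.9d4b").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("<html>constructed note placeholder</html>")
    clean = Path(root, "Pictures")
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (clean / "short.9d4b").write_bytes(b"x")  # wrong stem length: must not be flagged
    return root


if __name__ == "__main__":
    for key, value in scan_for_cerber_artifacts(build_sample_tree()).items():
        print(key, value)
```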
It displays the following information on the desktop background:
The links lead to a website located on the Tor network:
The Trojan reports its infection to a remote C&C/key server:
It checks the status of the supplied bitcoin address that requires funding to verify payment:
Upon inspecting the transaction activity of the bitcoin address we can see that it is still generating income at the time of writing this alert. It has generated the equivalent of almost $21,000 for its operators so far. This is not the only bitcoin address used. We have observed other bitcoin addresses being used to pay the required ransom:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Cerber.HM (Trojan)