Cerber ransom payment doubles (Nov 23, 2016)


The Cerber Ransomware continues to spread and generate income for its operators. We have covered this Ransomware family in a previous SonicALERT back in August but it has since evolved and some details about its internal operations and presentation have changed. For example, a new information page is used and the ransom has now doubled in value from $500 to $1000 since August. This increase in price is a strong indicator of past success.

Infection Cycle:

The latest variant of this trojan uses the following icon:

The Trojan makes the following DNS requests:

  • vyohacxzoue32vvk.3sc3f8.bid
  • btc.blockr.io

The Trojan adds the following files to the filesystem:

  • %SYSTEMROOT%README.hta (ransom information page)
  • %USERPROFILE%Local SettingsTempREADME.hta (ransom information page)

It then encrypts various files on the filesystem and renames them to {10 random alphanumeric characters}.9d4b. It copies README.hta to every directory that contains the newly encrypted files.

It displays the following information on the desktop background:

The links lead to a website located on tOR network:

The Trojan reports its infection to a remote C&C/key server:

It checks the status of the supplied bitcoin address that requires funding to verify payment:

Upon inspecting the transaction activity of the bitcoin address we can see that it is still generating income at the time of writing this alert . It has generated the equivalent of almost $21,000 for its operators so far. This is not the only bitcoin address used. We have observed other bitcoin addresses being used to pay the required ransom:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cerber.HM (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.