Cerber Ransomware Is Not on Vacation This Summer

The well known Cerber ransomware continues to be active this summer. The size of the cryptolocker varies between 244 to 292 Kbytes, with the new builds spreading through spear phishing email campaigns targeting enterprises. The latest Cerber ransomware easily bypasses traditional defences. The analysed Cerber sample (MD5: cfd2d6f189b04d42618007fc9c540352) was only detected as a suspicious malicious object by nine out of 64 antiviruses on the first submission to Virustotal. The low detection rate can be explained by the fact that the cryptolocker is using a polymorphic encryptor and API call obfuscation to protect its copies from being detected by antiviruses.

Static analysis

The PE EXE file has a fake timestamp, Import Address Table and even Export Address Table.  

Export Address Table  

Hiding the payload

The latest builds of the Cerber’s code are even more protected with API call obfuscation. To hide the actual imports, Cerber loads them in runtime:  

The actual Import Address Table looks like this:  

Decrypting the configuration data

The configuration JSON data is encrypted and stored as RCDATA in the resource section:  

To decrypt the configuration data, Cerber goes through the following steps:

1. Imports the hard coded RC4 128-bit key from the BLOB data which is 28 bytes in size.  

2. Wipes the 128-bit encryption key from the memory with zeros after decryption:  

3. Calls the CryptEncrypt() function to decrypt the JSON config which is 107 171 bytes in size:  

Configuration parameters

The Cerber configuration contains the following information:

• Blacklist File extensions for the files not to be encrypted: bat, cmd, com, cpl, dll, exe, hta, msc, msi, msp, pif, scf, scr, sys Files:  Bootsect.bak Iconcache.db Ntuser.dat thumbs.db Folders that the cryptolocker should avoid when encrypting files: ":\\$getcurrent\\", ":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\$windows.~ws\\", ":\\boot\\", ":\\documents and settings\\all users\\", ":\\documents and settings\\default user\\", ":\\documents and settings\\localservice\\", ":\\documents and settings\\networkservice\\", ":\\intel\\", ":\\msocache\\", ":\\perflogs\\", ":\\program files (x86)\\", ":\\program files\\", ":\\programdata\\", ":\\recovery\\", ":\\recycled\\", ":\\recycler\\", ":\\system volume information\\", ":\\temp\\", ":\\windows.old\\", ":\\windows10upgrade\\", ":\\windows\\", ":\\winnt\\", "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\", "\\local settings\\", "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\", "\\tor browser\\" Languages that make OS protected from the cryptolocker: 1049: Russian, 1058: Ukrainian 1059: Belarusian, 1064: Tajik, 1067: Armenian, 1068: Azeri (Latin), 1079: Georgian, 1087: Kazakh, 1088: Kyrgyz (Cyrillic), 1090: Turkmen, 1091:  Uzbek (Latin), 1092 : Tatar (Russia), 2072: Romanian (Moldova),  2073: Russian (Moldova),  2092: Azeri (Cyrillic),  2115: Uzbek (Cyrillic).
• Whitelist Folders that should be encrypted: "\\bitcoin\\", "\\excel\\", "\\microsoft sql server\\", "\\microsoft\\excel\\", "\\microsoft\\microsoft sql server\\", "\\microsoft\\office\\", "\\microsoft\\onenote\\", "\\microsoft\\outlook\\", "\\microsoft\\powerpoint\\", "\\microsoft\\word\\", "\\office\\", "\\onenote\\", "\\outlook\\", "\\powerpoint\\", "\\steam\\", "\\the bat!\\", "\\thunderbird\\", "\\word\\"

Global RSA 2048-bit public key:

Traces on the hard disk

Once being unpacked, Cerber stores its temporary data and encryption keys in a subfolder named using the first part of the Machine GUID, inside the Temp folder. For example:

%Temp%\c36ab9c2

Encryption

Cerber uses RC4 and RSA algorithms for encryption. Every file is encrypted using the RC4 algorithm with a unique 128-bit key.

The file’s RC4 key is encrypted using a RSA-880 public session key generated on the victim’s machine. The prime numbers (p and q) used to calculate the RSA-880 session public key are encrypted using the RSA-2048 master public key delivered in the configuration data embedded in the cryptolocker’s file.

The prime numbers can be decrypted with the RSA-2048 master key by the attacker to restore the RSA-880 session private key through calculating a private key exponent (d) using the extended Euclidean algorithm.

The new file contains the encrypted RC4 key used to encrypt this file as well as the encrypted original file’s data, original filename, and checksum stored in a specific order. Cerber also adds a 60-byte block of randomly generated data into the middle of the file to complicate the encrypted file structure even more.

Key encryption

First, the RSA-2048 public key from the configuration file is decoded from Base64 to PEM format and then to PUBLICKEYBLOB:  

Once decoded, the CERT_PUBLIC_KEY_INFO structure contains a public key and its algorithm (OID_RSA_RSA "1.2.840.113549.1.1.1" - RSA is used to both encrypt and sign the content):  

The RSA-2048 public key is to be imported as PUBLICKEYBLOB.  

Then, Cerber creates another RSA public key but with an 880-bit modulus length and saves it to the temporary file:  

The RSA-2048 public key is used to encrypt an 114-byte block of data that consist of two prime numbers, each 55 bytes, generated for a RSA-880 public key that is used to encrypt the RC4 key and the 4-byte header that specifies the size of each block ‘37003700’:  

The encrypted block is stored in a tmp file in the %TEMP% folder and added to the end of every encrypted file:  

File encryption

Cerber encrypts a file using the RC4 algorithm with a 128-bit key generated for every file that will be encrypted.

After encryption, the file will contain the following data blocks:

The file with the encrypted data is renamed as:

Ransom notes

The ransom notes are stored in the folders together witht the encrypted files and are named in the following format:

At the end of the encryption, the cryptolocker sets the familiar Cerber-style wallpaper:  

The wallpaper bitmap is generated based on the parameters mentioned in the configuration data:

Communication

Cerber Connects to 6893 port on the IPs specified by CIDR in the config:

The communication packet starts with a hash consisting of the Machine GUID: {MD5_KEY} and ending with {PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}.

For example, Cerber tries to initiate a connection to the remote server from the range specified in the configuration data by sending a victim’s machine ID:  

Decryptor

The Decryption Service is available through Tor at http://xpcx6erilkjced3j.onion/<MACHINE_ID>. For example: http://xpcx6erilkjced3j.onion/AA8A-60D2-7EC2-0446-A314  

It requires solving the CAPTCHA  

It requires a payment of 0.045 Bitcoins in five days, otherwise the price will be doubled.  

Payment

The Bitcoin address used in the attack has not received any transaction yet.

Conclusion

• Cerber is spread through spear phishing email campaigns targeting enterprises.
• Cerber uses polymorphic encryption and API calls obfuscation to bypass antivirus protection.
• As in previous versions, it uses encrypted configuration data stored in a JSON format.
• It uses the encryption scheme of master RSA-2048 key -> session RSA-880 -> RC4-128.
• It is not possible to decrypt files without knowing the master private RSA-2048 key.
• Cerber tries to connect  to C&C using the IPs specified in the configuration data in order to send the encryption statistics.

The new version of Acronis Active Protection, which is part of Acronis True Image 2018 Beta, detects Cerber ransomware and instantly restores the affected files.

Acronis Active Protection constantly observes patterns in how data files are being changed on a system. One set of behaviors may be typical and expected. Another set of behaviors may signal a suspect process taking hostile action against files. The Acronis approach looks at these actions and compares them to with malicious behavior patterns. This approach is exceptionally powerful in identifying ransomware attacks, even from ransomware variants that are as-yet unreported.

Read More:

• Undetected PowerShell Ransomware Easily Blocked by Acronis Active Protection
• NioGuard Security Lab: Are You Protected From Next Generation Ransomware Attacks?
• Osiris Ransomware: New Addition to the Locky Family