Malware News: Cerber – Ransomware that Gloats

Last week brought us a new ransomware flavor, Cerber. Perhaps its most novel aspect is the fact that, unlike other attacks that only leave their ransom notes via text files and popup windows, Cerber also leaves a sound file and a VBScript file that lets it gloat out loud using your computer’s speakers.

The good news is that our team downloaded a copy and tested it against Lastline Enterprise in multiple deployment configurations: hosted, on-premise without inter-customer malware data sharing or the anonymous VPN option, and on-premise with those options enabled. (Thanks to Director of Sales Engineering Dan Mathews for the effort.)


Based on the list of countries for which it searches in order to decide whether to run, it’s likely that the tool originates in one of the former Soviet republics. It’s also a good example (unfortunately) of how malware is becoming more available to the masses, as it seems to be distributed on a closed Russian underground forum, and offered as Ransomware-as-a-Service (RaaS), where attackers can license the malware and pay a commission on their ransoms to the developers. And it is highly customizable: using a JSON configuration file, attackers can choose the file types they wish to encrypt, whether to encrypt only local files or those on network shares (even if the shares are not mounted), and more.

You can find a pretty detailed analysis of how it works here and here.

Note that, in each case, Lastline’s Deep Content Inspection™ scores the malware as highly malicious. There are small differences in the detected characteristics and behaviors, but the deployment method selected does not interfere with the ability to detect and protect against this new ransomware package.

Here are the scores reported:

  • Lastline Hosted – 95/100
  • Lastline On-Premise with no data sharing or AnonVPN – 93/100
  • Lastline On-Premise with data sharing and AnonVPN – 97/100

These scores represent the FIRST time that Cerber was seen by any of these deployments, with no previous signature-writer time spent identifying it manually. This is exactly why zero-day protection is needed, and why Lastline’s ability to detect malicious behaviors and bypass evasions is key.

The actual analysis summaries follow.

Lastline Hosted:

  • [Screenshot: Lastline Hosted – File Summary]
  • [Screenshot: Lastline Hosted – Detailed Behaviors Observed]

Lastline On-Prem No Data Sharing or AnonVPN:

  • [Screenshot: Lastline On-Prem No Data Sharing or AnonVPN – File Summary]
  • [Screenshot: Lastline On-Prem No Data Sharing or AnonVPN – Detailed Behaviors Observed]

Lastline On-Prem with Data Sharing and AnonVPN:

  • [Screenshot: Lastline On-Prem with Data Sharing and AnonVPN – File Summary]
  • [Screenshot: Lastline On-Prem with Data Sharing and AnonVPN – Detailed Behaviors Observed]