What Is Cerber Ransomware?

Cerber ransomware was discovered in March 2016. As a ransomware-as-a-service (RaaS), it can be deployed by non-technical attackers. Any money made from extorting ransomware victims is split between the attacker and the ransomware developer. Ransomware encrypts files with cryptographically-secure ciphers, forcing a victim to pay a ransom to get their files back unencrypted.

The initial Cerber ransomware attack typically starts with a phishing email. The email contains a zipped .DOT file. The .DOT file is password protected and contains a malicious macro used to deploy the malware onto the local machine. Another version of Cerber uses a Windows Script File (WSF) attached to a phishing email to install the malware onto the local device.

In the first .DOT version of Cerber, the .DOT file’s password is included in the phishing email. A .DOT file is a Microsoft Word template that can contain macros. When the user opens the file and enters the password, the file opens with a message to click the “Enable Content” warning message at the top of the window. By clicking this button, the user enables the malicious macro to run on their local device.

With the WSF version of Cerber, the user is encouraged to open the script file. By opening the file, the user executes the script that then downloads and installs the ransomware malware onto the local device. The phishing email also includes an “unsubscribe” link pointing to the download location for the zip file containing the WSF script.

After the user installs the malware, Cerber first scans the country location for the local device. The ransomware automatically ceases activity and terminates if the user’s device country is any of the following: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan. If the device country is not any of these countries, Cerber will install itself but does not encrypt files until the system reboots.

The initial Cerber execution runs after the user has been idle for a time and executes the Windows screensaver. It also displays false system alerts to compel the user to reboot their system. When the system reboots, Cerber forces it to first boot into Safe Mode with Networking enabled. It then forces the device to reboot again into the standard Windows service.

With the device rebooted into standard Windows, Cerber then starts the encryption process. It will encrypt 442 different file types and search for unmapped shared drives. Cerber uses cryptographically secure AES-256 (symmetric) and RSA (asymmetric) encryption ciphers. Note that newer versions of Cerber also add a botnet feature to the process, making the local device a participant in distributed denial-of-service (DDoS) attacks.

After encryption, Cerber stores three files on the local device named “DECRYPT MY FILES” to provide instructions for payment. One file includes audio to explain that the user’s files were encrypted, and payment must be made to return them. The user is given instructions to download “Tor” and use it to open the attacker’s onion site where payment can be made.

The attacker determines a ransom amount that is not too expensive to ensure they can maximise their success. The initial Cerber ransom was about $500, and payment was made in Bitcoin.

As with most ransomware, Cerber ransomware starts with a phishing email. For example, a phishing email may notify users that an invoice is attached, and they must open the file to find instructions for payment. If a WSF script is attached, it installs the Cerber ransomware. If a Microsoft .DOT file is attached, the user must first enable macros for the ransomware to download and install.

It’s also possible to install Cerber ransomware after downloading malware on a malicious website, malvertising (malicious advertisements that point to malware downloads) or executing malicious packages containing various malware. However, the primary attack vector is phishing. Since the malware is distributed as ransomware-as-a-service, the sender address is variable.

Like other ransomware, Cerber informs the victim that their files have been encrypted using alerts and notes. Cerber displays an alert on the victim’s computer as the screensaver to get their attention and then uses stored text files to provide instructions. Some versions of Cerber store an HTML file named __$$RECOVERY_README$$__.html on the drive or use a text file called “DECRYPT MY FILES” to alert victims.

Aside from wallpaper and file alerts, another sign that your device is affected is the “.locked” file extension. Instead of an Excel spreadsheet with the “.xlsx” file extension, your spreadsheet files will have the “.locked” file extension. Cerber encrypts over 400 file types, so all critical files, including personal images, will be encrypted.

Removing the Cerber ransomware files is possible, but it’s not possible to decrypt your files. Cerber uses cryptographically secure AES-256 and RSA algorithms, so the only way to decrypt files is with the keys. Since there’s no guarantee that keys will be provided after payment, experts discourage paying the ransom. However, some victims pay the ransom out of desperation.

Even if files are already encrypted, immediately removing Cerber is important to prevent any further file encryption. To remove Cerber from your system:

1. Reboot your computer and choose to start Windows in Safe Mode with Networking. This mode limits Windows functionality but still enables access to the internet.
2. Open your antivirus software and let it scan your computer. Any effective antivirus application will detect and remove Cerber from the system.

It’s impossible to decrypt files after Cerber ransomware encrypts them. The only way to decrypt data after it’s been encrypted with cryptographically-secure algorithms is by using the key. Cerber ransomware authors offer the key in exchange for the ransom payment, but experts warn that paying the ransom does not guarantee you’ll receive the key. Some victims feel that they have no choice but to pay the ransom.

The only solution to remediate a ransomware attack is to recover backup files. Individuals or organisations must keep backups of their files in a secure location. Some ransomwares (including Cerber) will encrypt backup files. To avoid encrypted backup files, use cloud storage or a removable drive inaccessible to standard users.

Because Cerber starts with a phishing email, employees and individuals must understand the signs of a malicious email. However, the primary mode in initiating the installation of Cerber ransomware is a file attachment in the phishing email. The file attachment can be a WSF script file or a Microsoft Word document with a malicious macro. Both files are in a zip archive to avoid detection from email security filters.

If the initial attack uses a Microsoft Word document, the targeted user must allow the malicious macro to run. Current versions of Microsoft Office turn off automatic execution of macros unless the user specifically turns off this feature. The security feature should not be disabled to avoid being a victim of malware installation from an Office document.

Email security solutions helps block phishing emails, but sometimes a sophisticated attack bypasses common security controls. Users should avoid opening attachments from senders they don’t know, and they should never open or execute scripts and binaries. Avoid running macros unless the document is from a verified, known sender.

Users should not click links in suspicious email messages. In some phishing campaigns, an attacker uses hacked email accounts and sends malicious messages to the hacked account’s contact list. A good way to do this is by ensuring your organisation has an effective security awareness training programme.

Ensure antivirus software runs on the device when you click links, even if it’s from a known sender. Avoid clicking links in suspicious emails or ones from unknown sources.

Always keep frequent backups of your files in case of a ransomware attack. Should any safeguards fail, backups are the only way to recover from ransomware. These backups should be stored in a safe location where ransomware cannot scan and access mapped or unmapped drives. Cloud storage, for example, is a secure backup location.

Malware requires a coding author, so most attacks require programming from someone who understands how to build ransomware. However, Cerber is sold as ransomware-as-a-service (RaaS), which provides all aspects of phishing, malware installation, and payments to people who have no coding ability. RaaS enables anyone to be an attacker, making Cerber more popular than other malware.

Cerber authors have added various additional attacks to the initial ransomware. The initial malware encrypted files like any other ransomware product, but Cerber now has a botnet feature allowing RaaS customers to use it to perform DDoS attacks. An effective DDoS requires several infected devices, and RaaS provides botnet owners a convenient way to extort money from victims.

Ransomware incidents rose in 2021 and continue to be an increasingly popular method of attack. Cerber was among the top three ransomware variants in 2021, along with Ryuk and SamSam. Researchers saw 52.5 million Cerber attacks in 2021, only topped by Ryuk’s 93.9 million instances. However, researchers warn that Cerber is quickly becoming more popular than Ryuk in 2022.

While ransomware is a global attack, Cerber does not trigger for specific countries. Even if your country is on the excluded list, you should still take precautions to avoid Cerber and other ransomwares. Recent versions of Cerber focused on Microsoft Office users, as it was built to bypass Office 365 security.

The U.S. and Europe are the two most-targeted regions. Most ransomware authors target specific regions and build ransomware to bypass malware detection and security. Cerber mainly targets individuals, evidenced by the smaller ransom amounts. Ransomware targeting organisations may ask for several thousand and even millions in ransom payments.

Without email security, you risk becoming a victim of ransomware either as an individual or an organisation. If your organisation has an at-home workforce, any user with remote access to data puts your organisation at risk of an attack due to using weaker, non-enterprise level security on a home computer.

To stop attacks, enterprise organisations can use Targeted Attack Protection (TAP) from Proofpoint. It’s an effective way to defend against phishing, malicious emails, URLs that point to attacker-controlled web applications, attachments, and other cloud-based threats. You can also see our Ransomware Hub to learn more about Cerber and other sophisticated security threats.