{"id":92237,"date":"2023-12-13T18:36:59","date_gmt":"2023-12-13T13:06:59","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=92237"},"modified":"2023-12-13T18:36:59","modified_gmt":"2023-12-13T13:06:59","slug":"cerber-ransomware-exposed-a-comprehensive-analysis-of-advanced-tactics-encryption-and-evasion","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cerber-ransomware-exposed-a-comprehensive-analysis-of-advanced-tactics-encryption-and-evasion\/","title":{"rendered":"Cerber Ransomware Exposed: A Comprehensive Analysis of Advanced Tactics, Encryption, and Evasion"},"content":{"rendered":"

Cerber is a strain of ransomware that was first identified in early 2016. It is a type of malware that encrypts a victim’s files and demands a ransom f<\/span>or the decryption key needed to unlock the files. Cerber, like many other ransomware variants, typically targets individuals and organizations<\/span> by<\/span> encrypting their files and demanding a ransom payment<\/span>,<\/span> (<\/span>usually in cryptocurrencies like Bitcoin<\/span>)<\/span>,<\/span> for the decryption key.<\/span>\u00a0<\/span><\/p>\n

Technical Analysis:<\/span><\/b>\u00a0<\/span><\/p>\n

The Cerber ransomware’s main payload is a custom-packed sample, so the code is <\/span>initially unreadable<\/span>\u00a0at first<\/span>. After unpacking the sample, we can find <\/span>the <\/span>actual payload 376165CCD556CD74658AFEA9F6F428F9. <\/span>As shown in <\/span>Fig <\/span>1<\/span>.<\/span>\u00a0<\/span><\/p>\n

\"\"
Fig.1: Unpacking of Cerber<\/em><\/figcaption><\/figure>\n

When the payload is executed, <\/span><\/span>it checks for a specific mutex.<\/span><\/span><\/span> If<\/span><\/span><\/span> any of the<\/span><\/span>se<\/span><\/span><\/span> mutex<\/span><\/span>es<\/span><\/span><\/span> are found to be present, the malware will stop its execution. This validation mechanism<\/span><\/span>,<\/span><\/span><\/span> involving mutex strings<\/span><\/span>,<\/span><\/span><\/span> is built into the <\/span><\/span>ransomware<\/span><\/span> code to prevent it from re-infecting the same machine.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"
Fig.2: Creating Mutex<\/em><\/figcaption><\/figure>\n

Further<\/span>,<\/span> it decrypts<\/span> the data using CryptoAPI<\/span>,<\/span> which contains <\/span>the <\/span>following information<\/span>:<\/span>,<\/span>\u00a0<\/span><\/p>\n

    \n
  • Blocklisted <\/span>file<\/span>s,<\/span> extension<\/span>s<\/span> and folders<\/span>\u00a0<\/span><\/li>\n
  • Excluded country based on Language ID<\/span>\u00a0<\/span><\/li>\n
  • Targeted Extensions<\/span>\u00a0<\/span><\/li>\n
  • Base64 encrypted Public RSA key and Ransom Note in HTML format<\/span>\u00a0<\/span><\/li>\n
  • Ransom Note in TXT format<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
    \"\"
    Fig.3: Decrypted Data<\/em><\/figcaption><\/figure>\n

    The <\/span><\/span><\/span>Ransomware has<\/span><\/span><\/span>\u00a0decided to exclude several countries <\/span><\/span>from <\/span><\/span><\/span>the attack (namely, <\/span><\/span>Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, <\/span><\/span>and <\/span><\/span><\/span>Uzbekistan)<\/span><\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

    \"\"
    Fig.4: Excluded Extensions, folders and country codes<\/em><\/figcaption><\/figure>\n

    Then it traverses the decrypted data and uses its value for further encryption process<\/span><\/span>es<\/span><\/span><\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

    \"\"
    Fig.5: Traversing the Data<\/em><\/figcaption><\/figure>\n

    Evasion Technique:<\/span><\/b>\u00a0<\/span><\/p>\n

    Cerber exhibits advanced capabilities by <\/span>identifying <\/span>and <\/span>configuring Windows firewall rules to obstruct outbound traffic from the executable binaries of installed firewalls, antivirus, and anti<\/span>–<\/span>spyware products. This tactic aims to impede the communication and functionality of these security tools, potentially enhancing the <\/span>ransomware’s<\/span> ability to persist on the compromised system and evade detection. This sophisticated<\/span>\u00a0<\/span>maneuver <\/span>underscores the evolving nature of Cerber, posing a significant challenge for cybersecurity measures seeking to counteract its impact.<\/span>\u00a0<\/span><\/p>\n

    \"\"
    Fig.6: Disabling AV Services<\/em><\/figcaption><\/figure>\n

    C2 connection:<\/span><\/b>\u00a0<\/span><\/p>\n

    Cerber ransomware establishes connections to port 6893 on IPs specified by CIDR in the configuration. The communication packet initiation involves a hash prefixed with the Machine GUID (MD5_KEY). The packet concludes with parameters such as PARTNER_ID, OS details, IS_X64 (indicating whether the system is 64-bit), IS_ADMIN (reflecting administrative privileges), COUNT_FILES (the count of files on the system), STOP_REASON (reason for stopping), and STATUS (status information). This communication protocol serves as a method for exchanging data with the specified IPs, illustrating the<\/span>\u00a0ransomware’s<\/span> sophisticated approach to interaction and control within the compromised system.<\/span>\u00a0<\/span><\/p>\n

    \u00a0<\/span>The communication packet starts with a hash consisting of the Machine GUID: {MD5_KEY} and ending with {PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

    \u00a0With Ip varying form ip”:[“93.107.12.0\/27″,”95.1.200.0\/27″,”87.98.176.0\/22”]<\/span>\u00a0<\/span><\/p>\n

    \"\"
    Fig.7: C2 Connection<\/em><\/figcaption><\/figure>\n

    Encryption:<\/span><\/b>\u00a0<\/span><\/p>\n

    It drops two files containing the RSA key<\/span>,<\/span> which <\/span>is <\/span>further used for the Encryption process.<\/span>\u00a0<\/span><\/p>\n

    \"\"
    Fig.8: Adding part of the Key in the Temp File<\/em><\/figcaption><\/figure>\n

     <\/p>\n

    \"\"
    Fig.9: Adding part of the Key in Temp File<\/em><\/figcaption><\/figure>\n
    \"\"
    Fig.10: Use of Crypto API<\/em><\/figcaption><\/figure>\n

    It implements <\/span>RSA and RC4 algorithms in its encryption routine and the use of CryptoAPI – <\/span>a<\/span> separate function that reads and <\/span>skips <\/span>the first 1800 bytes, encrypts the rest of the content<\/span>,<\/span> and <\/span>writes <\/span>back to <\/span>the <\/span>file<\/span>,<\/span> as <\/span>m<\/span>entioned in <\/span>F<\/span>ig. 12.<\/span>\u00a0<\/span><\/p>\n

    Following the encryption process, the ransomware appends a “.a769” extension and <\/span>renames <\/span>the file <\/span>with <\/span>a <\/span>randomly generated string with pattern [0-9a-zA-Z_-]{10}. The figure below illustrates the files that have undergone this encryption and changes in file names and <\/span>extensions.<\/span><\/p>\n

    \"\"
    Fig.11: Encrypted Files<\/em><\/figcaption><\/figure>\n
    \"\"
    Fig.12: Skipping 1800 bytes from the Header<\/em><\/figcaption><\/figure>\n

    Ransom notes:<\/span><\/b>\u00a0<\/span><\/p>\n

    It drops the ransom notes<\/span>\u00a0<\/span>in the folders <\/span>with the encrypted files, with <\/span>the <\/span>name “__R_E_A_D__T_H_I_S__.html” and TXT form. In this ransom note, the threat actors (TAs) instructs <\/span>the victims to contact them via their TOR website. Furthermore, the TAs issue a warning that if the victims fail to <\/span>contact within 30 days following the ransomware attack, the<\/span>y will<\/span>\u00a0<\/span>disclose the<\/span> victim<\/span>‘<\/span>s <\/span>confidential data on public news outlets and websites<\/span>.<\/span>\u00a0<\/span><\/p>\n

    \"\"
    Fig.13: Dropped Ransom Note in TXT Format<\/em><\/figcaption><\/figure>\n
    \"\"
    Fig.14_Dropped Ransom Note in HTML File<\/em><\/figcaption><\/figure>\n
    \"\"
    Fig.15: Changed Desktop Wallpaper<\/em><\/figcaption><\/figure>\n

    Post Encryption:<\/span><\/b>\u00a0<\/span><\/p>\n

    Following infection, the ransomware employs the ShellExecuteA() API function with specific arguments to eliminate its own file from the compromised system. Through this action, the malware orchestrates the removal of its executable, leaving behind solely the encrypted files and the accompanying ransom note. This deliberate self-deletion mechanism indicates an attempt by the ransomware to conceal its presence, complicating post-infection analysis and removal efforts while ensuring the persistence of the encrypted files and the associated ransom demand<\/span>.<\/span>\u00a0<\/span><\/p>\n

    \"\"
    Fig.16: Self-delete using Shell ExecuteA function<\/em><\/figcaption><\/figure>\n

    \"\"<\/p>\n

    Precaution of Cerber Ransomware\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

    Cerber Ransomware is a type of malware that encrypts a victim’s files and demands a ransom for the decryption key. To protect yourself and your computer systems from Cerber Ransomware,<\/span>\u00a0<\/span>or <\/span>ransomware in general, it is <\/span>important<\/span>\u00a0<\/span>to take various<\/span>\u00a0<\/span>precautions. Here are <\/span>a few <\/span>some <\/span>steps <\/span>measures <\/span>you can take to minimize your risk:<\/span>\u00a0<\/span><\/p>\n

    Regularly Backup Your Data:<\/span><\/b>\u00a0<\/span><\/p>\n

    Back up your important data regularly to an external device or a cloud service. This way, if your files are encrypted, you won’t have to pay a ransom to recover them.<\/span>\u00a0<\/span><\/p>\n

    Keep Your Software Updated:<\/span><\/b>\u00a0<\/span><\/p>\n

    Ensure that your operating system and all software, including your antivirus program, are up to date. Ransomware often takes advantage of known vulnerabilities in outdated software.<\/span>\u00a0<\/span><\/p>\n

    Use Strong, Unique Passwords:<\/span><\/b>\u00a0<\/span><\/p>\n

    Use strong and complex passwords for all your accounts and devices. Consider using a reputable password manager to generate and store strong passwords.<\/span>\u00a0<\/span><\/p>\n

    Enable Two-Factor Authentication (2FA):<\/span><\/b>\u00a0<\/span><\/p>\n

    Enable 2FA whenever possible for your online accounts. This provides an extra layer of security, making it more difficult for attackers to access your accounts.<\/span>\u00a0<\/span><\/p>\n

    Exercise Caution with Email:<\/span><\/b>\u00a0<\/span><\/p>\n

    Be wary of email attachments and links, especially <\/span>if they come <\/span>from unknown or unexpected sources. Ransomware can be delivered through phishing emails.<\/span>\u00a0<\/span><\/p>\n

    Install a Reliable Antivirus Program:<\/span><\/b>\u00a0<\/span><\/p>\n

    Install and regularly update a reputable antivirus or anti-malware software. Make sure it includes real-time scanning and ransomware protection features.<\/span>\u00a0<\/span><\/p>\n

    Use a Firewall:<\/span><\/b>\u00a0<\/span><\/p>\n

    A good firewall can help block incoming threats and reduce the likelihood of a malware infection.<\/span>\u00a0<\/span><\/p>\n

    Regularly Update and Patch:<\/span><\/b>\u00a0<\/span><\/p>\n

    Keep your system and software updated. Many ransomware attacks exploit vulnerabilities in outdated software, so patching these vulnerabilities is essential.<\/span>\u00a0<\/span><\/p>\n

    Network Security:<\/span><\/b>\u00a0<\/span><\/p>\n

    Implement network security measures, such as intrusion detection systems<\/span>,<\/span> and regularly audit network traffic for unusual activity.<\/span>\u00a0<\/span><\/p>\n

    Monitor for Suspicious Activity:<\/span><\/b>\u00a0<\/span><\/p>\n

    Keep an eye out for any unusual or suspicious activity on your computer or network, as early detection can help stop an infection from spreading.<\/span>\u00a0<\/span><\/p>\n

    Regularly Test Backups:<\/span><\/b>\u00a0<\/span><\/p>\n

    Periodically test your backups to ensure that they can be successfully restored.<\/span>\u00a0<\/span><\/p>\n

    Quick Heal Protection:<\/span><\/b>\u00a0<\/span><\/p>\n

    Ransom.Cerber.S443347<\/span><\/b>\u00a0<\/span><\/p>\n

    Ransom.Cerber.S126609<\/span><\/b>\u00a0<\/span><\/p>\n

    Ransom.Cerber.S22591<\/span><\/b>\u00a0<\/span><\/p>\n

    Ransom.Cerber.S1538045<\/span><\/b>\u00a0<\/span><\/p>\n

    Conclusion:<\/span><\/b>\u00a0<\/span><\/p>\n

    Cerber ransomware, <\/span>first <\/span>identified in 2016, represents a highly sophisticated threat with advanced evasion techniques. It<\/span> can <\/span>configure Windows firewall rules, <\/span>exclud<\/span>e<\/span> specific countries from attacks, and employ persistence on compromised systems.<\/span>\u00a0<\/span>It combines <\/span>RSA<\/span>,<\/span> and RC4 algorithms in the encryption process<\/span>,<\/span> and uses the self-deletion mechanism post-infection.<\/span>\u00a0<\/span><\/p>\n

    \u00a0MITRE ATTACK TTPs:<\/strong><\/p>\n

    \"\"<\/p>\n

    IOCs:<\/span><\/b>\u00a0<\/span>\u00a0<\/span><\/p>\n

    FE1BC60A95B2C2D77CD5D232296A7FA4<\/span>\u00a0<\/span><\/p>\n

    376165CCD556CD74658AFEA9F6F428F9<\/span>\u00a0<\/span><\/p>\n

    Authors: <\/span><\/b><\/p>\n

    Soumen Burma<\/span><\/b>\u00a0<\/span><\/b><\/p>\n

    Vaibhav Krushna Billade<\/span><\/b>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

    Cerber is a strain of ransomware that was first identified in early 2016. It is a type of malware that encrypts a victim’s files and demands a ransom for the decryption key needed to unlock the files. Cerber, like many other ransomware variants, typically targets individuals and organizations by encrypting their files and demanding a […]<\/p>\n","protected":false},"author":75,"featured_media":92239,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1660,1653,164,289,1739,1671,133,1495,910,1],"tags":[1956,431,1428,372,1249],"class_list":["post-92237","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-advisory","category-antivirus","category-cyber-crime","category-cyber-safety","category-cybersecurity","category-encryption","category-hacker","category-nransomware","category-ransomware","category-uncategorized","tag-quickheal-ransomware-cybersecurity-hacking-ransomwareprevention-threatintelligence","tag-android","tag-cerber-ransomware","tag-digital-safety","tag-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/92237"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/75"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=92237"}],"version-history":[{"count":5,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/92237\/revisions"}],"predecessor-version":[{"id":92265,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/92237\/revisions\/92265"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/92239"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=92237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=92237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=92237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}