Cerber ransomware is offered as a service to other hackers. The creators of the malware have created a user portal for it. This enables others to sign up as an affiliate and launch a ransomware attack without copying over the code and hosting it.
The Cerber strategy is called Ransomware-as-a-Service (RaaS). It relieves associate hackers from hosting the ransomware distributor, so they don’t worry about covering over connection records. In addition, the Cerber hackers take a 40 percent cut of the ransom that the associate gains by using the system.
There are many benefits for the associate when using a RaaS system, but why wouldn’t the Cerber group launch attacks with their software themselves and keep all of the ransom? The creators of Cerber decided that they didn’t want all of the workloads of seeking out marks and the trouble of trying to get access credentials.
By making their ransomware available to others, they can reap the rewards of the efforts of many other hard-working hackers. They remove the risk of those associates screwing them out of their cut by not allowing the code to leave their servers. The controllers of Cerber can log all of its activity and choose to withhold the decryption key if the associates don’t pay up.
About Cerber ransomware
Cerber ransomware first appeared in March 2016. This is quite a long time ago and makes it one of the oldest ransomware systems around. Little is known about the owners of Cerber – none of them have ever been arrested or even identified. However, the RaaS is advertised in Russian on Russian Dark Web forums, so it is reasonable to assume that the team behind Cerber is based in Russia.
Like a lot of Russian malware, Cerber won’t launch if it lands on a target in Russia or any of the former Soviet Union countries that didn’t join the EU – Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan. This is probably not out of nationalism but because the Russian authorities won’t arrest hackers as long as they don’t launch attacks within the country or its allied nations.
Cerber was very active in 2016 and 2017 and then seemed to disappear. However, you shouldn’t relax just yet because it came back again in January 2020. Cerber has been through many variants, and some earlier versions can be cracked with decryptors available for free. However, the latest version doesn’t have a simple solution.
The ransom demand for Cerber is relatively low compared to many ransomware systems. However, it is not very well organized given that so many different hackers launch Cerber attacks. This reduces the likelihood that the decryptor will be delivered to those who pay the ransom.
How does a Cerber attack start?
Cerber platform affiliates have options over how they get access to target systems. The split in specialty between the attack software and the controlling hacker means that the affiliate program is suitable for hackers with specialist skills in phishing or profiling. It is also ideal for those who are prepared to pay for lists of emails.
The main entry point for the Cerber ransomware is via an infected attachment to a phishing email. Other methods include a download disguised as a helpful program, malware disguised as media propagated through torrent systems, or direct manual transfers through stolen credentials.
Some hackers using the Cerber RaaS are very skilled con artists and will approach targets through social media and charm credentials. This is the type of operation that the creators of Cerber need but do not have the interest or time to implement themselves. This is why they are willing to make their attack software available to others.
What happens in a Cerber ransomware attack?
One good attribute of Cerber is that its attack implements as soon as the dropper has been downloaded onto a target computer. This means that it doesn’t have a stealth phase that spreads it around a network. There aren’t many attempts at lateral movement. The primary victim of an attack is the system onto which the malware is installed. So, the damage of Cerber can be quickly contained by identifying the presence of the software soon.
Cerber will encrypt files on the host computer and any network drives to which that computer is connected and shared drives. The executable for the encryption is saved on the Local App Data or App Data directory with a randomly selected name taken from the real applications installed on the device.
The Cerber ransomware will encrypt all working files, such as documents, text files, audio, video, and image files. It also encrypts database storage files. It doesn’t encrypt executables, so it will still be possible to use the computer after the attack. As Each file is encrypted, its name is changed by the addition of an extra extension. The exact extension use by Cerber ransomware has changed over time with the development of new versions. After using .cerber, .cerber2, and .cerber3, the developers settled on a string of four random characters, such as .r4t5 or .dx56.
An AES cipher encrypts files with a 256-bit key. This key is generated on the victim’s computer and protected by RSA encryption with a 2048-bit key. AES encryption is an asymmetric cipher – the encryption and decryption keys are different. You cannot derive the decryption key if you know the encryption key, so it is unnecessary to keep the encryption key secret. The encryption key is called the public key, and the decryption key is the private key.
The Cerber ransom
After completing the file encryption process, the Cerber ransomware leaves several ransom notes. One of these is in HTA and is activated to display on the screen. There is also an audio file available, which speaks to the ransom demand.
The ransom, in 2016, was 1 Bitcoin. The victim had seven days to pay, and then the ransom doubled. The ransom note instructs the victim to install a Tor browser and gives the address of a generated page specific to that attack. The victim is then able to pay through that page. A successful transaction results in the victim being sent the private key for the RSA encryption. This unlocks the AES key, which can be used to decrypt all files.
Preventing Cerber ransomware attacks
The prime targets of Cerber ransomware are endpoints – specifically desktops and laptops rather than servers. This means that your primary defenses should focus on user education and endpoint protection. The malware gets onto devices because users are tricked into installing it. Thus, warning users about infected attachments or malicious links is a worthwhile exercise.
If your business is required to comply with a data privacy standard, the opportunities for data theft that are built into a Cerber attack and the ransomware means that this malware could seriously damage your business’s economic viability. Thus, if you need to comply with PCI DSS, HIPAA, or GDPR, you should also invest in sensitive data protection systems.
Cerber will delete all shadow copies of files – these are the autosave versions. However, it doesn’t travel across a network and infect other devices. So, this means that your backup stores are relatively safe. Another systemic weakness of Cerber is that data disclosure is not part of its master strategy. This means that as long as you run an intelligent backup system, you can afford to ignore the ransom demands and just restore encrypted files from your saved copies.
Be aware that Cerber isn’t the only ransomware that you need to plan protection against. Other systems will try to get onto your servers. In addition, some ransomware will delay activation while replication modules copy the encryption software across the network. Therefore, in order to fully protect backups, you need to combine malware scanning with each backup cycle.
Here are four secure systems that you should consider installing:
CrowdStrike Falcon Insight is an endpoint detection and response system (EDR). It focuses protection on endpoints, which is the perfect strategy for defense against Cerber ransomware.
Rather than just being an antivirus system, this package adds enterprise-wide defense coordination to the device-resident protection software. This system protection is provided by a cloud-based service that collects activity reports from each endpoint agent.
The endpoint defense software is available as a standalone package, called CrowdStrike Falcon Prevent. It is the cloud service that transforms many installations of Falcon prevent into Falcon Insight.
The cloud service works as a SIEM, searching through log data uploaded from the endpoints for indicators of compromise. This is a secondary defense because the endpoint agents are more than just data collectors; they have a complete defense system built into them. This double protection strategy enables CrowdStrike Falcon to offer complete system protection, and it can also cope with zero-day attacks.
You can get a 15-day free trial of Falcon Prevent.
ManageEngine DataSecurity Plus is designed to protect sensitive data. This is essential for businesses that need to comply with data protection standards, such as GDPR, HIPAA, and PCI DSS. In addition, the service includes a file integrity monitor that will spot and block file encryption as soon as it starts. So, his is an excellent service to protect against ransomware, including Cerber.
The DataSecurity Plus system includes a data discovery service and a sensitive data classifier. It focuses defenses on sensitive data stores and logs all activities to provide an audit trail for compliance.
This is an on-premises package that installs on Windows Server. DataSecurity Plus is available for a 30-day free trial.
BitDefender GravityZone covers all aspects of malware detection and protection and also includes a backup service.
The GravityZone service watches over all parts of your system, including endpoints, which are particularly vulnerable to Cerber ransomware attacks. The bundle of security services also includes a vulnerability scanner and a linked patch manager. These modules ensure that the ports, operating systems, and software packages are free from the exploits that will help malware get onto your system.
No matter how tight your security is, you can do little to prevent users from being duped into performing actions on behalf of con artists. So, you also need to make sure that you sweep for viruses at every point of your system. This is what GravityZone does. It protects all possible entry points, such as gateways and endpoints. Crucially, it also scans files for infection before uploading them to backup servers.
Other essential elements of this security bundle are file integrity monitoring and automated responses. The software for BitDefender GravityZone runs as a virtual appliance, and it is available for a one-month free trial.
Acronis Cyber Protect includes a backup system, a vulnerability scanner, and a threat-protection system.
The backup service covers physical and virtual systems, and it can perform complete backups of servers down to the bare metal. It will manage the backup of Windows Server and Linux. Backups can be made to other devices on-premises, to cloud storage systems, or both. You can choose your cloud platform to host the backup store, and Acronis offers a cloud backup storage service as an optional extra.
The vulnerability manager identifies software weaknesses and can patch out of date OSs and software. However, you also need full virus and intrusion defenses, so the threat detection system in the Acronis bundle is essential.
This is a cloud-based system that requires an agent program to be installed on your site. Acronis offers Cyber Protect a 30-day free trial.