Cerber Version 6 Shows How Far the Ransomware Has Come
A reflection of how far Cerber has come in the threat landscape—and how far it’ll go—is Cerber Version 6. The ransomware’s latest version sports multipart arrival vectors, refashioned file encryption routines, and defense mechanisms
A little over a year after its first variants were found in the wild, Cerber (Detected by Trend Micro as RANSOM_CERBER family) now has the reputation for being the most prolific family of ransomware in the threat landscape. Since it first emerged in Russian underground marketplaces in March, 2016, Cerber has since spawned several versions whose structure, techniques, and capabilities were regularly updated by its developers—sometimes a day apart, in the case of Cerber 4.1.5. It has become so successful that the ransomware family has reportedly eclipsed other families like Locky (RANSOM_LOCKY).
Cerber set itself apart from other file-encrypting malware when its developers commoditized the malware, adopting a business model where fellow cybercriminals can buy the ransomware as a service. The developers earn through commissions—as much as 40%—for every ransom paid by the victim. Coupled with persistence, Cerber turned into a cybercriminal goldmine that reportedly earned its developers $200,000 in commissions in a month alone last year.
Being lucrative and customizable for affiliates, it’s no wonder that Cerber spawned various iterations. Our coverage of unique Cerber samples—based on feedback from Smart Protection Network™—shows enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries.
Figure 1: Top countries affected by Cerber, with U.S. the most heavily impacted
We’ve also seen how the latest versions of Cerber employed a number of methods to avoid traditional security solutions. Since its emergence in 2016, Cerber's evolution has shown how its developers constantly diversified the ransomware’s attack chain while broadening its capabilities to stay ahead of the game.
Here is a summary of Cerber’s evolution so far:
Cerber v1, v2 and v3 | Cerber v4 | Cerber v5 | Cerber SFX | Cerber v6 | |
File Type | EXE | EXE | EXE | SFX (Loader) VBS, DLL | EXE |
Exceptions (Cerber doesn't execute if it detects certain components in the system) | Language in v1 and v3* Language and antivirus (AV) for v2* | Language* | Language* | AV, VM, Sandbox (Loader*), and Language* | Language* |
Anti-AV Routine | None | None | None | None | EXE files of AV, Firewall and Antispyware products set to be blocked by Windows firewall rules* |
Anti-sandbox | None | None | None | VM and Sandbox (Loader*) | VM and Sandbox (Loader*) |
Backup Deletion | Yes (vsadmin, WMIC, BCDEdit)* | Yes (WMIC)* | Yes (WMIC)* Removed in v5.02 | Varies (some samples have backup deletion capabilities) | Varies (some samples have backup deletion capabilities) |
Exclusion List (directories and file types Cerber doesn't encrypt) | Folder and file* | Folder and file* | Folder and file*; and AV, Antispyware, and Firewall directories | Folder and file*; and AV, Antispyware, and Firewall directories | Folder and file* |
Figure 2: All versions of Cerber are known to target personal and business-related (i.e. database) files; asterisks (*) indicate they are configurable and can be customized by the affiliate/buyer
A reflection of how far Cerber has come in the threat landscape—and how far it’ll go—is Cerber Version 6, the ransomware’s latest version we’ve uncovered and monitored since early April this year. It sports multipart arrival vectors and refashioned file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.
Cerber’s Evolution in Spam Emails
All versions of Cerber are known for using spam emails as one of its arrival vectors. In Version 6, the socially engineered spam emails we’ve seen contain a zipped attachment with a malicious JavaScript (JS) file. The various JS files we analyzed have a three-pronged approach: directly download and execute its payload, create a scheduled task to run Cerber after two minutes, or run an embedded PowerShell script.
Figure 3: Infection chain of Cerber Version 6
Adding a time delay in the attack chain enables Cerber to elude traditional sandboxes, particularly those with time-out mechanisms or that wait for the final execution of the malware. Other JS files we saw ran powershell.exe (called by wscript.exe) whose parameter is a PowerShell script—the one responsible for downloading the ransomware and executing it in the system.
Figure 4: Sample Cerber 6-carrying spam email posing as a public postal service agency
Cerber’s attack chains were fairly forthright back then. In May 2016, Cerber was distributed as a Windows Script File containing an obfuscated, Cerber-toting JScript code. Along with seemingly legitimate email content, it was one of the early techniques Cerber used to evade spam filters and heuristic analysis. Barely a week after, Cerber was updated with the capability to integrate the infected system into botnets, which were employed to conduct distributed denial of service (DDoS) attacks. By July, a spam campaign was seen abusing cloud-based productivity platform Office 365 through Office documents embedded with malicious macro that downloads and helps execute the ransomware.
Exploit kits are also a key element in Cerber’s distribution. Cerber-related malvertising campaigns were observed in 2016 diverting users to Magnitude, Rig, and Neutrino—which has since gone private—exploit kits that target system or software vulnerabilities. This year, we’re seeing relatively new player Sundown exploit kit joining the fray.
More Cautious, Defensive
Cerber 6 has features that stand out. For one, it no longer has a routine for terminating processes, which we saw in earlier versions like Cerber 4, which terminates database software-related processes to ensure encryption of files. This routine can be construed as superfluous, since Cerber, along with a strong encryption capability, already hits a broad target base and file types to start with.
Cerber 6 also added another check on file extensions it’s not supposed to encrypt. This harks back to how we saw Cerber exhibiting behaviors that foreshadowed its shift to stealth-focused techniques. In February this year, certain variants (RANSOM_CERBER.F117AK) started checking if the affected system had any firewall, antivirus, and antispyware products installed, ensuring that their associated files aren’t encrypted.
Cerber 6 goes beyond identifying them and can now be configured to have Windows firewall rules added in order to block the outbound traffic of all the executable binaries of firewalls, antivirus, and antispyware products installed in the system. This can possibly restrict their detection and mitigation capabilities. This is further exacerbated by how Cerber can also circumvent static machine learning detection on top of self-awareness of analysis tools and virtualized environments that allows it to evade them (by self-destructing).
Figure 5: Cerber 6 uses Windows Management Interface to check for security products installed in the system
Figure 6: Cerber retrieving exe files of security products and creating a firewall rule to block their traffic
Cerber 6 has also eschewed the implementation of RSA and RC4 algorithms in its encryption routine in favor of Cryptographic Application Programming Interface (CryptoAPI). Another notable difference is the creation of a separate function that reads and encrypts the contents of the file. Cerber’s developers are noted to implement their own encryption; the abuse of Windows’s CryptoAPI and separation of encryption function for Cerber 6 denote constant efforts from the malware authors to streamline their operations.
Figure 7: In Cerber 6, the file is read and its contents encrypted using CryptEncrypt then written back
What does Cerber’s Future Hold?
Given the ransomware’s commercial nature, its outlook depends on the demands of its affiliates and distributors, or the need of the operators/developers to maintain Cerber’s competitiveness as a service. This is exemplified by the various changes we’ve observed in the ransomware’s structure.
While Cerber’s distribution methods remain consistent, we’ve seen newer variants delivered as self-extracting archives (SFX package) containing malicious Visual Basic Script (.VBS) and Dynamic-link library (.DLL) files that execute a rather intricate attack chain compared to other versions.
While these Cerber-carrying SFX packages aren’t prevalent in the wild right now, it’s one of the signs of things to come for Cerber. It is not far-fetched for Cerber to emulate how Locky constantly changed email file attachments in its spam campaigns by expanding arrival vectors beyond JS files and PowerShell scripts—from JScript to HTML Application (.HTA) and compressed binary files (.BIN)—and exploiting file types that aren’t usually used to deliver malware.
In fact, we’re currently seeing .HTA files being leveraged by a campaign that uses Cerber as payload. Our initial analysis indicates that the campaign, which we began monitoring by the third week of April, appears to be targeting Europe. We also found the same campaign attacking two Latin American countries. This campaign is notable for displaying Cerber’s ransom note in the local language of the infected system. It uses an .HTA file to show the online message/ransom note as well as detect the local language to be displayed.
Figure 8: Cerber’s ransom note as it appears in Brazil, written in Portuguese
Figure 9: Code strings in Cerber’s online ransom note to detect the local language
Even infection chain and target platforms are expected to broaden. An information-stealing Trojan, for instance, once capitalized on Cerber by incorporating the ransomware as a secondary payload. Exploits for a recently patched remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638) reportedly emerged to infect Windows servers with Cerber.
Indeed, Cerber’s evolution reflects the need for organizations and end users to be aware of today’s constantly evolving threats. End users risk losing money and their important personal files to ransomware; it also threatens organizations' business operations, reputation, and bottom line.
While there is no silver bullet against ransomware, keeping systems up-to-date, taking caution against unsolicited and suspicious emails, regularly backing up important files, and cultivating a culture of cybersecurity in the workplace are just some of the best practices for defending against ransomware. IT/system administrators and information security professionals can further defend their organization’s perimeter by incorporating additional layers of security against suspicious files, processes, applications, and network activity that can be exploited and leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers.
Trend Micro Ransomware Solutions
Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files, and spammed messages as well as blocking all related malicious URLs. Trend Micro™ Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs. Trend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and advanced malware. Our machine learning capabilities are tuned to account for attacks using techniques employed by ransomware like Cerber.