Ransom.Win32.CERBER.THKOHBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware Path}\{Log Filename} → If the parameter -log {Log Filename} is used
• {Log Path}\{Log Filename} → If the parameter -log {Log Path}\{Log Filename} is used
  

It adds the following processes:

• %System%\cmd.exe /c del {Malware Path}\{Malware Filename} >> NUL
  
  • Deletes itself after completing its encryption routine.
• cmd.exe /c %System%\wbem\WMIC.exe shadowcopy where "ID='{Shadowcopy ID}'" delete
  
  • Deletes shadow copy based on its ID.

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• hsfjuukjzloqu28oajh727190

Other Details

This Ransomware does the following:

• By default, it encrypts local files and network shared files.
• When encrypting network shares it will check if the IP address starts with the following to ensure that it is encrypting local, non-internet, systems:
  
  • 172.
  • 192.168.
  • 10.
  • 169.

It accepts the following parameters:

• -p {Path} → Encrypts files in the specified path including subfolders.
• -b | -b {any string} → Default behavior.
• -m {all | local | net | backups}
  • local → Encrypts only files in local drives.
  • net → Encrypts only files in network shares.
  • all → Encrypts files in both local drive and network shares (Default behavior).
  • backups → Deletes shadow copies only.
• -size {chunk mode} → Chunk mode for encrypting large files.
• -nomutex → Skips creating a mutex.
• -log {Filename to create} → Creates a log file in {Malware Path} unless a different file path is specified.

It uses Windows Management Instrumentation (WMI) to do the following:

• SELECT * FROM Win32_ShadowCopy
  
  • Used to query the list of shadow copies in the system.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• read-me3.txt
• C3RB3R_LOG.txt

It avoids encrypting files found in the following folders:

• .
• ..
• tmp
• winnt
• temp
• thumb
• $Recycle.Bin
• $RECYCLE.BIN
• System Volume Information
• Boot
• Windows
• Trend Micro
• perflogs

It appends the following extension to the file name of the encrypted files:

• .LOCK3D

It drops the following file(s) as ransom note:

• read-me3.txt → Dropped in every directory that is not on the exclusion list.
  

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .lnk
• .sys
• .msi
• .bat
• .LOCK3D

• Full Encryption:
• Files with size lower than 1.04 MB
• Database files with the following file extensions:
• .4dd
• .4dl
• .abcddb
• .abs
• .abx
• .accdb
• .accdc
• .accde
• .accdr
• .accdt
• .accdw
• .accft
• .adb
• .ade
• .adf
• .adn
• .adp
• .alf
• .arc
• .ask
• .bdf
• .btr
• .cat
• .cdb
• .ckp
• .cma
• .cpd
• .dacpac
• .dad
• .dadiagram
• .daschema
• .db-shm
• .db-wal
• .db2
• .db3
• .db
• .dbc
• .dbf
• .dbs
• .dbt
• .dbv
• .dbx
• .dcb
• .dct
• .dcx
• .ddl
• .dlis
• .dp1
• .dqy
• .dsk
• .dsn
• .dtsx
• .dxl
• .eco
• .ecx
• .edb
• .epim
• .exb
• .fcd
• .fdb
• .fic
• .fm5
• .fmp12
• .fmp
• .fmpsl
• .fol
• .fp3
• .fp4
• .fp5
• .fp7
• .fpt
• .frm
• .gdb
• .grdb
• .gwi
• .hdb
• .his
• .hjt
• .ib
• .icg
• .icr
• .idb
• .ihx
• .itdb
• .itw
• .jet
• .jtx
• .kdb
• .kdb
• .kexi
• .kexic
• .kexis
• .lgc
• .lut
• .lwx
• .maf
• .maq
• .mar
• .mas
• .mav
• .maw
• .mdb
• .mdf
• .mdn
• .mdt
• .mpd
• .mrg
• .mud
• .mwb
• .myd
• .ndf
• .nnt
• .nrmlib
• .ns2
• .ns3
• .ns4
• .nsf
• .nv2
• .nv
• .nwdb
• .nyf
• .odb
• .oqy
• .ora
• .orx
• .owc
• .p96
• .p97
• .pan
• .pdb
• .pdm
• .pnz
• .qry
• .qvd
• .rbf
• .rctd
• .rod
• .rodx
• .rpd
• .rsd
• .sas7bdat
• .sbf
• .scx
• .sdb
• .sdc
• .sdf
• .sis
• .spq
• .sql
• .sqlite3
• .sqlite
• .sqlitedb
• .te
• .temx
• .tmd
• .tps
• .trc
• .trm
• .udb
• .udl
• .usr
• .v12
• .vis
• .vpd
• .vvv
• .wdb
• .wmdb
• .wrk
• .xdb
• .xld
• .xmlff
• Header Encryption:
• Files with size between 1.04 MB and 5.24 MB
• Partial Encryption:
• Files with size greater than 5.24 MB
• Virtual machine, virtual disk/disc files with the following file extensions:
• .avdx
• .avhd
• .bin
• .iso
• .nvram
• .pvm
• .qcow2
• .raw
• .subvol
• .vdi
• .vhd
• .vhdx
• .vmcx
• .vmdk
• .vmem
• .vmrs
• .vmsd
• .vmsn
• .vmx
• .vsv