RANSOM_CERBER.AUSJB

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. It deletes the initially executed copy of itself.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {folder of encrypted files}\_README_.hta - ransom note
• %Desktop%\_README_.hta
• %User Temp%\tmp{random numbers}.bmp - ransom note wallpaper
• %User Temp%\{random characters}\{random characters}.tmp
• %User Temp%\_README_.hta - ransom note

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %User Temp%\{random characters}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\tmp{random numbers}.bmp

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• firefoxconfig.exe
• isqlplussvc.exe
• msftesql.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• oracle.exe
• sqbcoreservice.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• synctime.exe
• tbirdconfig.exe
• xfssvccon.exe

Other Details

This Ransomware connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.11.0/27
• {BLOCKED}.{BLOCKED}.12.0/27
• {BLOCKED}.{BLOCKED}.16.0/22

It encrypts files with the following extensions:

• .1cd
• .3dm
• .3ds
• .3fr
• .3g2
• .3gp
• .3pr
• .7z
• .7zip
• .aac
• .ab4
• .abd
• .acc
• .accdb
• .accde
• .accdr
• .accdt
• .ach
• .acr
• .act
• .adb
• .adp
• .ads
• .agdl
• .ai
• .aiff
• .ait
• .al
• .aoi
• .apj
• .apk
• .arw
• .ascx
• .asf
• .asm
• .asp
• .aspx
• .asset
• .asx
• .atb
• .avi
• .awg
• .back
• .backup
• .backupdb
• .bak
• .bank
• .bay
• .bdb
• .bgt
• .bik
• .bin
• .bkp
• .blend
• .bmp
• .bpw
• .bsa
• .c
• .cash
• .cdb
• .cdf
• .cdr
• .cdr3
• .cdr4
• .cdr5
• .cdr6
• .cdrw
• .cdx
• .ce1
• .ce2
• .cer
• .cfg
• .cfn
• .cgm
• .cib
• .class
• .cls
• .cmt
• .config
• .contact
• .cpi
• .cpp
• .cr2
• .craw
• .crt
• .crw
• .cry
• .cs
• .csh
• .csl
• .css
• .csv
• .d3dbsp
• .dac
• .das
• .dat
• .db
• .db_journal
• .db3
• .dbf
• .dbx
• .dc2
• .dcr
• .dcs
• .ddd
• .ddoc
• .ddrw
• .dds
• .def
• .der
• .des
• .design
• .dgc
• .dgn
• .dit
• .djvu
• .dng
• .doc
• .docm
• .docx
• .dot
• .dotm
• .dotx
• .drf
• .drw
• .dtd
• .dwg
• .dxb
• .dxf
• .dxg
• .edb
• .eml
• .eps
• .erbsql
• .erf
• .exf
• .fdb
• .ffd
• .fff
• .fh
• .fhd
• .fla
• .flac
• .flb
• .flf
• .flv
• .flvv
• .forge
• .fpx
• .fxg
• .gbr
• .gho
• .gif
• .gray
• .grey
• .groups
• .gry
• .h
• .hbk
• .hdd
• .hpp
• .html
• .ibank
• .ibd
• .ibz
• .idx
• .iif
• .iiq
• .incpas
• .indd
• .info
• .info_
• .iwi
• .jar
• .java
• .jnt
• .jpe
• .jpeg
• .jpg
• .js
• .json
• .k2p
• .kc2
• .kdbx
• .kdc
• .key
• .kpdx
• .kwm
• .laccdb
• .lbf
• .lck
• .ldf
• .lit
• .litemod
• .litesql
• .lock
• .ltx
• .lua
• .m
• .m2ts
• .m3u
• .m4a
• .m4p
• .m4v
• .ma
• .mab
• .mapimail
• .max
• .mbx
• .md
• .mdb
• .mdc
• .mdf
• .mef
• .mfw
• .mid
• .mkv
• .mlb
• .mmw
• .mny
• .money
• .moneywell
• .mos
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .mrw
• .msf
• .msg
• .mts
• .myd
• .nd
• .ndd
• .ndf
• .nef
• .nk2
• .nop
• .nrw
• .ns2
• .ns3
• .ns4
• .nsd
• .nsf
• .nsg
• .nsh
• .nvram
• .nwb
• .nx2
• .nxl
• .nyf
• .oab
• .obj
• .odb
• .odc
• .odf
• .odg
• .odm
• .odp
• .ods
• .odt
• .ogg
• .oil
• .omg
• .one
• .orf
• .ost
• .otg
• .oth
• .otp
• .ots
• .ott
• .p12
• .p7b
• .p7c
• .pab
• .pages
• .pas
• .pat
• .pbf
• .pcd
• .pct
• .pdb
• .pdd
• .pdf
• .pef
• .pfx
• .php
• .pif
• .pl
• .plc
• .plus_muhd
• .pm
• .pm!
• .pmi
• .pmj
• .pml
• .pmm
• .pmo
• .pmr
• .pnc
• .pnd
• .png
• .pnx
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptx
• .prf
• .private
• .ps
• .psafe3
• .psd
• .pspimage
• .pst
• .ptx
• .pub
• .pwm
• .py
• .qba
• .qbb
• .qbm
• .qbr
• .qbw
• .qbx
• .qby
• .qcow
• .qcow2
• .qed
• .qtb
• .r3d
• .raf
• .rar
• .rat
• .raw
• .rdb
• .re4
• .rm
• .rtf
• .rvt
• .rw2
• .rwl
• .rwz
• .s3db
• .safe
• .sas7bdat
• .sav
• .save
• .say
• .sd0
• .sda
• .sdb
• .sdf
• .secret
• .sh
• .sldm
• .sldx
• .slm
• .sql
• .sqlite
• .sqlite3
• .sqlitedb
• .sqlite-shm
• .sqlite-wal
• .sr2
• .srb
• .srf
• .srs
• .srt
• .srw
• .st4
• .st5
• .st6
• .st7
• .st8
• .stc
• .std
• .sti
• .stl
• .stm
• .stw
• .stx
• .svg
• .swf
• .sxc
• .sxd
• .sxg
• .sxi
• .sxm
• .sxw
• .tax
• .tbb
• .tbk
• .tbn
• .tex
• .tga
• .thm
• .tif
• .tiff
• .tlg
• .tlx
• .txt
• .upk
• .usr
• .vbox
• .vdi
• .vhd
• .vhdx
• .vmdk
• .vmsd
• .vmx
• .vmxf
• .vob
• .vpd
• .vsd
• .wab
• .wad
• .wallet
• .war
• .wav
• .wb2
• .wma
• .wmf
• .wmv
• .wpd
• .wps
• .x11
• .x3f
• .xis
• .xla
• .xlam
• .xlk
• .xlm
• .xlr
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .xps
• .xxx
• .ycbcra
• .yuv
• .zip

It renames encrypted files using the following names:

• {10 Random Characters}.{4 Random Characters}

It does the following:

• It terminates itself if found running in any of the following countries:
  • Armenia
  • Azerbaijan
  • Belarus
  • Georgia
  • Kazakhstan
  • Kyrgyzstan
  • Moldova
  • Russia
  • Tajikistan
  • Turkmenistan
  • Ukraine
  • Uzbekistan
• It avoids encrypting files in the following paths:
  • {drive letter}:\$recycle.bin
  • {drive letter}:\$windows.~bt
  • {drive letter}:\boot
  • {drive letter}:\documents and settings\all users
  • {drive letter}:\documents and settings\default user
  • {drive letter}:\documents and settings\localservice
  • {drive letter}:\documents and settings\networkservice
  • {drive letter}:\program files
  • {drive letter}:\program files (x86)
  • {drive letter}:\programdata
  • {drive letter}:\recovery
  • {drive letter}:\recycler
  • {drive letter}:\users\all users
  • {drive letter}:\windows
  • {drive letter}:\windows.old
  • \appdata\local
  • \appdata\locallow
  • \appdata\roaming\adobe\flash player
  • \appData\roaming\apple computer\safari
  • \appdata\roaming\ati
  • \appdata\roaming\intel
  • \appdata\roaming\intel corporation
  • \appdata\roaming\google
  • \appdata\roaming\macromedia\flash player
  • \appdata\roaming\mozilla
  • \appdata\roaming\nvidia
  • \appdata\roaming\opera
  • \appdata\roaming\opera software
  • \appdata\roaming\microsoft\internet explorer
  • \appdata\roaming\microsoft\windows
  • \application data\microsoft
  • \local settings
  • \public\music\sample music
  • \public\pictures\sample pictures
  • \public\videos\sample videos
  • \tor browser
• It avoids encrypting the following files:
  • bootsect.bak
  • iconcache.db
  • ntuser.dat
  • thumbs.db
• It speaks the following text using text-to-speech application:
  • Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!
• It is configured to target related files under the following folders:
  • {drive letter}:\documents and settings\all users\documents\
  • \appdata\roaming\microsoft\office\
  • \excel\
  • \microsoft sql server\
  • \onenote\
  • \outlook\
  • \powerpoint\
  • \steam\
  • \the bat!\
  • \thunderbird\
• It deletes all shadow copies by executing the following in the command prompt:
  %System%\wbem\WMIC.exe shadowcopy delete

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It deletes the initially executed copy of itself

NOTES:

This ransomware changes the wallpaper to the following image:

It displays the ransom note with the following content: