Cerber ransom payment doubles

November 23, 2016

The Cerber ransomware continues to spread and generate income for its operators. We covered this ransomware family in a previous SonicALERT in August, but it has since evolved and some details of its internal operations and presentation have changed. For example, a new information page is used, and the ransom has doubled from $500 to $1000 since August. This price increase is a strong indicator of the operators' past success.

Infection Cycle:

The latest variant of this trojan uses the following icon:

The Trojan makes the following DNS requests:

  • vyohacxzoue32vvk.3sc3f8.bid
  • btc.blockr.io

The Trojan adds the following files to the filesystem:

  • %SYSTEMROOT%\README.hta (ransom information page)
  • %USERPROFILE%\Local Settings\Temp\README.hta (ransom information page)

It then encrypts various files on the filesystem and renames them to {10 random alphanumeric characters}.9d4b. It copies README.hta to every directory that contains the newly encrypted files.
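The two artifacts described above, the {10 random alphanumeric characters}.9d4b rename pattern and the README.hta copied into every directory holding encrypted files, are enough for a quick on-host triage sweep. The following script is an added example written for this alert, not code from the original page or from SonicWALL; it builds a constructed sample directory tree (hypothetical file names) and walks it, reporting files that match the rename pattern, directories that received the ransom note, and any note that appears in a directory with no encrypted files (worth a second look, since this variant drops the note next to the files it encrypted).

```python
import os
import re
import tempfile

# Rename pattern described in the alert: exactly 10 alphanumeric characters
# followed by the ".9d4b" extension used by this Cerber variant.
ENCRYPTED_NAME_RE = re.compile(r"^[A-Za-z0-9]{10}\.9d4b$")
RANSOM_NOTE = "README.hta"


def scan_tree(root):
    """Walk `root` and return (encrypted_files, note_dirs, unexplained_notes).

    All paths are returned relative to `root`.
    encrypted_files : files whose name matches the Cerber rename pattern
    note_dirs       : directories that contain a README.hta copy
    unexplained     : note_dirs that contain no encrypted files
    """
    encrypted = []
    note_dirs = set()
    enc_dirs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:
            if ENCRYPTED_NAME_RE.match(name):
                encrypted.append(os.path.join(rel_dir, name))
                enc_dirs.add(rel_dir)
            elif name.lower() == RANSOM_NOTE.lower():
                note_dirs.add(rel_dir)
    unexplained = sorted(note_dirs - enc_dirs)
    return sorted(encrypted), sorted(note_dirs), unexplained


def build_sample_tree():
    """Constructed sample of a hypothetical infected user profile.

    File names are made up for the example; only the naming pattern matters.
    """
    root = tempfile.mkdtemp(prefix="cerber_scan_")
    layout = {
        "Documents": ["a1B2c3D4e5.9d4b", "Zz9Yy8Xx7W.9d4b", "README.hta"],
        "Pictures": ["holiday.jpg", "README.hta"],   # note, but nothing encrypted
        "Downloads": ["setup.exe", "report.9d4b"],  # wrong length, not a match
        "Music": ["abcdefghij.9d4b", "README.hta"],
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


def summarize(root):
    """Return a compact triage summary for `root` as a dict."""
    enc, notes, unexplained = scan_tree(root)
    return {
        "encrypted_count": len(enc),
        "note_dir_count": len(notes),
        "unexplained_note_dirs": unexplained,
    }


if __name__ == "__main__":
    sample_root = build_sample_tree()
    enc, notes, unexplained = scan_tree(sample_root)
    print("Encrypted files:")
    for p in enc:
        print("  " + p)
    print("Directories with ransom note:", ", ".join(notes))
    print("Notes without encrypted files:", ", ".join(unexplained) or "none")
```

The regex is deliberately anchored on the exact 10-character length so that a stray file like report.9d4b is not counted; on a real host, point scan_tree at the user profile root (and remember that the alert also lists a README.hta copy under %SYSTEMROOT%, which this walk only sees if that path is under the scanned root).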

It displays the following information on the desktop background:

The links lead to a website hosted on the Tor network:

The Trojan reports its infection to a remote C&C/key server:

It checks the status of the bitcoin address the victim is told to fund, in order to verify that the ransom has been paid:

Upon inspecting the transaction activity of the bitcoin address, we can see that it is still generating income at the time of writing this alert. It has generated the equivalent of almost $21,000 for its operators so far. This is not the only bitcoin address in use; we have observed other bitcoin addresses being used to pay the ransom:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cerber.HM (Trojan)