MassiveAttack: Cerber Ransomware…

With Cerber, unskilled actors lacking the required technical knowledge can easily connect with developers in various closed forums. For a small payment, the would-be attackers obtain an undetected ransomware variant.

Then, they easily manage their active campaigns with a basic web interface.
Cerber affiliates currently run 161 active campaigns, infecting nearly 150,000 victims, with a total estimated profit of $195,000 in July 2016 alone.

Each campaign runs separately, using a different distribution method and a unique packer. The most notable campaign primarily targets users by means of the Magnitude Exploit Kit.

Cerber’s ecosystem came to light thanks to an advertisement published by a threat actor named ‘crbr’ in February 2016, offering potential actors the opportunity to join the Cerber affiliates program. The ad was last edited in June 2016, indicating the ransomware is still available for purchase and that the information is up-to-date.

The ad includes an extensive and accurate explanation about the malware itself, the landing pages, the partnership program through which the malware is sold, and the estimated profit.

‘crbr’ offers the Cerber ransomware through a private affiliate program; the actor recruits attackers willing to distribute the ransomware to a large number of machines. In return, the participating affiliate receives part of the profit. In the ad’s example, the participating affiliate earns 60% of the profits with an additional 5% for recruiting a new member to the program. The rest of the money goes to the developer.

According to ‘crbr’, a unique Bitcoin address is generated for each victim. The affiliate can adjust the initial ransom demand, which doubles after five days if not paid in full. Upon payment, the victim can download a unique decryption tool for his machine. ‘crbr’ also mentions that a polite and friendly online support service exists, with a ticketing system embedded in the affiliate panel.

The developer provides these statistics regarding the estimated profit:

An average of 3% of victims purchase the decoder. The percentage varies based on the target country and the distribution method
(the percentage among users infected via spam emails is higher).

The average payment is $500; the would-be attacker may change the ransom demand. Generally, the ransom can be demanded in the form of twice-monthly payments, or as a lump sum payment.

The top countries for purchasing the decoder are Australia, Canada, Great Britain, the United States, Germany, France, Italy, and India.

Cerber does not require a Command & Control connection to encrypt victim machines. However, it reports to a dedicated server to monitor the performance and efficiency of the malware by gathering statistics of current infections, payment procedures, and actual profit.

To avoid detection of the server, Cerber is designed to broadcast each message to a wide IP range over UDP, a protocol which doesn’t require any response from the server.

Though proven as a method to hide the real server location, this tactic has a significant consequence. As the data is sent to a large number of addresses, it is easily traced and monitored by every server in that range.
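The one-way UDP reporting described above is just as visible from the victim's own network. The following detection sketch is an added example, not code from the original report; the flow-record layout, the threshold, the addresses and the port are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def find_udp_sweeps(flows, min_targets=64, prefix=24):
    """Flag sources sending unanswered UDP to many addresses in one network.

    flows: iterable of (src_ip, dst_ip, dst_port, proto, reply_seen).
    Returns {(src_ip, dst_port, network): distinct_destination_count}.
    """
    targets = defaultdict(set)
    for src, dst, port, proto, reply_seen in flows:
        if proto != "udp" or reply_seen:
            continue  # only one-way UDP matches the behaviour described
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        targets[(src, port, str(net))].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

def build_sample_flows():
    """Constructed flow records; addresses are private/documentation ranges."""
    flows = [("10.0.0.5", "10.0.0.1", 53, "udp", True)] * 20       # answered DNS
    flows += [("10.0.0.7", f"192.0.2.{i}", 123, "udp", False) for i in (1, 2, 3)]
    for host in ipaddress.ip_network("198.51.100.0/24").hosts():   # one-way sweep
        flows.append(("10.0.0.9", str(host), 40000, "udp", False))
    return flows

if __name__ == "__main__":
    for (src, port, net), count in find_udp_sweeps(build_sample_flows()).items():
        print(f"{src} -> {net} udp/{port}: {count} destinations, no replies")
```

Only the host that swept the whole range is reported; the answered DNS traffic and the three unanswered datagrams from the second host stay below the threshold.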

Most Cerber victims are individual users…..

Because Cerber is a ransomware-as-a-service rather than a single-attacker operation, its diversity of distributors allows it to spread in numerous ways. Each participating affiliate can use a different attack pattern.

The final payload, the code responsible for encrypting victims’ files and reporting statistics to the C&C, is the only common denominator.

Additionally, each payload arrives with a hardcoded configuration including the affiliate ID and an IP range for reporting malware infection statistics, as well as other adaptable settings.

Although different affiliates apply different techniques and tactics, two common scenarios lead to a Cerber infection:

The victim unknowingly executes malicious code disguised as a legitimate file (most commonly delivered via email).
The victim visits a legitimate website that was compromised either directly or by a third party service. Such compromised websites typically lead to exploit kits: an exploit is silently delivered to the victim’s machine, eventually serving Cerber ransomware without any user interaction.

At some point, almost every widespread malware is distributed by one of the major exploit kits.
The most prominent strains are continuously delivered through a single exploit kit, while others have lower-scale distribution through a second exploit kit.
However, all of today’s major exploit kits (Magnitude, Neutrino, and RIG) deliver Cerber, and have done so since its very beginning.
41% of the overall Cerber infections are executed by affiliates who use exploit kits as part of an exploit-as-a-service.

The affiliates who rely on the Magnitude, Neutrino, and RIG exploit kits for malware distribution also rank in the top ten list in terms of unique IP addresses reporting infections. When delivered by different exploit kits, samples of Cerber ransomware differ by their configured affiliate ID and preferences – providing us with a continuous trail between these affiliates and their exploit kits…..

A typical campaign has been active since at least late May, launching a number of attacks themed as job applications, where the attached CV file is actually a downloader used to pull Cerber from a hardcoded URL.

The emails carrying the ransomware are written in the targeted country’s language, and a significant effort was made to disguise them as legitimate.

The attachment names even contain the sender’s name, presenting a credible look and feel, encouraging the user to open the malicious attachment.
Many of the observed messages include a second attachment: an actual photo of the alleged ‘applicant’ for added credibility, possibly provoking more interest from the potential victim.

A downloader is attached to each email, either as a document or as an archived Windows script. Sometimes two files are attached, but in most cases those files are identical. Although different obfuscations are applied to different downloaders, all downloaders contact the same domains to pull and execute the final Cerber payload.

The downloader drops a VBS script which in turn downloads a JPG file. The JPG contains an image, but it also contains the final
Cerber payload as a stub encoded with a 1-byte XOR-key. Once downloaded, the stub is decoded and the payload is executed by the script.
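A 1-byte XOR key leaves only 256 possibilities, so a mail or web gateway can check every downloaded image for a hidden executable. The scanner below is an added example, not code from the original report; it assumes the hidden payload is a Windows PE carrying the standard DOS stub message, and the sample input is constructed and inert (a header only, no code).

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode"  # present in most PE files

def xor_table(key):
    # Translation table that applies a 1-byte XOR to every byte value.
    return bytes(b ^ key for b in range(256))

def find_xored_pe(blob):
    """Return (key, offset) of a single-byte-XOR-encoded PE inside blob, else None."""
    for key in range(256):  # key 0 covers an unencoded PE
        table = xor_table(key)
        pos = blob.find(DOS_STUB.translate(table))
        if pos == -1:
            continue
        # The DOS stub text sits shortly after the "MZ" header; look back for it.
        start = blob.rfind(b"MZ".translate(table), max(0, pos - 512), pos)
        if start == -1:
            continue
        decoded = blob[start:].translate(table)
        if len(decoded) < 0x40:
            continue
        (e_lfanew,) = struct.unpack_from("<I", decoded, 0x3C)
        if decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":  # confirm PE signature
            return key, start
    return None

def build_sample(key=0x5A):
    """Constructed test input: JPEG-like bytes followed by an encoded PE header."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\x00\x00"
    image = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + b"\xff\xd9"
    return image + bytes(hdr).translate(xor_table(key)), image

if __name__ == "__main__":
    blob, image = build_sample()
    print(find_xored_pe(blob))   # key and offset of the hidden header
    print(find_xored_pe(image))  # clean image
```

The search does not depend on where in the file the stub is stored, since the page does not say; it only requires that the encoded header is contiguous.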

Cerber ransomware generates a unique Bitcoin wallet to receive funds from each victim. The generated wallet appears in the
landing page shown to the victim, represented by an encoded string in the URL.

The average ransom payment is 1 BTC, currently worth approximately $590…

Cerber uses a Bitcoin mixing service as part of its money flow to remain untraceable.
Bitcoin use allows users to maintain their anonymity when making purchases and performing other business transactions.

The money flow utilizes a Bitcoin mixing service. A mixing service allows the ransomware author to transfer Bitcoin and receive the same amount back to a wallet that cannot be associated with the original owner.

A new version of Cerber, dubbed “Cerber 2”, was released on July 29…. via

