December 02, 2016
The 1st of December marked the beginning of a new Cerber ransomware virus with several interesting changes. The ransomware again wants it’s victims to pay a hefty sum of 499$ to get back the files, which are encrypted via RSA-512 cipher in a RC4 encryption method. Cerber also goes back to it’s roots adding the old sound m ess age, and adds a red ransom note accompanied by a sound message, just like the first version of Cerber did. In case you have been infected by this variant of the ransomware virus, we advise you read the following article to familiarize yourself with the virus, remove it and try to decrypt your files.
Cerber _README_.hta December 2016 Variant – What Is New
Unlike the previous versions of Cerber which are with 3 digit versions (5.0.0, 5.0.1, 4.1.6, etc.), this version has a red wallpaper which it changes after the encryption and does not have a version, very similar to the first Cerber ransomware virus, which is also decryptable. The wallpaper it sets has the same message and leads to the very same Cerber Decryptor web page, asking 499$ but looks like the following:
This virus also uses the very same tactics the modern Cerber version use. It attacks computers via a phishing e-mail which aims to infect via an e-mail attachment, like the following example:
What is new regarding how Cerber _README_.hta spreads are that it also takes advantage of the Tor network as well as Google to spread a malicious script that infects via a corrupt svchost32.exe fake process. This redirect via the Tor network proxies means that it is with higher difficulty to identify the infection hosts associated with the Cerber _README_.hta crypto virus.
Cerber _README_.hta – Activity After Infection
After infecting the user, not a lot is changed. Cerber ransomware begins to shut down the following system processes if they are active on the compromised computer:
But the malware does not stop there. The Cerber _README_.hta version also goes through a lot of troubles to shut down significant database processes to allow it to uninterruptedly encrypt databases:
If those processes are active, they will stop the virus from encrypting the databases, and this is the main reason they are shutdown in a force mode.
Regarding the file encryption, the Cerber _README_.hta iteration is focused on attacking even wider database of file extensions. Here are the file types that surely be encrypted on your computer if you have them there and become infected by this iteration:
To encrypt those files the _README_.hta version of Cerber uses 5 blocks of code in the files which are encrypted, not the whole files. Those blocks are encrypted via the RC4 encryption method which generates a unique key the size of 256 bits. In addition to this, the ransomware also uses the cipher RSA (Rivest Shamir Adleman) algorithm with a strength of 512 bit to further increase encryption of the files. This encryption then generates a unique RSA key which may either be stored on the victim’s computer or be sent via POST traffic via port 6482 on the TCP and UDP protocols to IP addresses 15.49.2.0/27, 122.1.13.0/27, 194.165.16.0/23. So far, it has not been established whether or not the sent information is encrypted, but this is likely the case.
Similar to other versions of Cerber, this one may also change the names of the encrypted files and render them useless. The files may appear like the following and completely non-recognizable:
After the encryption process is complete, Cerber changes the wallpaper to the new one and in addition to this adds a _README_.hta type of file with 4 random digits, similar to a unique ID for this specific infection. The file may look like the following:
Both the wallpaper and the _README_.hta file have a unique web-link which is Tor-based and focused on leading the victim to the genuine Cerber web page, demanding the user to pay approximately 500 dollars and giving a deadline with a countdown timer:
Cerber _README_.hta is also very careful when it comes to encrypting folder. The ransomware goes as far as whitelisting folders which it does not encrypt to keep the operating system in a working state:
December 2016 Cerber Ransomware – Conclusion, Removal and File Restoration Tips
In case you happen to become an unfortunate victim of this iteration of Cerber ransomware, recommendations are not to focus on paying the ransom. This is not a guarantee your files will be gotten back to you, and furthermore, you support criminal entities in developing Cerber _README_.hta further as well as infecting more users. Instead, we advise following the below-mentioned instructions to remove the virus. In case you are having trouble in manually removing Cerber from your computer, advices are to do it automatically with an advanced anti-malware program which will take care of this threat for you swiftly and remove all of its objects created in various Windows folders and Windows Registry Edior as well.
After removing Cerber _README_.hta, we urge you to immediately create several copies of all the encrypted files that are important for you. Then, you can use one of those copies to try the traditional Cerber decryption instructions from this web link.
They are not for this version of Cerber and may not work, but you are welcome to attempt them and the alternative file restoration methods from step “2. Restore Files Encrypted by Cerber _README_.hta” below. They are also not 100% to succeed, but with the “Deep Scan” features of one of them, there is a chance you will restore some of your files if you haven’t reformatted your hard drive.
Manually delete Cerber _README_.hta from your computer
News Courtesy : http://sensorstechforum.com/updated-cerber-ransomware-_readme_-hta-remove-restore-encrypted-files/