Select Page

A New Christmas Decorated Cerber Ransomware Has Arrived

Posted by | Dec 15, 2016 |

A New Christmas Decorated Cerber Ransomware Has Arrived

Introduction

A new unversioned Cerber has surfaced! It appears that the author(s) of Cerber is working hard to make more money during Christmas season. This latest version has relatively more changes as compared to the previous versions. The version number has now been removed from the desktop wallpapers of the infected machines, and this new Cerber release no longer has an apparent version number, which might make the tracking of the Cerber family more difficult than before. Another noticeable change is that the modified wallpaper now comes with a Christmas colour theme. It also appears to have improved the efficiency of searching for and encrypting files. Moreover, it extends its encryption coverage by adding more file extensions to the file extension list.

Updated Wallpaper

The version number of this new Ceber is no longer displayed on the desktop wallpaper. The text highlight is now red and the text is white, as shown in the figure below. Cerber versions 4 and 5 used to have fluorescent green text highlighted in black. The wallpaper of Cerber 5.0.1 is also shown below for comparison.

Modified Instruction Filename

Just as before, this new version of Cerber drops instruction files to notify the user that their files have been encrypted, and also tells the user how to pay for and get the decryptor. However, the name of the instruction file has been changed from “_README_.hta” (Cerber 5.0.1) to “_README_{random string}_.hta”. Appending random characters or numbers to the instruction filename would disable some simple AV detections, such as the detection of hardcoded filenames.

Enhanced Multithreading Approach

This new Cerber release has further improved its multithreading approach. The new multithreading approach consists of two units: the file list generation unit and the file encryption unit. The file list generation unit searches files and adds them to a file list, which is a shared resource among all threads of both units. The file encryption unit fetches files from the file list and encrypts them.

The file list generation unit creates one file searching thread per drive. Each thread is only responsible for searching the files in its corresponding drive. If a valid file is found and certain conditions are met, the file will be added to a file list. It is important to note that all threads share and add files to the same file list if there are multiple threads.

The file encryption unit creates two threads for every processor of the infected machine. The number of processors is obtained by calling the API GetSystemInfo. Each encryption thread fetches a file from the shared file list one at a time, and then encrypts the file.

Both units run concurrently so that the file encryption unit begins to fetch files as soon as the file list generation unit adds files to the shared file list. This new multithreading approach appears to be more efficient at searching for and encrypting files as compared to its previous versions. The reason behind this is that the most time-consuming components are now run in separate threads and run in parallel. If interested, you can find more information here [1] about how the previous versions of Cerber handled multithreading. A flowchart illustrating the new file searching and encryption multithreading approach is shown below.

More Target Files

This new version of Cerber is also able to encrypt additional file types, including more document files, database files, and graphic files. It now targets Linux backup files as well. To make software developers’ lives even more miserable, it also encrypts more script file types.

Types Added Extensions
Linux backup files .gz, .tgz, .tar
Document files .xlc, .wks, .wk1, .123, .602
Graphic files .dip, .djv
Database files frm, .myi, .onenotec2
Script files .vb, .vbs, .bat, .cmd
Conclusion

Many versions of the Cerber ransomware have been released since its first appearance. Despite the high frequency of updates, some previous versions had few changes as compared to their respective predecessors. However, this new unversioned Cerber release appears to have more significant changes. We expect to see more aggressive updates soon. Fortinet’s Advanced Research Team will continue to track this family and share our findings with readers once new things come into light.

About The Author

Mohamed Ghamdi

Related Posts

Huawei unveils HUAWEI WiFi AX3: The new router with Gigahome Quad-core and Wi-Fi 6 Plus

Huawei unveils HUAWEI WiFi AX3: The new router with Gigahome Quad-core and Wi-Fi 6 Plus

July 23, 2020

<strong>38% of industrial computers in the Middle East, Turkey & Africa were targeted in 2022</strong>

38% of industrial computers in the Middle East, Turkey & Africa were targeted in 2022

November 21, 2022

Kaspersky launches specialized solution for Linux-based embedded devices 

Kaspersky launches specialized solution for Linux-based embedded devices 

August 29, 2023

AI in Cyber Security: From Hype to Reality

AI in Cyber Security: From Hype to Reality

July 26, 2018

Categories

WP Twitter Auto Publish Powered By : XYZScripts.com