Cerber Ransomware Still Stays at the Top


Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!


Cerber 6 Ransomware is on its way to your computer! The newest update of this dangerous virus is released recently! As a member the top dangerous threats in 2016, it is not so easy to get rid of! And now it is coming back with new technology! Do you encounter it right now? Are you ready to get away from it?

What is Cerber Ransomware?


For most computer users, cerber ransomware is not a new virus. The year of 2016 is a year of Cerber. It is a hot issue that whether cerber has taken down locky and has won the name of the most dangerous cerber threat of the year. Just lately, the newest cerber 6 is found. Since the newest update of cerber 6, this series of Ransomware has become a new issue again. As more and more related information is discussed, there is a end finally. Undoubtedly, cerber reansomware wins the title in the end which makes it besome the most dangerous file-encrypting threat of 2016. It must thank for the help of its insidious distribution techniques and ability to encrypt files. Cerber kicked off 2017 with a huge 70 percent market share and approached 90 percent toward the end of the quarter.



Cerber Ransomware is a dangerous virus. The name “cerber” indicates a horrible and mythical creature which will terrify all victims once it has infected a computer system. With the threat of such virus, victims will face the troubles of taking risks of losing person files. If the requirement of hackers is not met in the end, the computer will be continually attack. The encryption used by this virus is AES cryptographic standard and it is able to block the most important files on computer system. Recently, such virus tempts to encrypting popular data formats on the target computer’s hard drive, network shares and removable media. Apart from this, it blocks different files on different computers with different keys to distinguish identification. Besides, data entries are encrypted by four hexadecimal characters. All suffix is unique which means that no suffix is repetitive and each of them matches a computer-specific MachineGuid registry value. Therefore, the sample document will turn into a gibberish string like LQpHq5aNrJ.3f81. Victims ca not open any of them without unblocking.




According to the research from Trend Micro, it shows that what makes Cerber ransomware so fluid is so complicated. Trend Micro’s Smart Protection Network shows that the US takes the brunt of infections, but Japan accounts for 4.63%; Australia for 2.53%; and China for 1.1%. Once it is installed, the first thing it does is to locate your country. As long as your country matches its hard-blacklist mostly composed of Eastern European states, it will not take any action anymore.




But, if it finds that your country is out of this list, it will target system via affecting system codes. After that, a notification will be displayed on screen, if you choose to close it, your computer will suddenly restarts. The system restart will help it finish encrypting files with AES and RSA encryption tools. Once files are blocked by this threat, it starts extorting payment. Usually, it requires victims to pay a ransom of 1.24 bitcoins or ~500 USD to get their files back. So far, no effective tool is developed to decrypt these blocked files. What is more, it is also difficult to find out the way of distribution of this threat. However, according to SenseCy, this Ransomware is offered on a closed underground Russian forum, as a service. This fact suggests that it may be a new virus as a Service, or RaaS, where affiliates can join in order to distribute the ransomware, while the Cerber developers earn 40% commission from each ransom payment.


The Encryption Process of Cerber Ransomware


As the virus is activated on computer system, it begins analyzing your computer location. If you are located in any one of these countries, then you should not worry about this virus.


Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan


Once any computer is found to be located in above countries, the Ransomware on computer system will automatically terminate its process and does not encrypt your files.


If you are attacked by early version of cerber virus, you will find that this virus is installed in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ folder and name itself after a random Windows executable. To be exact, it can name itself as autochk.exe or other similar letters. Later, it starts configuring Windows to automatically boot into Safe Mode with Networking on the next reboot using the following command:


C:\Windows\System32\bcdedit.exe” /set {current} safeboot network


Before, this virus configures its process to start once you log in compute and then executes as a screensaver once your computer is idle after a long time no-operation. Furthermore, it can set a task to execute process every time it wants to load. Under this situation, it is able to display notification on screen and automatically starts performing a system restart.


cerber-ransomware-shuts-down-computer         cerber-ransomware-shut-down


To encrypt files, the old version of this virus will stop the following processes so that it can easily block important files.





























Unfortunately, as it is updated again and again, it will not create any process to restart computer automatically or clean its process afterwards leaving no executables behind. The creator modifies the process to make it to potential buyers that creator is said to morph this virus every 15 seconds. Hasherazade’s analysis discovered that JSON configuration file is utilized by this Ransomware for setting. Through analyzing this file, users can know more details about it, such as the files types it encrypts, the countries it avoids, the files to unblock and other important information. The old version uses AES-256 encryption to encrypt files when it finds matching data. Before encrypting, it scans your drive letters in order to find out which file matches extensions. The blocked files will be named after.CERBER extension. But now, the new cerber virus uses 4 digit extensions which can appear randomly.



The new targeted file extensions




When looking for files to encrypt, Cerber may avoid files like:





:\documents and settings\all users\

:\documents and settings\default user\

:\documents and settings\localservice\

:\documents and settings\networkservice\

:\program files\

:\program files (x86)\




:\users\all users\





\appdata\roaming\adobe\flash player\

\appData\roaming\apple computer\safari\



\appdata\roaming\intel corporation\


\appdata\roaming\macromedia\flash player\




\appdata\roaming\opera software\

\appdata\roaming\microsoft\internet explorer\


\application data\microsoft\

\local settings\

\public\music\sample music\

\public\pictures\sample pictures\

\public\videos\sample videos\

\tor browser\


If the network setting of your computer is set to 1 in the configuration file, it will be searched by this virus and encrypted all accessible shared networks.




Finally, three new notes files will be created on infected folders. They are  # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs.



The cerber 6 will leave a Readme.hta which opens a window instead.





Files associated with Cerber Ransomware

HKCU\Control Panel\Desktop\SCRNSAVE.EXE         “%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe”

HKCU\Software\Microsoft\Command Processor\AutoRun    “%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe”

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run         “%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe”

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]    “%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe”

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\[random]    “%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe”

Registry entries associated with Cerber Ransomware




Why Cerber Ransomware still stays at the top? The malicious behavior of ransomware has been detected all the time as it is so activated. This kind of virus continues being one of the most prevalent Ransomware families for a long time since it was developed. It controls almost 26% market.


So far, there is no associated decryptor is developed to decrypt files blocked by Cerber Ransomware. The only way to try is to remove Cerber Ransomware by malware removal tools files. Then restore system to previously version which is not infected. However, you should back up files first. Once system is restored, use files recovery tool to get back your personal files.




Share on FacebookShare on Google+Digg thisPin on PinterestShare on LinkedInShare on TumblrShare on RedditShare on StumbleUpon