FortiGuard Labs Threat Research
Research: A New Christmas Decorated Cerber Ransomware Has Arrived
Introduction
A new unversioned Cerber has surfaced! It appears that the author(s) of Cerber is working hard to make more money during Christmas season. This latest version has relatively more changes as compared to the previous versions. The version number has now been removed from the desktop wallpapers of the infected machines, and this new Cerber release no longer has an apparent version number, which might make the tracking of the Cerber family more difficult than before. Another noticeable change is that the modified wallpaper now comes with a Christmas colour theme. It also appears to have improved the efficiency of searching for and encrypting files. Moreover, it extends its encryption coverage by adding more file extensions to the file extension list.
Updated Wallpaper
The version number of this new Ceber is no longer displayed on the desktop wallpaper. The text highlight is now red and the text is white, as shown in the figure below. Cerber versions 4 and 5 used to have fluorescent green text highlighted in black. The wallpaper of Cerber 5.0.1 is also shown below for comparison.
Figure-1. The New Cerber Wallpaper
Figure-2. The Cerber 5.0.1 Wallpaper
Modified Instruction Filename
Just as before, this new version of Cerber drops instruction files to notify the user that their files have been encrypted, and also tells the user how to pay for and get the decryptor. However, the name of the instruction file has been changed from “_README_.hta” (Cerber 5.0.1) to “_README_{random string}_.hta”. Appending random characters or numbers to the instruction filename would disable some simple AV detections, such as the detection of hardcoded filenames.
Figure-3. New Instruction Filename
Enhanced Multithreading Approach
This new Cerber release has further improved its multithreading approach. The new multithreading approach consists of two units: the file list generation unit and the file encryption unit. The file list generation unit searches files and adds them to a file list, which is a shared resource among all threads of both units. The file encryption unit fetches files from the file list and encrypts them.
The file list generation unit creates one file searching thread per drive. Each thread is only responsible for searching the files in its corresponding drive. If a valid file is found and certain conditions are met, the file will be added to a file list. It is important to note that all threads share and add files to the same file list if there are multiple threads.
The file encryption unit creates two threads for every processor of the infected machine. The number of processors is obtained by calling the API GetSystemInfo. Each encryption thread fetches a file from the shared file list one at a time, and then encrypts the file.
Both units run concurrently so that the file encryption unit begins to fetch files as soon as the file list generation unit adds files to the shared file list. This new multithreading approach appears to be more efficient at searching for and encrypting files as compared to its previous versions. The reason behind this is that the most time-consuming components are now run in separate threads and run in parallel. If interested, you can find more information here [1] about how the previous versions of Cerber handled multithreading. A flowchart illustrating the new file searching and encryption multithreading approach is shown below.
Figure-4. A Flowchart of the New Multithreading Approach
More Target Files
This new version of Cerber is also able to encrypt additional file types, including more document files, database files, and graphic files. It now targets Linux backup files as well. To make software developers’ lives even more miserable, it also encrypts more script file types.
|
Types |
Added Extensions |
|
Linux backup files |
.gz, .tgz, .tar |
|
Document files |
.xlc, .wks, .wk1, .123, .602 |
|
Graphic files |
.dip, .djv |
|
Database files |
frm, .myi, .onenotec2 |
|
Script files |
.vb, .vbs, .bat, .cmd |
Table-1. Added Extensions and Types
Conclusion
Many versions of the Cerber ransomware have been released since its first appearance. Despite the high frequency of updates, some previous versions had few changes as compared to their respective predecessors. However, this new unversioned Cerber release appears to have more significant changes. We expect to see more aggressive updates soon. The Advanced Research Team will continue to track this family and share our findings with readers once new things come into light.
References
[1] https://blog.fortinet.com/2016/12/02/cerber-5-0-1-arrives-with-new-multithreading-method
Sample Information
MD5: 7e799ba1a1b60c0f744a76f063bd2910
SHA256: ddaef49d0deefcdd5439ec5317f07f2a3dfafca6e51c75ce229c21870d15e00f
Fortinet AV Detection: W32/Zerber.ANUG!tr
