Possibly to maximize the earning potential of Cerber’s developers and their affiliates, the ransomware incorporated a routine with heavier impact on businesses: encrypting database files. These repositories of organized data enable businesses to store, retrieve, sort, analyze, and manage pertinent information. When used effectively they help maintain the organization’s efficiency, so holding these mission-critical files hostage can adversely affect the business’s operations and bottom line.
A known ransomware peddled as a turnkey service to budding cybercriminals, Cerber has metamorphosed into a myriad of versions throughout its lifecycle. It picked up more tricks along the way, some of which include integrating a DDoS component, using double-zipped Windows Script Files, and leveraging a cloud productivity platform, even serving as secondary payload for an information-stealing Trojan.
The ransomware’s constant updates also reflect how active its developers are, and how its distributors see it as a lucrative business. An earlier version was updated to 4.1.5 within a day, for instance. Cerber’s developers, who rake in 40% in commissions from affiliates, earned almost $200,000 in July this year alone.
Encryption of database files is not unique to Cerber. The first half of 2016 saw the emergence of families such as crypJOKER (RANSOM_CRYPJOKER.A), SURPRISE (RANSOM_SURPRISE.A), PowerWare (RANSOM_POWERWARE.A), and Emper (Ransom_EMPER.A) that included database-related extensions to their list of files to encrypt. Some of these include files from dBASE (.dbf), Microsoft Access (.accdb), Ability Database (.mdb) and OpenOffice (.odb). Given how crucial database files are for enterprises, adding them to Cerber’s list of file types to encrypt can be seen as its developers’ way to make ransom payment more urgent and expedient for the victims.
Cerber 4.1.0, 4.1.4, and 4.1.5, like its other variants (Ransom_CERBER.CAD, Ransom_CERBER.A), are coded to steer clear of devices and systems configured in certain languages. It uses the GetKeyboardLayoutList API to retrieve the installed keyboard languages, and terminates itself if it detects any of these: Russian, Ukrainian, Belarusian, Tajik, Armenian, Azeri Latin, Georgian, Kazakh, Kyrgyz Cyrillic, Turkmen, Uzbek Latin, Tatar, Romanian Moldova, Russian Moldova, Azeri Cyrillic, and Uzbek Cyrillic. Our monitoring bears out this behavior: from March to mid-November this year, most Cerber detections were observed in the U.S., Taiwan, Germany, Japan, Australia, China, France, Italy, Canada, and South Korea.
The infection vector for one of the latest samples we analyzed is spam email that spoofs an online payment service provider, exploiting user trust with notifications of exceeded credit line. Recipients of the spam email are then prodded to authenticate their accounts.
Database File Encryption
Aside from encrypting files on fixed and removable drives, Cerber also encrypts files on shared network folders. Interestingly, Cerber also targets files stored on RAM disks, which are portions of system memory configured to act as a storage drive.
Delving into how Cerber encrypts database-related files, we found that this specific routine was already present in versions as early as 4.0, which we’ve seen delivered by the Pseudo-Darkleech campaign. Cerber also keeps a list of file paths to skip during encryption—including Microsoft SQL Server and email clients. If the database server is directly mapped to a shared folder, however, Cerber will encrypt files saved on it.
Cerber also terminates database software-related processes before running its encryption routine. This ensures the files can be encrypted, since the OS blocks write access to a database file while the process using it is still running. Cerber 4.1.5’s configuration file has a long list of file types to encrypt, including those from Microsoft Access, Oracle, MySQL, and SQL Server Agent, as well as files related to accounting, payroll, and healthcare database software. A comparison of the configuration files of Cerber 4.1.0, 4.1.4, and 4.1.5 also showed that the variants seek the same database-related files.
| Programs Associated with the File Extension | Extensions |
|---|---|
| Microsoft Access | .accdb, .accde, .accdr, .accdt, .adp, .odc |
| Alpha Five, Ability Database | .adb |
| Advantage Database Server, Progress Database | .ai |
| Microsoft Works, Blaise Database | .bdb |
| Cardscan card database, Pocket Access Database, Borland Turbo C main database file, Symbian OS contact database file, Cleaner trojan database file | .cdb |
| SQLite 3 File | .cls |
| ANSYS, Arcview, dBASE IV, dBFast, iRiver Plus3 | .db |
| dBASE III, SQLite | .db3 |
| CBDF, iAnywhere, AlphaFive, ACT!, Psion Series 3, NovaBACKUP | .dbf |
| EstImage Database, Euphoria Database System | .edb |
| Ruby SQL File | .erbsql |
| Fiasco Database, FlexyTrans Database, FlukeView Database, Firebird Database, FoxPro Database, Legacy Family Tree Database, Navison Financials Database, FeedDemon SQLite Data File | .fdb |
| IDEA! Project Management Database | .ibd |
| Symantec Q&A Relational Database | .idx |
| KeePass Password Database | .kdbx |
| Kaspersky Virus Database | .kdc |
| NEi Nastran Modal Database, Microsoft Access | .mdb |
| SQL Server Master Database | .mdf |
| Lotus Notes Database | .ns2, .ns3, .ns4, .nsf, .nsg, .nsh |
| NRG Site Database | .nsd |
| Organizers Database, Arcview Object Database | .odb |
| Palm OS Database, Pegasus Database, QuickPOS Database, Visual C++/.NET Program Database, BGBlitz Position Database, Martini Personal Database | .pdb |
| Password Safe Database | .psafe3 |
| Redis Database, Oracle, Value Navigator Database, Darkbot Random Database, Zonealarm Mailsafe Database, OpenOffice Database | .rdb |
| SQLite 3.0 Database | .s3db |
| Windows Compatibility Solution Database, yEncExpress Database, Windows Security Database, SideKick 2 Database, Summer Camp Scheduler Database, Windows 2000 Security Configuration and Analysis Database, SQLite Database, OpenOffice Base Database, ServerBoss Database, AutoDesk Survey Database, AutoCAD Civil 3D Survey Database | .sdb |
| Structured Query Language Data | .sql |
| SQLite Database | .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal |
| Concordance Full Text Database | .tex |
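As an added example (not part of the original analysis, and not Trend Micro's own detection logic), the following Python script shows how a defender could correlate the two behaviors described above: it builds a watch-list from the extension table, then scans file-activity log lines for a process that terminates database services and afterwards writes to database files, or that writes to many distinct database file types within a short window. The flat log format, the service names in `DB_SERVICE_PROCESSES`, and the sample events in `SAMPLE_LOG` are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Database-related extensions taken from the Cerber 4.1.x configuration table above.
DB_EXTENSIONS = {
    ".accdb", ".accde", ".accdr", ".accdt", ".adp", ".odc", ".adb", ".ai", ".bdb",
    ".cdb", ".cls", ".db", ".db3", ".dbf", ".edb", ".erbsql", ".fdb", ".ibd", ".idx",
    ".kdbx", ".kdc", ".mdb", ".mdf", ".ns2", ".ns3", ".ns4", ".nsf", ".nsg", ".nsh",
    ".nsd", ".odb", ".pdb", ".psafe3", ".rdb", ".s3db", ".sdb", ".sql", ".sqlite",
    ".sqlite3", ".sqlitedb", ".sqlite-shm", ".sqlite-wal", ".tex",
}
# Longest first so ".sqlite-wal" wins over ".sqlite" and ".accdb" over ".db".
_EXT_ORDER = sorted(DB_EXTENSIONS, key=len, reverse=True)

# Assumed watch-list of database service images (sqlservr.exe and mysqld.exe are the
# SQL Server and MySQL service binaries; extend to match the engines you run).
DB_SERVICE_PROCESSES = {"sqlservr.exe", "sqlagent.exe", "mysqld.exe", "oracle.exe"}

# Hypothetical flat log format: "<ISO timestamp> <pid> <image> <event> <target>".
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(FILE_WRITE|PROCESS_TERMINATE)\s+(\S+)$")

# Constructed sample events: a SQL Server instance doing normal writes, then an
# unknown process killing database services and writing to database files on a
# network share, a local disk, and a RAM disk (R:).
SAMPLE_LOG = r"""
2016-11-18T10:00:01 4120 winword.exe FILE_WRITE C:\Users\alice\Documents\notes.docx
2016-11-18T10:00:02 1208 sqlservr.exe FILE_WRITE C:\SQLData\sales.mdf
2016-11-18T10:00:03 1208 sqlservr.exe FILE_WRITE C:\SQLData\sales.mdf
2016-11-18T10:00:05 5532 updater.exe PROCESS_TERMINATE sqlservr.exe
2016-11-18T10:00:06 5532 updater.exe PROCESS_TERMINATE mysqld.exe
2016-11-18T10:00:07 5532 updater.exe FILE_WRITE \\fileserver\shares\accounts.mdb
2016-11-18T10:00:08 5532 updater.exe FILE_WRITE \\fileserver\shares\payroll.dbf
2016-11-18T10:00:09 5532 updater.exe FILE_WRITE C:\SQLData\sales.mdf
2016-11-18T10:00:10 5532 updater.exe FILE_WRITE R:\cache\index.sqlite-wal
2016-11-18T10:00:11 6001 notepad.exe FILE_WRITE C:\Users\alice\query.sql
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, image, event, target = m.groups()
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image.lower(), "event": event, "target": target}


def db_extension(path):
    """Return the database extension a path ends with (case-insensitive), else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for ext in _EXT_ORDER:
        if name.endswith(ext):
            return ext
    return None


def detect(log_text, window=timedelta(seconds=60), min_distinct_types=3):
    """Return one finding per (pid, image) whose activity resembles database-targeting
    ransomware: it terminated a database service and then wrote to database files, or it
    wrote to at least `min_distinct_types` different database file types inside `window`."""
    by_proc = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_proc[(ev["pid"], ev["image"])].append(ev)

    findings = []
    for (pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        kills = [e for e in evs if e["event"] == "PROCESS_TERMINATE"
                 and e["target"].lower() in DB_SERVICE_PROCESSES]
        writes = [(e["ts"], db_extension(e["target"]))
                  for e in evs if e["event"] == "FILE_WRITE"]
        writes = [(ts, ext) for ts, ext in writes if ext]
        # Largest number of distinct database file types touched inside one window.
        peak = 0
        for i, (start, _) in enumerate(writes):
            in_window = {ext for ts, ext in writes[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if kills and any(ts >= kills[0]["ts"] for ts, _ in writes):
            reason = "db-service-terminated-then-db-files-written"
        elif peak >= min_distinct_types:
            reason = "many-db-file-types-written"
        else:
            continue
        findings.append({"pid": pid, "image": image, "reason": reason,
                         "terminated": sorted({k["target"].lower() for k in kills}),
                         "db_types": sorted({ext for _, ext in writes})})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The service-termination rule is the higher-confidence signal because a database engine writing to its own data files touches one or two file types repeatedly and never kills itself; the distinct-type threshold catches encryption runs that skip the termination step, but backup or migration tools that legitimately copy many database formats should be allow-listed before it is used for alerting.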
Ransomware’s evolving tactics, techniques, and procedures signal a shift toward attacks on businesses of all sizes, which can disrupt operations and raise downtime costs. Regularly backing up important corporate assets can mitigate Cerber’s adverse effects. Many ransomware variants also leverage privileged/administrator accounts to run their malicious routines, such as terminating processes, so a sound privilege management policy helps limit the malware’s entry points for infection. Users and businesses can also benefit from a multilayered approach to security—from the gateway, endpoints, networks, and servers.
TippingPoint customers are protected from Cerber attacks with this MainlineDV filter:
- ThreatDV 25841: UDP: Ransom_HPCERBER.SM6 (Cerber) Checkin
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
Indicators of Compromise (IoCs):
Cerber dropped via malicious sites:
Cerber dropped by exploit kits:
0a6ec6a46e66863e48a05058963d9babf2c2b911 — Cerber 4.1.0
fddb48d4910adc0aa75b9529a90e11dac62c41ce — Cerber 4.1.1
620dca44514ee1d440867285bbb2a73a35303876 — Cerber 4.1.3
8185e5477e29b1095f5fc42197baddac56fb44d2 — Cerber 4.1.4
317b1dea823f942061f1f8c6612ef745704c9962 — Cerber 4.1.5
Cerber dropped via spam emails:
cc8f31bb926f862b3c5360e33c32134b871008de — Ransom_CERBER.F116K8 (Cerber 4.1.5)
9d48589dc1e202847980004f8290cd12289f7a5c — Ransom_CERBER.F116K7 (Cerber 4.1.3)
66c9ccca850929f1d4b7b07cb5dd0be4a50a73f7 — Cerber 4.1.0
Websites accessed by HTML files that Cerber drops in the system:
66c9ccca850929f1d4b7b07cb5dd0be4a50a73f7 — Ransom_HPCERBER.SM6
aa3fc1d5a79e1d43165b5556bae2669fd68455508bb667a457fa3dfd25b6222e (SHA256) — Ransom_HPCERBER.SM6
Additional analysis/insights by Joseph C. Chen, Jon Oliver, and Chloe Ordonia