The three heads of the Cerberus-like Cerber ransomware


Early this month, we saw a new ransomware family that launches a three-prong attempt to get you to hand over your hard-earned cash.

Called “Cerber” (it replaces file extensions with .cerber), we like to think of this three-prong approach as a nod to the mythical multiple-headed hound, Cerberus.

The attack starts with a text-to-speech (TTS) synthesized recording of a text message:

  • Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!

While it’s not terribly original, originality doesn’t count for much in malware circles – if something works (that “something” usually forcing victims to pay money or lose data), then everyone just jumps on the bandwagon and before you know it, bam macros are being used to deliver malware.

So perhaps expect to see a lot more synthesized, robotic-sounding messages making the rounds, attempting to steal your data and money.

The use of audio files as part of a ransomware attack isn’t particularly new, Tobfy was doing it way back in 2014, but the rise of TTS through the popularity of Cortana, Siri, and Android Now might see a new (easier) way for ransomware authors to annoy their victims into paying, if only to quiet the constant TTS announcement at every logon.

In Cerber’s case, it uses a VisualBasic Script (.vbs file) to call the Microsoft Speech API (SAPI) SpVoice.Speak method at every start up.

VB script used to call the SAPI Speak method

If the API can’t call the speech synthesizer, you’ll see an error message similar to this:

Error returned when TTS is disabled or not available

The other “prongs” in the attack are the usual flavor of current ransomware notices – a simple .html page or .txt file is opened using the native handler. The files include instructions to download the Tor browser, connect to a specific Tor site and start transferring some Bitcoins. It might display the ransom notes in different languages, based on the victim’s IP geolocation.

HTML page with ransom payment instructions

Plain text file with ransom payment instructions

Ransomware has come a long way from the non-encrypting lockscreen FBI and national police authority scare warnings, and this newer “low-cost approach” is both frustrating and effective.

Unlike other current ransomware (like Crowti) it completely renames the extension and the file name for files it targets. It’s also very selective in choosing the folders where it won’t infect. The list of folders it avoids mostly includes system folders, such as Program Files, the Users folder, the Recycle Bin and various others. It does, however, encrypt files in folders in network shares, and in all drives on the machine, and uses RSA encryption.

The list of file types it targets is extensive, and includes common types such as Office documents, some database files (including .sql, and .sqlite), and archive files (for example, .rar and .zip).

It stores configuration data in JSON format, which it decrypts and loads directly to memory at run time. The data includes:

  • The list of file extensions it targets
  • The folders it avoids
  • The public RSA key used for encryption (the private key is stored on the attacker’s server)
  • The mutex name format
  • The .html and .txt content used in the ransom note
  • The IP of a server it sends statistical data to

See our malware encyclopedia entry for details on the file types and folders it targets.

Encrypted files are given a randomized jumble of 10 characters for the file name, and the extension is changed to .cerber. Therefore, a file called kawaii.png could be renamed to something like 5kdAaBbL3d.cerber.

The instructions presented to a victim will lead them to a website where they can choose their language (considerate!) and must enter a CAPTCHA or anti-spambot challenge (ironic!). The language-choice page begins with an instruction to “choose your language”. This phrase rotates between the 12 languages the user can choose from.

Choice of 12 languages

CAPTCHA to access the payment site

After they’ve passed these gates, the site provides details on how the victim can obtain and transfer Bitcoins to the attackers. There will be a “special price” that increases based on how quickly the victim pays the ransom, which is reminiscent of Crowti and others.

Cerber payment site, requesting Bitcoin

Our strongest suggestion to prevent attacks from Cerber and other ransomware remains the same: use Windows Defender as your antimalware client, and ensure that MAPS has been enabled.

Both ransomware and macro-based malware are on the rise, users can disable the loading of macros in Office programs, and administrators can disable macro loading using Group Policy settings.


Comments (15)

  1. r says:

    how do I repair keep getting 0x8007000D error

  2. Windows Defender but needs to detect EVERY new variant of (not just) this malware — which it can’t!

    Why don’t you give HELPFUL advice and tell your customers to use SAFER or AppLocker to block all programs in %USERPROFILE% and below?
    See https://technet.microsoft.com/en-us/library/aa940985.aspx

  3. adwbust says:

    the solution here is for windows to have an encrypt api that is mandatory for everyone to use. every call should get a uac prompt – ‘source’ is trying to use the windows encryption service to encrypt files. if it’s not user’s doing, recommend to block and report source’s behavior to maps or smartscreen. so uac should be integrated to smartscreen or defender/maps in a way!

    1. adwbust says:

      i meant interconnected not integrated

    2. Michael Gillespie says:

      So you’d like a UAC prompt for every SSL transaction? Every web page load in your browser, every Windows Update verification on the client end, every cloud service’s backup (OneDrive, Dropbox, Carbonite, etc.), every authentication token verification over NTLM in the background of the kernel? Cryptography is used for lots of things constantly on a system (that we’re not even thinking of probably), so simply the use of the Crypto API isn’t a sign of malicious intent. Also, there’s other libraries and APIs to use like OpenSSL or BouncyCastle (depending on language used, options could be more), so Windows itself can’t hook into every attempt to run encryption routines.

      1. adwbust says:

        i meant encrypting files not communication. third parties should just use bitlocker instead of using their own so the user will know if an untrusted/unknown program tries/wants to use bitlocker to encrypt files.

  4. Ahmad says:

    they took my money, without anythings,
    F*ck them, F*ck them

    1. pete says:

      how much did you pay and to whom
      I am debating if I should pay I just got hit

  5. Vasil says:

    Very useful information! Microsoft tells you what tells you cerber (for example).
    I am never going to pay for your product.

  6. GR says:

    Incredible !
    Such informations are so useless.
    All websites says sames things.
    Because those pirates uses (again) a problem in windows security, it would be nice from Microsoft to Work on some solutions to prevent those attacks and allows their customers to uncrypt the crypted files they earned by using their software

  7. JayZ says:

    Article was good, but question is how to decrypt the .ceber files ? I really think something Microsoft should do something about it as Windows Defender completely failed

    1. TeryBle says:

      Exactly, what good is having a defender that doesn’t defend?

  8. jagan says:

    Article was good, but question is how to decrypt the .ceber files ?

  9. Gautam Patnaik says:

    Good information. HOW TO REMOVE CERBER RANSOMWARE. Does anyone or any of your client etc have a solution or code to this? Can someone help please.

Skip to main content