Functionality of Cerber-Ransomware



#1 worstanalyst


Posted 28 June 2017 - 04:13 AM

Hello altogether!

Some days ago I was testing what happens when I execute an exe file that pretended to be a PDF (.pdf.exe). I already knew that this would lead to an infection with the probably actual variant of the Cerber ransomware. And luckily I got infected and could have a look at what happens concerning the network traffic.

When I analyzed the network traffic with Wireshark, I found out that the ransomware looks for a certain BTC address and sends my victim ID to a server probably controlled by the crooks.

As I am no "pro" in these things, I used a well-known search engine but unfortunately found no suitable information. So I now hope that I made my post in the correct forum and that there are some people here who understand much more of that stuff than I do.

I'd like to share the pieces of information I could gather - who knows, perhaps together we can find out something really interesting?

Greets,

worstanalyst


#2 quietman7


Posted 28 June 2017 - 05:19 AM

There are several different variants of Cerber Ransomware with different file extensions appended to the end of encrypted filenames and ransom notes.

Any files that are encrypted with the original Cerber Ransomware will be renamed (encrypted) with 10 random characters followed by a .cerber or a random 4 digit extension appended to the end of the encrypted data filename (i.e. 2C1OlcaXdF.cerber, kMWZJggq2p.a82d) and leave files (ransom notes) named DECRYPT MY FILES#.vbs, DECRYPT MY FILES#.txt, DECRYPT MY FILES#.html as explained here.

Any files that are encrypted with Cerber v2 will be renamed (encrypted) with 10 random characters followed by a .cerber2 extension appended to the end of the encrypted data filename (i.e. Ku7dYlcvkj.cerber2) and leave files (ransom notes) named DECRYPT MY FILES#.vbs, DECRYPT MY FILES#.txt, DECRYPT MY FILES#.html as explained here.

Any files that are encrypted with Cerber v3 will be renamed (encrypted) with 10 random characters followed by a .cerber3 extension appended to the end of the encrypted data filename (i.e. um87p5n5x9.cerber3) and leave files (ransom notes) named # HELP DECRYPT #.txt, # HELP DECRYPT #.html, # HELP DECRYPT #.url as explained here.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Any files that are encrypted with GPAA Ransomware (Global Poverty Aid Agency) will have scrambled file names with the .cerber6 extension appended to the end of the encrypted data filename (i.e. 2BiwaFbX6wlPaDSy.cerber6) and leave files (ransom notes) named !READ.htm.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Note: One of the newer Xorist variants uses a fake .cerber extension. If the encrypted files have the .cerber extension appended to the end of the original extension and filename (i.e. picture.jpg.cerber)... you were infected with Xorist Ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
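A small triage helper built from the naming schemes listed in the reply above, added here as an example and not part of the thread or of any vendor tool: it classifies a constructed directory listing by variant and flags the ransom-note names. The regexes and labels are mine; they assume "random characters" means ASCII alphanumerics and that the 4-character extension (example a82d) is lowercase hex.

```python
import re
from collections import Counter

# Renaming schemes as described in the reply. Regexes are constructed here (assumptions:
# random characters = ASCII alphanumerics; 4-character extension = lowercase hex;
# GPAA name length is not fixed by the reply, so any length is accepted).
ENCRYPTED_PATTERNS = [
    ("Cerber v2", re.compile(r"^[A-Za-z0-9]{10}\.cerber2$")),
    ("Cerber v3", re.compile(r"^[A-Za-z0-9]{10}\.cerber3$")),
    ("GPAA (.cerber6)", re.compile(r"^[A-Za-z0-9]+\.cerber6$")),
    # Xorist keeps "name.ext", so a second dot precedes .cerber; real Cerber names have none.
    ("Xorist (fake .cerber)", re.compile(r"^.+\.[^.]+\.cerber$")),
    ("Cerber (original)", re.compile(r"^[A-Za-z0-9]{10}\.(cerber|[0-9a-f]{4})$")),
]

# Ransom-note base names from the reply, keyed to the variant that drops them.
RANSOM_NOTES = {
    "DECRYPT MY FILES#": "Cerber (original)/v2",
    "# HELP DECRYPT #": "Cerber v3",
    "!READ": "GPAA (.cerber6)",
}


def classify_filename(name):
    """Return the variant label whose renaming scheme matches `name`, or None."""
    for label, rx in ENCRYPTED_PATTERNS:
        if rx.match(name):
            return label
    return None


def triage_listing(filenames):
    """Count encrypted files per variant and collect the ransom-note families seen."""
    counts = Counter()
    notes = set()
    for name in filenames:
        stem, _, _ = name.rpartition(".")
        if stem in RANSOM_NOTES:          # ransom note, not an encrypted file
            notes.add(RANSOM_NOTES[stem])
            continue
        label = classify_filename(name)
        if label:
            counts[label] += 1
    return dict(counts), sorted(notes)


# Constructed listing: the reply's example names, one note per family, one untouched file.
SAMPLE = ["2C1OlcaXdF.cerber", "kMWZJggq2p.a82d", "Ku7dYlcvkj.cerber2",
          "um87p5n5x9.cerber3", "2BiwaFbX6wlPaDSy.cerber6", "picture.jpg.cerber",
          "DECRYPT MY FILES#.vbs", "# HELP DECRYPT #.url", "!READ.htm", "report.docx"]

if __name__ == "__main__":
    print(triage_listing(SAMPLE))
```

A 16-character name ending in plain .cerber matches nothing, which is the intended result: it fits neither the 10-character Cerber scheme nor the Xorist "name.ext.cerber" shape.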