Cerber ransom note inside a victim's desktop wallpaper

Security researchers have spotted version 6 of the Cerber ransomware, and this new edition continues to add new features, heightening the overall complexity this ransomware family has been showing.

First detected at the end of March, version 6 comes with new distribution vectors, a revised encryption routine, and anti-sandbox and anti-AV defensive features.

These features, added a few months after Cerber 4 and Cerber 5 also came with a bunch of improvements, show the ransomware is continuing to grow, most likely fueled by the financial success it's been having since Locky has gone dark over the winter, leaving a void to fill.

Cerber 6 distribution vectors diversify

Cerber 6 distribution is the same as before, the ransomware still relying on massive spam campaigns to reach its victims, albeit other distribution channels such as exploit kits and manual installation scenarios have been spotted.

While most of the spam emails follow the classic ZIP -> JavaScript -> PowerShell trick, security researchers also reported seeing some Cerber operators experimenting with other email attachment types.

The most prevalent of these experimental tricks was via self-extracting archives (SFX files), which unzipped and executed a collection of VBS and DLL files for a pretty intricate attack chain.

Simpler infection methods were also spotted, when some Cerber operators took a page out of Locky's book and started distributing HTML application (HTA) files and even binary (BIN) files to infect victims.

According to Trend Micro, a reason for this surge in different distribution tactics is that Cerber became very popular on the underground market, where its operators have been selling access to their RaaS (Ransomware-as-a-Service) portal, especially since March.

This Cerber RaaS, the new Cerber 6 version, and the Necurs botnet downtime were one of the main factors why Cerber became the most popular variant on the ransomware scene last month.

New encryption routine

But running the most successful ransomware operation on the market is hard. The Cerber source code and the infrastructure used to deliver it are constantly under surveillance and scrutiny.

To keep security researchers away, most professional ransomware operations evolve every few months. We've seen this with CryptoLocker, TeslaCrypt, Locky, and we're now seeing it with Cerber.

The biggest change in the Cerber 6 version is its new encryption routine which now uses Microsoft's Cryptographic Application Programming Interface (CryptoAPI), similar to Spora.

Cerber gets anti-VM and anti-sandboxing features

Another major new feature discovered in Cerber 6 is the addition of anti-VM and anti-sandboxing techniques to detect when security researchers or security products are trying to identify a Cerber infection.

These new features, along with the introduction of a time delay before the execution of the actual Cerber payload makes detecting infections much harder.

In late February, in an earlier version, Cerber started avoiding encrypting files belonging to antivirus programs. Starting with version 6, Cerber blocks the execution of EXE files belonging to security software via Windows firewall rules.

Cerber is by far the most sophisticated threat

All of these new features show that the Cerber crew is taking ransomware development to the next level. While Verizon and Proofpoint highlighted in recent reports that the number of ransomware families kept going up, most of those are just junk products, mostly based on low-quality open-sourced code.

On the other hand, Cerber is using high-tech features and has also cannibalized the distribution market, making it by far the most dangerous ransomware on the market today, regardless of how many new ransomware variants other security companies spot.

At the time of writing, there is no known way to defeat the Cerber 6 encryption and recover files.

Below is a table put together by Trend Micro, showcasing Cerber's evolution across all its versions.

  Cerber v1, v2 and v3 Cerber v4 Cerber v5 Cerber SFX Cerber v6
File Type EXE EXE EXE SFX (Loader) VBS, DLL EXE
Exceptions (Cerber doesn’t execute if it detects certain components in the system) Language in v1 and v3*

 

Language and antivirus (AV) for v2*

Language* Language* AV, VM, Sandbox (Loader*), and Language* Language*
Anti-AV Routine None None None None EXE files of AV, Firewall and Antispyware products set to be blocked by Windows firewall rules*
Anti-sandbox None None None VM and Sandbox (Loader*) VM and Sandbox (Loader*)
Backup Deletion Yes (vsadmin, WMIC, BCDEdit)* Yes (WMIC)* Yes (WMIC)*

 

Removed in v5.02

 Varies (some samples have backup deletion capabilities) Varies (some samples have backup deletion capabilities)
Exclusion List 
(directories and file types Cerber doesn’t encrypt)
Folder and file* Folder and file* Folder and file*; and AV, Antispyware, and Firewall directories Folder and file*; and AV, Antispyware, and Firewall directories Folder and file*

* option can be configured by customers of Cerber RaaS