Cerber Ransomware Moves Fast Forward

Nowadays computer viruses are inevitable. Once they infiltrate your computer, the viruses affect its daily routine and keep you away from your files. Suddenly, all the simple things like accessing the Internet, opening a document and checking your email turn into something really hard to do. For that reason, it is very important for you to be aware of the different types of viruses that are capable of infecting your virtual machine. Knowing the virus type is always the first step towards eliminating it.

The term Cerber (Cerber Ransomware) seems closely related to the mythological Cerberus, the Greek dog that had three heads and that guarded the gates of the underworld such that the dead were allowed entry while none was granted exit. Following this principle, Cerber ransomware acts in a similar way, by allowing you to boot your system, though not to the point where you can access and use your files.

Despite the fact that Cerber ransomware is not a new kind of malware, it is an encryption ransomware type which encrypts the data files of a targeted computer with AES-256 encryption, adding the .cerber extinction to the file names. The malware targets wide arrays of file extensions, but extensions like bootsect.bak, thumbs.db, iconcache.db, and wallet.db are exempted from the encryption.

As soon as Cerber ransomware is downloaded into the targeted machine, it makes sure that the computer is not located in some selected European countries, and these are also exempted from the attack. After that, it installs itself into the Applications data folder, thereby giving itself a random windows executable.

After confirming that these countries are absent from the given list, Cerber ransomware proceeds to attack by adding a configuration in the operating system which makes the computer start up, though in safe mode only.

Besides, this configuration restricts how the boot sequence operates. Instead of the boot proceeding to completion and allowing you to access your computer desktop, the computer is forced to re-boot. This is made possible by the availability of a false system message written in the rogue code which tells the PC user that something is wrong and that the computer should start up again.

Upon the second start up, the boot sequence goes through with no hitches. This is when the malware executes itself to encrypt the attacked computer’s files using a JSON configuration for its setting.

Once the PC user gets to his desktop, he will see a message stating that his files were encrypted and that he would need to pay some amount to purchase the decryption key. Usually, the files which come under attack are text files (.txt), HTML files (.html) and Visual Basic Scripting files (.vbs).

The displayed message is in the form of notes, which also have a link to the website where the victim is expected to pay a specified amount of money for them to obtain the keys with which to decrypt the files. The ransom amount is paid with 1.24 Bitcoins, equivalent to $500.

In order to speed up the payments, the cyber criminals have given a deadline of seven days within which the payment is to be made, failure to which will lead to the doubling of the ransom amount.

Presently, the risk of getting attacked by the malicious threat is increasing due to the fact that Cerber is being sold as Ransomware as a Service (RaaS) by underground forums in Russia. This means that hackers, as well as other criminals with little knowledge on encryption and other technical computer functions, can easily purchase and launch attacks on vulnerable computer systems.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.