Cerber was only created early this year, but the ransomware has already gone through several metamorphoses during its short lifespan. The changes include the operators altering the encryption scheme to defeat the decryption tools built against earlier versions.
Besides making the encryption harder to break, the developers of Cerber have also switched distribution mechanisms. The longer a campaign runs, the more likely users and security products are to recognise its propagation vectors, so the delivery chain is changed along with the code.
The effort has paid off for the criminals: Cerber is estimated to generate around $2.3 million USD a year. The ransomware spreads globally, and estimates put the number of infected devices in the hundreds of thousands.
Cerber is named after a mythological guardian of the underworld: in Greek mythology, Cerberus is the three-headed dog that guards the gates to the realm of the dead. The people behind the ransomware acknowledged the myth in a way, as the code changed markedly after the third major build.
The two latest incarnations, versions 5.0 and 5.0.1, were discovered by Check Point researchers last week, who published their analysis shortly afterwards. The updated variants use different IP ranges and encryption patterns, but the most notable change is in the distribution technique.
Researchers at Cisco Talos identified a spam email campaign spreading Cerber 5.0.1. While monitoring the distribution process, they found that the ransomware is not attached to the email at all but is delivered through a chain of redirects and downloads.
The first step is a spam message about pictures, order details, transaction logs or loan acceptance letters. The subject line includes the recipient's name, suggesting that the criminals gather at least basic information on their targets.
The messages do not carry Cerber itself; their purpose is to redirect the user. Each contains a link that appears to point to google.com but actually uses a Google redirect, so clicking it takes the user to the redirect's target rather than to the Google homepage.
The redirect target is a URL on the onion.to domain. onion.to is served by Tor2web, a proxy service that makes Tor hidden services reachable from an ordinary browser without installing the Tor client. Following the link fetches a Word document from the hidden service and downloads it to the victim's machine.
The document claims to contain protected content and asks the user to enable macros to view it. If the macro is allowed to run, it launches the Windows Command Processor (cmd.exe), which in turn executes PowerShell. The PowerShell script downloads the Cerber binary, again through Tor2web from a server on the Tor network, and installs it on the device.
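The delivery chain above offers two detection points: a Google redirect whose target is a Tor2web gateway, and PowerShell running under an Office application. The Python below is an added example, not code from the Talos or Check Point write-ups. It assumes the redirect takes the common https://www.google.com/url?q=... form (the article only says "a Google redirect page"), lists a few Tor2web gateway suffixes beyond onion.to as assumptions, and runs over constructed proxy-log and process-creation records. It generalises slightly past the article's case by treating any Office host image, not only WINWORD.EXE, as a suspicious ancestor of powershell.exe.

```python
"""Flag the Cerber 5.0.1 delivery chain in proxy and process-creation logs.

Added example; not code from the Talos or Check Point write-ups.
Assumptions (not stated in the article): the Google redirect uses the
common https://www.google.com/url?q=<target> form, and the gateway
suffixes other than onion.to are other public Tor2web proxies.
All log records below are constructed for this example.
"""
from urllib.parse import parse_qs, urlparse

# Tor2web gateways expose .onion hidden services as <hash>.<suffix> over HTTP(S).
# onion.to is the one named in the article; the others are assumptions.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.cab", ".onion.link", ".tor2web.org")
GOOGLE_HOSTS = {"google.com", "www.google.com"}
# Office host processes whose macros can spawn a shell (WINWORD is the article's
# case; the others are assumed for generality).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def redirect_target(url):
    """Return the destination of a Google /url redirect, or None if url is not one."""
    parsed = urlparse(url)
    if parsed.hostname not in GOOGLE_HOSTS or parsed.path != "/url":
        return None
    query = parse_qs(parsed.query)          # parse_qs already percent-decodes
    target = query.get("q") or query.get("url")
    return target[0] if target else None


def is_tor2web(url):
    """True if the URL's host is a Tor2web gateway (e.g. abcdef.onion.to)."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(TOR2WEB_SUFFIXES)


def flag_tor2web_redirect(url):
    """True when a Google redirect lands on a Tor2web proxy, as in the Cerber chain."""
    target = redirect_target(url)
    return target is not None and is_tor2web(target)


# Constructed proxy log: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2016-11-28T10:01:02 10.0.0.5 GET https://www.google.com/url?q=https%3A%2F%2Fexampleabcdef.onion.to%2Fdoc 302
2016-11-28T10:01:03 10.0.0.5 GET https://exampleabcdef.onion.to/doc 200
2016-11-28T10:05:10 10.0.0.7 GET https://www.google.com/url?q=https%3A%2F%2Fwww.example.org%2Freport.pdf 302
2016-11-28T10:07:44 10.0.0.9 GET https://www.google.com/ 200
"""


def scan_proxy_log(log_text):
    """Return (client, Tor2web URL) for every Google redirect that lands on a gateway."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed record
        client, url = fields[1], fields[3]
        if flag_tor2web_redirect(url):
            hits.append((client, redirect_target(url)))
    return hits


# Constructed process-creation events: (pid, parent pid, image path).
PROCESS_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"),
    (300, 200, r"C:\Windows\System32\cmd.exe"),  # spawned by the macro
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (500, 100, r"C:\Windows\System32\cmd.exe"),  # user-opened shell, benign
    (600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]


def office_spawned_powershell(events):
    """PIDs of powershell.exe whose ancestry (via cmd.exe or directly) leads back
    to an Office application: the macro -> cmd -> PowerShell chain described above."""
    parent = {pid: (ppid, image) for pid, ppid, image in events}
    hits = []
    for pid, ppid, image in events:
        if image.lower().rsplit("\\", 1)[-1] != "powershell.exe":
            continue
        cur, depth = ppid, 0
        while cur in parent and depth < 8:  # bound the walk against PID-reuse loops
            ancestor = parent[cur][1].lower().rsplit("\\", 1)[-1]
            if ancestor in OFFICE_IMAGES:
                hits.append(pid)
                break
            cur, depth = parent[cur][0], depth + 1
    return hits


if __name__ == "__main__":
    print(scan_proxy_log(PROXY_LOG))
    print(office_spawned_powershell(PROCESS_EVENTS))
```

Matching on the gateway suffix rather than on a specific onion address is deliberate: the Talos write-up notes that the attackers can change the redirect chain quickly, while the use of a Tor2web proxy is structural to the delivery and harder to abandon. Likewise the process check walks the full ancestry instead of only the direct parent, so the cmd.exe hop in the middle does not hide the Office origin.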
Once the ransomware has encrypted the victim's files, it drops a ransom note carrying the criminals' message. Victims are told to pay $1,000 USD to have their data restored using the attackers' decryption tool, which they call Cerber Decryptor. If the payment is not made within 5 days, the amount doubles.
Cisco Talos dedicated a blog post to the latest version of Cerber, including details of how it is distributed. The researchers explained that the propagation vector the attackers have adopted is effective because it evades reputation-based blocking.
An extract from the publication elaborates: “Additionally, as the actual malicious file is hosted on a server within the Tor network, it is significantly less likely that the malicious file will be removed or taken down like it would be if hosted traditionally on the internet via malicious or compromised web servers. It also allows the attackers to modify the redirection chain quickly and easily to attempt to evade reputation based blacklisting technologies.”
Cerber has proven to be a resilient infection: only the first two versions have been cracked so far. In mid-August, security researchers found a flaw in the encryption implementation of those variants and used it to build a decryptor. The flaw was fixed in the next release of the ransomware, and malware analysts are still working on decryption tools for the later versions of Cerber.