MSRT July 2016 – Cerber ransomware
As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows Defender, and our ransomware-dedicated cloud protection features.
We started seeing Cerber in February 2016, and since then it has continuously evolved and is now one of the most encountered ransomware families – beating both Exxroute and Locky. The evolution is mostly based around the way in which Cerber is being distributed – with a focus on exploit kits, compromised websites, and email distribution.
When looking at data for the past 30 days, Cerber is the most detected ransomware, taking over a quarter of all ransomware infections.
Ransomware family | Share |
Cerber | 25.97% |
Exxroute | 15.39% |
Locky | 12.80% |
Brolo | 11.66% |
Crowti | 9.97% |
FakeBsod | 9.19% |
Teerac | 3.94% |
Critroni | 3.72% |
Reveton | 2.86% |
Troldesh | 1.21% |
Ranscrape | 1.18% |
Sarento | 0.76% |
Urausy | 0.70% |
Genasom | 0.65% |
Cerber is especially prevalent in the US, Asia, and Western Europe.
However, infections occur across the globe, and the following heat map demonstrates the geographical spread of infected machines:
Cerber infection chain
Cerber can enter your system or PC either through downloaders from spam email or exploits on malicious or compromised sites.
When delivered via spam, we’ve seen the use of both macros and OLE objects to deliver Cerber. We described how malware authors can maliciously use OLE in our blog “Where’s the macro?“, and we’ve previously talked about how macros have been used to deliver malware (although new features in Office 2016 has seen a decrease in macro-based malware).
In this case, we’ve seen malicious files using VisualBasic Script (VBS) and JavaScript to download Cerber from a command and control (C2) server. We’ve also seen malicious macros both downloading Cerber, and dropping VBS scripts that then download Cerber.
The other infection vector – exploit kits – occurs when a user visits a malicious or compromised website that hosts an exploit kit. The exploit kit checks for vulnerabilities on the PC, and tailors an infection to target those vulnerabilities. This allows the exploit kit to download Cerber onto the PC.
Neutrino, Angler, and Magnitude exploit kits have been identified as distributing Cerber.
Cerber updates
As with most other encryption ransomware, Cerber encrypts files and places “recovery” instructions in each folder. Cerber provides the instructions both as .html and .txt formats, and replaces the desktop wallpaper.
Cerber, however, also includes a synthesized audio message.
We described the Cerber infection process in detail in our blog “The three heads of the Cerberus-like Cerber ransomware“.
There have been some updates to this family, however, including a much more detailed description of how ransomware encryption works, and how users can recover their files.
Note that the ransom message now makes claims about Cerber attempting to help make the Internet a safer place, and they don’t mention the payment of fees or ransom to decrypt your files.
Upon investigation, however, we have determined (as of July 8, 2016) that they are asking for a ransom in the form of bitcoins, as shown in the following screenshot of the Tor webpage:
The Cerber desktop wallpaper has also been updated:
Prevention
To help stay protected:
- Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
- Regularly back-up your files in an external hard-drive
- Download and apply security patches associated with the exploit kits that are known to distribute this ransomware (for example: Neutrino).
- Enable file history or system protection. On Windows 10 and Windows 8.1, set up a drive for file history
- Use OneDrive for Business
- Beware of phishing emails, spams, and clicking malicious attachment
- Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
- Disable the loading of macros in your Office programs
- Disable your Remote Desktop feature whenever possible
- Use two factor authentication
- Use a safe Internet connection
- Avoid browsing web sites that are known for being malware breeding grounds (such as illegal music, movies and TV, and software download sites)
Detection
- Ensure your antimalware protection (such as Windows Defender) is up-to-date and working correctly.
- Enable Microsoft Active Protection Service (MAPS) to get the latest cloud-based ransomware detection and blocking.
Recovery
In the Office 365 blog “How to deal with ransomware“, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.
You can also use OneDrive and SharePoint to backup and restore your files:
- OneDrive for Business and SharePoint:
- OneDrive for home users:
Carmen Liang and Patrick Estavillo MMPC