by RSS Sarah Wu, Jacob Leong  |  Dec 02, 2016  |  Filed in: Security Research

Introduction

A new update of Cerber Ransomware, Cerber 5.0.1, has just arrived, appearing shortly after Cerber 5.0.0. had been released. Cerber 5.0.1 handles multithreading differently when it comes to encrypting files, probably aiming for better performance. It also changes the instruction file name from “README.hta” to “_README_.hta”.  The intention of this might be to avoid simple AV detection, such as checking instruction file names. The major updates in the new version are described in the following sections. 

New in Cerber 5.0.1

After the encryption stage, the new Cerber 5.0.1 sample modifies the wallpaper and drops the instruction files to notify victims that they have been attacked. The version number “5.0.1” is now displayed on the wallpaper. And the instruction file name that used to be “README.hta” has been changed to “_README_.hta.”

Figure-1. Cerber 5.0.1 wallpaper and instruction filename

 

This version also abandons the "multithread" field in the configuration and handles file encryption differently as compared to previous versions. 

Figure-2.  Cerber 5.0.1 removed the “multithread” field

 

Ceber 5.0.1 also now creates a separate single thread for encrypting each drive.  Each thread is only responsible for encrypting the files in its corresponding drive. If a valid file is found, and certain conditions (such as min_file_size) are met, the thread will encrypt the file immediately.   

Figure-3. Flow chart of Cerber 5.0.1 file encryption

For previous versions (not including 5.0.0), the "multithread" field in the configuration controls the thread creation for encrypting files.  A list of files to be encrypted is first generated. Then Cerber creates a single thread or multiple threads for encrypting the files on the list, depending on the “multithread” value.  If the value is set to “1,” Cerber obtains the number of processors of the infected machine by calling the API GetSystemInfo and then creates two threads for every processor, for fetching and encrypting files from the list.  If the value is set to “0”, it only creates a single thread for fetching and encrypting files from the list without checking the number of processors. 

Figure-4. Flow chart of the old file encryption

The old way of searching for files in a victim’s machine and then generating a file list for encryption was done on a single thread, which was probably not the most efficient. However, the old way of encrypting different files can be done on different threads, depending on how many processors there are and what the value of the “multithread” field is. In contrast, the new approach appears to have better performance when searching for files since it is done on multiple threads if there are multiple drives. However, encrypting files for each drive still seems to be done on a single thread, which might not maximally utilize the processors of the infected machines.

Evolution of Cerber Since Version 4(X)

The history of Cerber evolution is presented in the table below.  The changes are observed from the configuration of different versions.  

CERBER EVOLUTION HISTORY

Version

Date

Modification

5.0.1

2016/11/24

1. The “multithread” field is removed from the configuration;

2. The instruction file name is changed from "README" to “_README_”

5.0.0

2016/11/23

The value of "bytes_skip" increases from 512 to 640 bytes. That is, the first 640 bytes will be skipped when the file is being encrypted.

4.1.6

2016/11/22

Suffix ".secret" is added to the file extension list.

4.1.5

2016/11/13

The min_file_size increases to 2560 bytes. That means, files that are smaller than 2560 bytes will not be encrypted.

4.1.3

2016/11/7

Two new IP ranges are added.

4.1.1

2016/10/31

Version number is updated.

4.1.0

2016/10/27

The knock message has an additional “status” field.

4.0.2

2016/10/19

To the best of our knowledge, version number is written on the desktop wallpaper of infected machine since this version.

4(X)

2016/10/4

Encrypted files are marked with a four-character extension which is the fourth segment of the “MachineGuid” [1].

Table-1.  Cerber evolution history

 

Conclusion

We have observed a lot of different versions of Cerber variant in these two months. Although Cerber updates its version quite frequently, there was no significant update until version 5. We will continue to track this family and share any new updates with our readers. Stay tuned!

References:

[1] https://blog.fortinet.com/2016/10/31/the-first-major-update-of-cerber-4-ransomware-has-surfaced

Sample Information

MD5: eaa48dabb2a6430436c2cedc06818cb0

SHA256: 993ee9f39003c5221f270846c0df668b4b3258e6f72ad6cc3c1f3e14c5f16ae9

Fortinet AV Detection: W32/Injector.KO!tr

by RSS Sarah Wu, Jacob Leong  |  Dec 02, 2016  |  Filed in: Security Research