AVG security researcher Jakub Kroustek has recently discovered tracks of the Cerber 3 ransomware virus marking encrypted files with the .cerber3 file extension. Unlike previous variants of Cerber, for which decryptors have been already developed, this variant contains fixes that prevent malware researchers from decrypting the files.
Since this virus is a part of a RaaS scheme, its infections have risen rapidly over the past few months. In fact, malware researchers report that affiliates managed to reach 150,000 infected computers. July 2016 was one of the peak months for the Cerber variants, reaching up to $200,000 in monthly profit.
Each malicious campaign that distributes Cerber 3 is also reported to differ from its predecessors. For instance, Check Point malware researchers report that the highest impact regarding size and infections was on targeted computers that are located in Asia, more specifically China and South Korea.
To cause infections in those countries, the Cerber 3 ransomware used the Magnitude exploit kit which aims to detect weak points in a given operating system and exploit them, thus resulting in a successful attack.
After it has attacked a given computer, Cerber3 ransomware asks a ransom payment whose value is double that of the previous variant ($175 in BitCoin). This “request” is written in a ransom note that is published on a Tor-based web page aiming to scare users into paying the ransom:
“Your documents, photos, databases and other important files have been encrypted. To decrypt your files you need to buy the special software – <<Cerber Decryptor>>
“All transactions should be performed via Bitcoin network only.”
The message is accompanied by instructions on how to pay the ransom in bitcoin:
Q: What should I do if my computer is infected with Cerber 3 Ransomware?
A: In case your device has become a victim of this virus, you should immediately disconnect your computer from the internet and copy the encrypted files on a safe computer. From there, you can try to manually remove Cerber 3 and only then try to recover some of your lost data via a data recovery tool.
Q: How can I decrypt .cerber3 encoded files?
A: Cerber 3 is as impressive as it is devastating when it comes to file encryption. Its encryption module’s first action is to generate RSA 576-bit keys on the infected device. These keys are stored, and after successful encryption, they are used to decode and encode files. The decryption key for the encoded files is encrypted with the same cipher, but it is much stronger in bits – RSA-2048. The information for the decryption is then sent to the server of the cyber-criminals, who distribute the infection.
Unlike the keys, the encryption algorithm is RC4 (Rivest Cipher 4), the code for which leaked back in 1994. In size, this cipher may vary from 40 to 2048 bits. Cerber 3 is reported to use 128-bit key based on its advertisement. The algorithm is also known as a stream cipher, and many prefer it due to its fast encrypting speed (7 cycles per byte).
The worst part of it all is that each RC4 encrypted file generates its own key. For example, if you have 150 files, and they are encrypted, Cerber 3 will generate 150 unique keys. And this is not the bad news yet. The cherry on the cake is all of those keys are encrypted using the previously mentioned RSA-576 bit cipher.
This procedure immensely complicates the decryption process of files encrypted by this ransomware virus. It may take months if not years to decrypt one file and then more time to solve the riddle for the other files based on the initial information.
Q: How can I protect my files and my computer from Cerber 3?
A: To stay protected from Cerber 3, store your important files in a safe way. Also, download ransomware protection software to reduce the risk of a ransomware attack.
About the Author: Vencislav Krustev has a degree in Marketing and Value Chain Management and is currently accomplishing the Cisco CCNA engineering course for network and system administrators. He is passionate about cyber-security and malware research, which is why he dedicated a great deal of his time to gain experience in the cyber-security field. You can find him at SensorsTechForum.com – a blog and a forum on cyber security and threats – where he is researching solutions against malware infections from morning till dusk.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.