Cerber: What You Need to Know

We have noticed an increase in incidents involving Cerber, a new ransomware family that is delivered as a malicious email attachment, usually a .doc or .zip file. Once the attachment is opened, the program encrypts every file it can access, renames the encrypted files with a .cerber extension, and displays a ransom message directing the user to purchase decryption software with Bitcoin for the U.S. dollar equivalent of over $500. During encryption, Cerber drops three files (#DECRYPT MY FILES#.txt, #DECRYPT MY FILES#.html, and #DECRYPT MY FILES#.vbs) that contain step-by-step payment instructions. These files state that the victim can only decrypt their files using decryption software sold by the criminals, called 'Cerber Decryptor'.

The #DECRYPT MY FILES#.vbs file contains a VBScript that, when executed, plays the message "Your documents, databases and other important files have been encrypted!" through the computer's speakers. The notes also state that the ransom amount doubles after seven days, and that payment must be made through a site reachable only with the Tor browser.

A similar ransomware called DMA Locker is also making the rounds. Like Cerber, it arrives as a malicious email attachment, in this case usually one disguised with a PDF icon.

When the attachment is opened, it drops several files (%ALLUSERSPROFILE%\cryptinfo.txt, %ALLUSERSPROFILE%\select.bat, %ALLUSERSPROFILE%\svchosd.exe, and %USERPROFILE%\Start Menu\Programs\Startup\x.vbs, the last of which sits in the Startup folder so it runs again at every login) and runs a script that encrypts your files, including those on any removable storage devices plugged into the computer. A ransom message then states that one Bitcoin must be paid to the address "1C8yA7wJuKD4D2giTEpUNcdd7UNExEJ45r" to unlock the encrypted files, and that the ransom amount will increase after a certain amount of time.

Our technicians have taken several measures to help avoid this type of attack, including blacklisting the known malicious file names, keeping our anti-virus software up to date, and running a script on every supported computer every 30 minutes that searches for files with any known ransomware extensions. There are some steps you can take as well to prevent this from happening to your business:

  • Never open an email attachment from someone you don't know, and treat unexpected attachments from people you do know with the same suspicion, since sender addresses are easily spoofed.
  • Make sure you have updated, functional firewall and security software.
  • Set security policies for your business, and make sure all employees are informed.
  • Back up your files regularly, and keep at least one copy offline or disconnected: ransomware like DMA Locker also encrypts any drive that is plugged in, and a backup you cannot reach is the only sure way to avoid paying cybercriminals to get your files back.
  • Purchase Malwarebytes, an advanced security program that actively scans for, identifies, and targets potential threats. The Anti-Malware for Business program and the Endpoint Security program are available through AM Data Service for $3.50 each per month for each covered workstation, or you can combine them for the ultimate protection for just $5.50 total per month for each covered workstation. Ask us about adding these to a Managed Service agreement.
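The following is an added example of the kind of 30-minute sweep described above, written for this page and not AM Data Service's own script. It searches every fixed and removable drive for the file names and extension this article attributes to Cerber and DMA Locker, records any hits to a CSV file, and raises a Windows Application event so central monitoring can alert on it. The log path (C:\ProgramData\RansomSweep), the event source name, the event ID and the $Isolate switch are assumptions; the indicator list contains only what the article names.

```powershell
# Added example, not AM Data Service's script: sweep for the ransomware
# artifacts named in this article. Intended to run every 30 minutes as a
# scheduled task under SYSTEM on each workstation.
# Assumptions: log path, event source/ID and the $Isolate policy are invented
# for this example; indicators are limited to those the article describes.

$RansomExtensions = @('.cerber')
$RansomNoteNames  = @(
    '#DECRYPT MY FILES#.txt', '#DECRYPT MY FILES#.html', '#DECRYPT MY FILES#.vbs',  # Cerber
    'cryptinfo.txt', 'select.bat', 'svchosd.exe', 'x.vbs'                           # DMA Locker
)
$LogFile = 'C:\ProgramData\RansomSweep\hits.csv'   # assumed location
$Isolate = $false   # set to $true to disable physical NICs on a hit (assumed policy choice)

function Find-RansomwareArtifacts {
    param([string[]]$Roots)
    foreach ($Root in $Roots) {
        # -Force includes hidden files; access errors on locked system folders are skipped.
        Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # PowerShell comparison operators are case-insensitive by default,
                # so '#DECRYPT MY FILES#.TXT' and '.CERBER' also match.
                ($RansomExtensions -contains $_.Extension) -or
                ($RansomNoteNames  -contains $_.Name)
            } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# DriveType 3 = fixed disk, 2 = removable; DMA Locker also encrypts plugged-in storage.
$Roots = Get-CimInstance -ClassName Win32_LogicalDisk |
    Where-Object { $_.DriveType -in 2, 3 } |
    ForEach-Object { $_.DeviceID + '\' }

$Hits = @(Find-RansomwareArtifacts -Roots $Roots)

if ($Hits.Count -gt 0) {
    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    $Hits | Export-Csv -Path $LogFile -Append -NoTypeInformation

    # Register the event source on first use (needs elevation, which SYSTEM has),
    # then write an Error event that a monitoring agent can alert on.
    if (-not [System.Diagnostics.EventLog]::SourceExists('RansomSweep')) {
        New-EventLog -LogName Application -Source 'RansomSweep'
    }
    Write-EventLog -LogName Application -Source 'RansomSweep' -EventId 9001 -EntryType Error `
        -Message ("Ransomware artifacts found ({0}):`n{1}" -f $Hits.Count, ($Hits.FullName -join "`n"))

    # A hit means encryption has already started on this machine; pulling it off
    # the network limits spread to mapped shares. Left opt-in because it also
    # cuts off remote management of the workstation.
    if ($Isolate) {
        Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false
    }
}
```

Two caveats a practitioner should keep in mind. First, this is detection, not prevention: by the time a .cerber file or a ransom note exists, files on that machine have already been encrypted, so the value of the sweep is in catching it early enough to isolate the host and stop it reaching network shares and backups. Second, matching on exact file names and extensions only catches the variants listed; a renamed note or a new extension passes the sweep, which is why it complements rather than replaces up-to-date anti-virus. To run it every 30 minutes, save the script and register it with New-ScheduledTaskAction, New-ScheduledTaskTrigger (-Once with -RepetitionInterval of 30 minutes) and Register-ScheduledTask as SYSTEM.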

If you have any questions or concerns about your network security, please call AM Data Service at 734-744-5300 to discuss additional security options.
