Cerber Ransomware

Verities
Any of you security nuts hear of breakthroughs or active projects on decrypting files affected by Cerber ransomware?

Comments

  • jcundiff
    https://noransom.kaspersky.com/

    may be your best bet
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • iBrokeIT
    I prefer https://www.nomoreransom.org/ but likely the same thing?

    Looks like you can even upload a sample and it'll detect the variant.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • Verities
    Thanks guys, I'll check this out.
  • beads
    So you now have a system with files rapidly developing the .cerber extension?

    Seeing crypto virii about once every other week.

    General rules.

    1.) Unplug from network but leave the power on - never reboot.

    2.) Use a brand new never used USB for any anti-malware products intended to clean the target (if any).

    3.) Forensics are your friend! If nothing else you can figure out the last 15 or so opened files from the registry. You can set this up to record more but what's the point. Gives you a starting point and with a little luck the infection point so you can send the file off to VirusTotal or nomoreransom.org, etc.

    4.) Learn to look for those early signs of infection and don't rely on your A/V to find it first. Look for new wallpaper(s) (Locky), extensions (.cerber, XXX, etc.). These malware are changing so fast that it's still taking new samples over a week to be submitted. See below for explanation.

    Yes, follow all the other advice about backing up, not opening strange attachments, etc. found on other sites. It's all good stuff as well.

    A week to submit new sample(s).

    The toughest one I have seen was an invoice scraped and copied from a real organization invoice. Doctored up, changed ever so slightly, put into a .zip and sent back to the same client as a "revised" invoice. We're talking a perfect match: ABA routing numbers, invoice number, etc. All in a shiny new .zip file. Problem was it also contained a new crypto-locker variant previously unseen. This one took some work to find as it was remote. A couple of days later I got all the information out of the registry and sent it off.

    Nasty piece of work but you can defeat these things if you catch them early in the propagation. Once you reboot the second time you're going to see the ransom pop up.

    Come to think of it, this would make for a good sub certification: "Early crypto detection" or some such.

    Good luck and assume this to be the new norm.

    - b/eads
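    The two "starting points" in the rules above (what the user opened last, and which files have already picked up the ransomware extension) can be pulled quickly from an isolated machine. The PowerShell below is an added example, not code from beads or from any tool named in the thread. It assumes you run it as the affected user from a clean USB stick with the network already unplugged; the RecentDocs key and the MRUListEx ordering it decodes are the standard Explorer locations, and the extension list defaults to .cerber only (the one extension the thread names) and is a parameter so you can add others.

```powershell
# Added example (not from the thread): triage starting points on an isolated Windows host.
# Run as the affected user; read-only apart from writing a report to the USB stick.

function Get-RecentDocsFromRegistry {
    # Explorer keeps the last-opened documents here as REG_BINARY values named "0", "1", ...
    # and an MRUListEx value that lists those indices most-recent-first, terminated by -1.
    param([string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs')

    if (-not (Test-Path $KeyPath)) { return @() }
    $key = Get-Item -Path $KeyPath

    # Decode each numbered value: the file name is a null-terminated UTF-16LE string at the start.
    $names = @{}
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName -notmatch '^\d+$') { continue }
        $bytes = $key.GetValue($valueName)
        if ($bytes -isnot [byte[]]) { continue }
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        $end = $text.IndexOf([char]0)
        $names[[int]$valueName] = if ($end -ge 0) { $text.Substring(0, $end) } else { $text }
    }

    # Walk MRUListEx (4-byte little-endian ints) to get most-recent-first order.
    $order = @()
    $mru = $key.GetValue('MRUListEx')
    if ($mru -is [byte[]]) {
        for ($i = 0; $i + 3 -lt $mru.Length; $i += 4) {
            $idx = [BitConverter]::ToInt32($mru, $i)
            if ($idx -eq -1) { break }
            $order += $idx
        }
    }
    if ($order.Count -eq 0) { $order = $names.Keys | Sort-Object }

    $rank = 0
    foreach ($idx in $order) {
        if ($names.ContainsKey($idx)) {
            [pscustomobject]@{ Rank = $rank; FileName = $names[$idx] }
            $rank++
        }
    }
}

function Find-RansomwareExtensions {
    # Files that already carry a ransomware extension; LastWriteTime clusters show how fast
    # encryption is spreading and roughly when it started.
    param(
        [string]$Root = $env:USERPROFILE,
        [string[]]$Extensions = @('.cerber'),   # assumption: extend with other known extensions
        [int]$RecentMinutes = 60
    )
    $cutoff = (Get-Date).AddMinutes(-$RecentMinutes)
    $lowered = $Extensions | ForEach-Object { $_.ToLowerInvariant() }

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $lowered -contains $_.Extension.ToLowerInvariant() } |
        Sort-Object LastWriteTime |
        Select-Object FullName, LastWriteTime,
            @{ Name = 'WithinWindow'; Expression = { $_.LastWriteTime -gt $cutoff } }
}

# Usage: write both lists to the USB stick so nothing new lands on the infected disk.
# $report = 'E:\triage'   # assumption: E: is the clean USB stick
# New-Item -ItemType Directory -Path $report -Force | Out-Null
# Get-RecentDocsFromRegistry   | Export-Csv "$report\recent-docs.csv" -NoTypeInformation
# Find-RansomwareExtensions    | Export-Csv "$report\encrypted-files.csv" -NoTypeInformation
```

    The RecentDocs list gives the candidate file to submit to VirusTotal or nomoreransom.org; the earliest LastWriteTime in the extension scan brackets when encryption began, which is the point beads makes about catching it during propagation rather than after the second reboot.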
  • Verities
    Beads, thanks for all the ideas and insight. This didn't occur on my work network; it happened to my wife's laptop while she was doing work-related duties remotely. She does pre-screens for applicants including reviewing resumes and cover letters. I asked her if any strange files or emails were received the day prior to the infection and she said there was a pdf doc that was password protected. The password was provided in the email and the email looked legitimate; unfortunately there was nothing in the "pdf", so I believe it wasn't a file but the ransomware package. I've seen other HR people get infections on their computers when I did tech support years ago and it was almost the same attack except it was a trojan.

    When I looked at her computer initially this past weekend, I turned off wifi and used a crap USB with some anti-malware software on it. Unfortunately, there were no backups present and from my research, this ransomware is so new, no one has come out with a way to decrypt the data. Paying the ransom was out of the question; I refuse to pay these criminals and propagate their business. I'll let the laptop sit there doing nothing, now that I've removed the infection. I will wait until someone offers a free way to decrypt the data.

    The failure of the situation was in two parts: lack of user training and poor email filtering. I told her boss, with whom we have a good relationship, that there has to be a better system in place because if this occurred on one of their actual work computers it could have been much worse, and since the attackers were successful once, they'll most likely send more malware to their HR email. She agreed and the one full-time IT guy is going to be notified about it. I also told her if the IT guy needs help implementing something or ideas on how to provide a more secure way for the job to be done, to call me.
  • gespenstern
    For the future either use some less popular viewer to review pdf files such as Foxit or pay attention to updating your Acrobat DC reader on time. Also make sure that her MS Office is updated as well.

    We had cerber a couple of times, a typical crypto ransomware, nothing fancy.

    IF she had UAC enabled (if not -- make sure that it's enabled for the future) and DID NOT agree with a privilege elevation message box when cerber suggested destroying her shadow copies, then I'm sure you can restore everything from shadow copies.

    Just make sure that you restore everything to another hard drive or flash drive and DO NOT put any more data on the source hard drive, as Windows can decide to destroy shadow copies on its own if it feels that the disk is running out of free space.
  • Verities
    The advice is much appreciated gespenstern. UAC is enabled on the laptop, but there's actually a file that tricks UAC into elevating privileges (unless UAC is set to the highest level), so it doesn't matter from that standpoint. However, there were never any backups done so there are no shadow copies, and if there were they were removed, since I couldn't find anything with Shadow Explorer.

  • gespenstern
    Well, feel sorry for your information loss. You can prove/refute that the shadow copies were destroyed by cerber, as the command the bad guys use here is either vssadmin with the delete shadows option or a wmic command which does the same. Both leave traces in the prefetcher log and unless it was rolled over already you can retrieve the command they used with Nir Sofer's LastActivityView, which is free, or another prefetcher forensics tool of your choice.

    I don't believe that a properly updated Windows 7 and higher wouldn't have any shadows, as they are created automatically on their own, whenever patches get installed and in some other cases, automatically without explicit user consent. A simple command to check for shadow copies' presence is vssadmin list shadows. The only exception here would be if the disk is almost full and doesn't have much free space left.

    Also, all cmd/bat/powershell commands could have been logged but this audit setting isn't default, so it's unlikely. I, however, recommend everyone to enable this type of auditing.
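    The three checks in this post (are there shadow copies, did vssadmin or wmic run, and is command-line auditing turned on for next time) fit in one script. This PowerShell is an added example, not gespenstern's code or LastActivityView's; it assumes an elevated prompt on the affected machine. The prefetch files only show that VSSADMIN.EXE or WMIC.EXE executed and when, not the arguments; the arguments come from Security event 4688 once the process-creation audit setting below is enabled, which is why that setting is worth turning on before the next incident.

```powershell
# Added example (not from the thread): shadow-copy forensics and audit hardening.
# Run from an elevated PowerShell prompt; vssadmin and auditpol need admin rights.

function Get-ShadowCopySummary {
    # Wraps the "vssadmin list shadows" check and cross-checks via CIM; a count of 0 on a
    # patched Windows 7+ box with free space is itself suspicious.
    $raw = & vssadmin.exe list shadows 2>&1 | Out-String
    $vssCount = ([regex]::Matches($raw, 'Shadow Copy ID:')).Count
    $cimCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{
        VssadminCount = $vssCount
        CimCount      = $cimCount
        RawOutput     = $raw
    }
}

function Get-ShadowDeletionPrefetchTraces {
    # Prefetch entries for the two tools used to delete shadow copies. LastWriteTime is
    # updated on each run, so it approximates the most recent execution.
    param([string]$PrefetchDir = "$env:SystemRoot\Prefetch")
    foreach ($pattern in 'VSSADMIN.EXE-*.pf', 'WMIC.EXE-*.pf') {
        Get-ChildItem -Path $PrefetchDir -Filter $pattern -ErrorAction SilentlyContinue |
            Select-Object Name, CreationTime, LastWriteTime
    }
}

function Find-ShadowDeletionEvents {
    # Only useful if process-creation auditing with command line was already on (Event 4688).
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)vssadmin|wmic' -and $_.Message -match '(?i)shadow' } |
        Select-Object TimeCreated,
            @{ Name = 'CommandLine'; Expression = {
                ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line' }) -join ' '
            } }
}

function Enable-CommandLineAuditing {
    # Turns on the non-default auditing gespenstern recommends: 4688 events that include the
    # full command line, plus PowerShell script block logging (Event 4104 in the PowerShell log).
    & auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    $psKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $psKey)) { New-Item -Path $psKey -Force | Out-Null }
    Set-ItemProperty -Path $psKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# Usage on the affected machine (read-only checks first, then the hardening step):
# Get-ShadowCopySummary | Format-List VssadminCount, CimCount
# Get-ShadowDeletionPrefetchTraces | Format-Table
# Find-ShadowDeletionEvents | Format-Table -Wrap
# Enable-CommandLineAuditing
```

    A VSSADMIN.EXE prefetch file whose LastWriteTime sits inside the encryption window from the file-timestamp triage, together with a shadow-copy count of zero, is the evidence for "cerber deleted them"; a missing prefetch file with zero shadows points instead at the low-disk-space case mentioned above.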
  • TechGromit
    Would not having administrator privileges to the computer offer some protection from ransomware? Wouldn't the ransomware just encrypt the files under the user's profile, leaving the other profiles and system files alone?
    Still searching for the corner in a round room.
  • gespenstern
    The only big thing for ransomware authors is deleting shadow copies and it requires admin rights and pops up UAC escalation box even if a user is an admin.

    I never saw them encrypting files in other user profiles, but probably I just didn't pay attention, as the vast majority of infections happen on endpoints and I'm yet to see our Citrix farms getting infected with it; in this case it could present a problem, but of course everybody except Citrix and infrastructure admins is a user on a Citrix host...

    And they almost never encrypt system files, so it is of no help, they want to lock user's data, not system files. The exception is Petya which requires admin rights as it encrypts MFT and MFTmirror.

    So more or less revoking admin rights does little to prevent this from happening.
  • NetworkNewb
    The only big thing for ransomware authors is deleting shadow copies and it requires admin rights and pops up UAC escalation box even if a user is an admin.

    I thought I heard somewhere the new ransomware encrypts the shadow copies as well (I could be wrong with that though, just thought I heard that somewhere).

    I actually haven't seen a ransomware infection in a while, and when I did, I just restored the shadow copies.