Cerber ransomware talks to its victims

A new crypto ransomware, dubbed Cerber by its creators, has recently started targeting Windows users.

Cerber ransom note

The malware is relatively new, and its delivery method is still unknown, but according to Bleeping Computer‘s Lawrence Abrams, there are a couple of things that make it stand out from the other ransomware out there.

For one, it forces the computer to restart (while showing weirdly worded fake system shutdown alerts), then reboots into Safe Mode with Networking. Once the victim logs in, the malware reboots the system again, now in normal mode. Once the computer is up and running again, Cerber starts to encrypt files.

Secondly, one of the ransom notes it creates contains a VBScript, which results in the computer playing a voice message saying “Attention! Your documents, photos, databases and other important files have been encrypted!” repeatedly.

Aside from this, Cerber is like most ransomware:

  • It encrypts a wide variety of files on the system, unmapped Windows and network shares with AES-256 encryption, and appends the .cerber extension to them
  • Avoids infecting users in the majority of the post-Soviet states
  • Shows ransom notes with instructions on how to perform the payment (it initially asks for 1.24 Bitcoin), and offers the possibility to decrypt one file as a show of good faith.

Another interesting thing is that, according to cyber intelligence firm SenseCy, Cerber is not being propagated by its developers. Instead, they are offering it “as a Service” to visitors of a closed underground Russian forum.

This means that those who want to try their hand at ransomware-based cybercrime can use Cerber for free, but must give part of each ransom payment they receive to the malware creators.

So far, there is no way for victims to decrypt the files themselves, so they have to either pay the price and hope the criminals will send them the decryption key, or resign themselves to losing the files forever.

That’s, of course, if they don’t back up their files regularly. If they do, they can simply clean their machines (or have them cleaned), and restore the files from the most recent backup.