Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files
Possibly to maximize the earning potential of Cerber’s developers and their affiliates, the ransomware incorporated a routine with heavier impact on businesses: encrypting database files. These repositories of organized data enable businesses to store, retrieve, sort, analyze, and manage pertinent information. When utilized effectively they help maintain the organization’s efficiency, so holding these mission-critical files hostage can adversely affect the business’s operations and bottom line.
A known ransomware peddled as a turnkey service to budding cybercriminals, Cerber has metamorphosed into a myriad of versions throughout its lifecycle. It picked up more tricks along the way, some of which include integrating a DDoS component, using double-zipped Windows Script Files, leveraging a cloud productivity platform, and even serving as a secondary payload for an information-stealing Trojan.
The ransomware’s constant updates also reflect how active its developers are, and how its distributors see it as a lucrative business. An earlier version was updated to 4.1.5 within a day, for instance. Cerber’s developers, who rake in 40% in commissions from affiliates, earned almost $200,000 in July this year alone.
Figure 1. Compared to other variants, Cerber 4.1.5 demands a cheaper ransom amount.
Encryption of database files is not unique to Cerber. The first half of 2016 saw the emergence of families such as crypJOKER (RANSOM_CRYPJOKER.A), SURPRISE (RANSOM_SURPRISE.A), PowerWare (RANSOM_POWERWARE.A), and Emper (Ransom_EMPER.A) that included database-related extensions to their list of files to encrypt. Some of these include files from dBASE (.dbf), Microsoft Access (.accdb), Ability Database (.mdb) and OpenOffice (.odb). Given how crucial database files are for enterprises, adding them to Cerber’s list of file types to encrypt can be seen as its developers’ way to make ransom payment more urgent and expedient for the victims.
Cerber 4.1.0, 4.1.4, and 4.1.5, like its other variants (Ransom_CERBER.CAD, Ransom_CERBER.A), is coded to steer clear of devices and systems configured in certain languages. It calls the GetKeyboardLayoutList API to retrieve the keyboard layouts (input languages) set on the system, and the ransomware terminates itself if it detects any of these languages: Russian, Ukrainian, Belarusian, Tajik, Armenian, Azeri Latin, Georgian, Kazakh, Kyrgyz Cyrillic, Turkmen, Uzbek Latin, Tatar, Romanian Moldova, Russian Moldova, Azeri Cyrillic, and Uzbek Cyrillic. Our monitoring bears out this behavior: from March to mid-November this year, most Cerber detections were observed in the U.S., Taiwan, Germany, Japan, Australia, China, France, Italy, Canada, and South Korea.
Figure 2. Sample Cerber-toting spam email
Infection Vectors/Distribution
The infection vector for one of the latest samples we analyzed is spam email that spoofs an online payment service provider, exploiting user trust with notifications that the recipient’s credit line has been exceeded. Recipients of the spam email are then prodded to authenticate their accounts.
The spam email has two ways of successfully infecting the system: a malicious link that downloads the ransomware, and a .zip file containing malicious JavaScript. Other spam emails we saw posed as an invoice whose attachments are randomly named Word documents embedded with a malicious macro that downloads and helps execute the ransomware. Cerber’s operators are also known to employ exploit kits—Rig, Neutrino and Magnitude—for further distribution.
Figure 3. Cerber’s latest version is configured to also infect RAM disks
Database File Encryption
Aside from encrypting files on fixed and removable drives, Cerber infects files on shared network folders. Interestingly, Cerber also targets files stored on RAM disks, which are blocks of memory dedicated and configured to act as storage.
Delving into how Cerber encrypts database-related files, we found that this specific routine was already present in versions as early as 4.0, which we’ve seen delivered by the Pseudo-Darkleech campaign. Cerber also keeps a list of file paths to skip during encryption—including Microsoft SQL Server and email clients. If the database server is directly mapped to a shared folder, however, Cerber will encrypt files saved on it.
Cerber also terminates database software-related processes before running its encryption routine. This ensures the files can be encrypted, since the OS blocks write access to a database file while the process that holds it open is still running. Cerber 4.1.5’s configuration file has a long list of file types to encrypt, including those from Microsoft Access, Oracle, MySQL, and SQL Server Agent, as well as files related to accounting, payroll, and healthcare database software. Comparison of the configuration files of Cerber 4.1.0, 4.1.4 and 4.1.5 also showed that the variants seek the same database-related files.
| Programs Associated with the File Extension | Extensions |
|---|---|
| Microsoft Access | .accdb, .accde, .accdr, .accdt, .adp, .odc |
| Alpha Five, Ability Database | .adb |
| Advantage Database Server, Progress Database | .ai |
| Oracle | .al |
| Backup copy | .bak |
| Microsoft Works, Blaise Database | .bdb |
| Cardscan card database, Pocket Access, Database, Borland Turbo C main database file, Symbian OS contact database file, Cleaner trojan database file | .cdb |
| SQLite 3 File | .cls |
| Comma-separated Value | .csv |
| Clarion | .dat |
| ANSYS, Arcview, dBASE IV, dBFast, iRiver Plus3 | .db |
| MSQLite Database | .db_journal |
| dBASE III, SQLite | .db3 |
| CBDF, iAnywhere, AlphaFive, ACT!, Psion Series 3, NovaBACKUP | .dbf |
| Database Index | .dbx |
| EstImage Database, Euphoria Database System | .edb |
| Ruby SQL File | .erbsql |
| Fiasco Database, FlexyTrans Database, FlukeView Database, Firebird Database, FoxPro Database, Legacy Family Tree Database, Navison Financials Database, FeedDemon SQLite Data File | .fdb |
| IDEA! Project Management Database | .ibd |
| MySQL InnoDB | .ibz |
| Symantec Q&A Relational Database | .idx |
| KeePass Password Database | .kdbx |
| Kaspersky Virus Database | .kdc |
| SQLite | .litesql |
| Database Index | .mbx |
| NEi Nastran Modal Database, Microsoft Access | .mdb |
| IBM Powerplay | .mdc |
| SQL Server Master Database | .mdf |
| MySQL Database | .myd |
| Lotus Notes Database | .ns2, .ns3, .ns4, .nsf, .nsg, .nsh |
| NRG Site Database | .nsd |
| NexusDB Database | .nx2 |
| Mybase Database | .nyf |
| Organizers Database, Arcview Object Database | .odb |
| Palm OS Database, Pegasus Database, QuickPOS Database, Visual C++/.NET Program Database, BGBlitz Position Database, Martini Personal Database | .pdb |
| PostgreSQL | .pdd |
| Password Safe Database | .psafe3 |
| Redis Database, Oracle, Value Navigator Database, Darkbot Random Database, Zonealarm Mailsafe Database, OpenOffice Database | .rdb |
| SQLite 3.0 Database | .s3db |
| Windows Compatibility Solution Database, yEncExpress Database, Windows Security Database, SideKick 2 Database, Summer Camp Scheduler Database, Windows 2000 Security Configuration and Analysis Database, SQLite Database, OpenOffice Base Database, ServerBoss Database, AutoDesk Survey Database, AutoCAD Civil 3D Survey Database | .sdb |
| Microsoft SQL | .sdf |
| Structured Query Language Data | .sql |
| SQLite Database | .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal |
| Concordance Full Text Database | .tex |
| User Database | .usr |
Figure 4. Folders skipped by Cerber during encryption
Figure 5. Snapshot of processes terminated by Cerber
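The two behaviours described above (database processes are killed first, then database files are rewritten) chain into a usable detection signal. The following added example, which is not code from the original post, correlates the two in a small Python script: it flags a PID that terminated a database process and then wrote to several files carrying the extensions from the table. The pipe-delimited log format, the process image names and the sample events are constructed for the example.

```python
import os
from collections import defaultdict

# Extensions taken from the Cerber 4.1.5 table above (a subset keeps the block short).
DB_EXTENSIONS = {".accdb", ".mdb", ".mdf", ".myd", ".ibd", ".dbf", ".db", ".fdb",
                 ".sqlite", ".sqlite3", ".sql", ".kdbx", ".nsf", ".odb", ".rdb"}
# Database images whose termination is worth correlating; these names are an assumption
# for the example, the post only says "database software-related processes".
DB_PROCESSES = {"sqlservr.exe", "mysqld.exe", "oracle.exe", "msaccess.exe"}

# Constructed telemetry in a simplified "unix_ts|event|pid|image|target" form, not real logs.
SAMPLE_LOG = r"""
1000|ProcessTerminate|4242|C:\Temp\payload.exe|sqlservr.exe
1001|FileWrite|4242|C:\Temp\payload.exe|\\fileserver\finance\ledger.mdf
1002|FileWrite|4242|C:\Temp\payload.exe|\\fileserver\finance\payroll.accdb
1003|FileWrite|4242|C:\Temp\payload.exe|D:\data\customers.dbf
1004|FileWrite|4242|C:\Temp\payload.exe|D:\data\mail.nsf
1005|FileWrite|4242|C:\Temp\payload.exe|D:\data\app.sqlite
1006|FileWrite|4242|C:\Temp\payload.exe|D:\data\readme.txt
1010|FileWrite|3100|C:\Backup\backup.exe|D:\data\customers.dbf
1020|ProcessTerminate|2200|C:\Windows\System32\services.exe|sqlservr.exe
1021|FileWrite|2200|C:\Windows\System32\services.exe|D:\data\app.sqlite
"""

def parse(text):
    """Yield events as dicts; malformed lines are skipped instead of crashing the detector."""
    for raw in text.splitlines():
        parts = raw.strip().split("|", 4)
        if len(parts) == 5 and parts[0].isdigit():
            yield dict(zip(("ts", "event", "pid", "image", "target"), parts))

def db_extension(path):
    """Extension of a Windows path (UNC or drive letter), lower-cased, e.g. '.mdf'."""
    return os.path.splitext(path.rsplit("\\", 1)[-1].lower())[1]

def detect(text, min_files=5, window=60):
    """Return {pid: sorted db files} for PIDs that terminated a database process and then
    wrote at least min_files distinct database files within window seconds of the kill."""
    killed_at = {}              # pid -> timestamp of its first DB-process termination
    touched = defaultdict(set)  # pid -> database files it wrote after that termination
    for ev in parse(text):
        pid, ts = ev["pid"], int(ev["ts"])
        if ev["event"] == "ProcessTerminate" and ev["target"].lower() in DB_PROCESSES:
            killed_at.setdefault(pid, ts)
        elif ev["event"] == "FileWrite" and pid in killed_at and ts - killed_at[pid] <= window:
            if db_extension(ev["target"]) in DB_EXTENSIONS:
                touched[pid].add(ev["target"])
    return {pid: sorted(f) for pid, f in touched.items() if len(f) >= min_files}
```

In the sample, only PID 4242 is flagged: the backup job never killed a database process, and the service restart by PID 2200 touched a single file, which stays below the threshold.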
Mitigation
Ransomware’s evolving tactics, techniques and procedures signal a shift towards attacks on businesses of all sizes, which can disrupt operations and raise downtime expenses. Regularly backing up important corporate assets can mitigate Cerber’s adverse effects. Many ransomware variants also leverage privileged/administrator accounts to run their malicious routines, such as terminating processes, so a sound privilege management policy helps limit the malware’s entry points for infection. Users and businesses can also benefit from a multilayered approach to security—from the gateway, endpoints, networks, and servers.
TippingPoint customers are protected from Cerber attacks with this MainlineDV filter:
- ThreatDV 25841: UDP: Ransom_HPCERBER.SM6 (Cerber) Checkin
PROTECTION FOR ENTERPRISES
- Email and Gateway Protection: Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web. Capabilities: spear phishing protection, malware sandbox, IP/web reputation, document exploit detection.
- Endpoint Protection: Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level. Capabilities: ransomware behavior monitoring, application control, vulnerability shielding, web security.
- Network Protection: Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. Capabilities: network traffic scanning, malware sandbox, lateral movement prevention.
- Server Protection: Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. Capabilities: webserver protection, vulnerability shielding, lateral movement prevention.
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
- Protection for Small-Medium Businesses: Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. Capabilities: ransomware behavior monitoring, IP/web reputation.
- Protection for Home Users: Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. Capabilities: IP/web reputation, ransomware protection.
Indicators of Compromise (IoCs):
Additional analysis/insights by Joseph C. Chen, Jon Oliver, and Chloe Ordonia
Post from: Trendlabs Security Intelligence Blog – by Trend Micro