Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files

Possibly to maximize the earning potential of Cerber’s developers and their affiliates, the ransomware incorporated a routine with heavier impact to businesses: encrypting database files. These repositories of organized data enable businesses to store, retrieve, sort, analyze, and manage pertinent information. When utilized effectively they help maintain the organization’s efficiency, so holding these mission-critical files hostage can adversely affect the business’s operations and bottom line.

A known ransomware peddled as a turnkey service to budding cybercriminals, Cerber has metamorphosed into a myriad of versions throughout its lifecycle. It picked up more tricks along the way, some of which include integrating a DDoS component, using double-zipped Windows Script Files, and leveraging a cloud productivity platform, even serving as secondary payload for an information-stealing Trojan.

The ransomware’s constant updates also reflect how active its developers are, and how its distributors see it as a lucrative business. An earlier version was updated to 4.1.5 within a day, for instance. Cerber’s developers, who rake in 40% in commissions from affiliates, earned almost $200,000 in July this year alone.


Figure 1. Compared to other variants, Cerber 4.1.5 demands a cheaper ransom amount.

 

Encryption of database files is not unique to Cerber. The first half of 2016 saw the emergence of families such as crypJOKER (RANSOM_CRYPJOKER.A), SURPRISE (RANSOM_SURPRISE.A), PowerWare (RANSOM_POWERWARE.A), and Emper (Ransom_EMPER.A) that included database-related extensions to their list of files to encrypt. Some of these include files from dBASE (.dbf), Microsoft Access (.accdb), Ability Database (.mdb) and OpenOffice (.odb). Given how crucial database files are for enterprises, adding them to Cerber’s list of file types to encrypt can be seen as its developers’ way to make ransom payment more urgent and expedient for the victims.

Cerber 4.1.0, 4.1.4, and 4.1.5, like its other variants (Ransom_CERBER.CAD, Ransom_CERBER.A), is coded to steer clear of devices and systems configured in certain languages. It uses the API, GetKeyboardLayoutList, to retrieve the languages set, and the ransomware terminates itself if it detects any of these languages: Russian, Ukranian, Belarusian, Tajik, Armenian, Zeri Latin, Georgian, Kazakh, Krygyz Cyrillic, Turkmen, Uzbek Latin, Tatar, Romanian Moldova, Russian Moldova, Azeri Cyrillic, and Uzbek Cyrillic. Our monitoring bear out this behavior: from March to mid-November this year, most of Cerber detections were observed in the U.S., Taiwan, Germany, Japan, Australia, China, France, Italy, Canada, and South Korea.


Figure 2. Sample Cerber-toting spam email

 

Infection Vectors/Distribution

The infection vector for one of the latest samples we analyzed is spam email that spoofs an online payment service provider, exploiting user trust with notifications of exceeded credit line. Recipients of the spam email are then prodded to authenticate their accounts.

The spam email has two ways of successfully infecting the system: a malicious link that downloads the ransomware, and a .zip file containing malicious JavaScript. Other spam emails we saw posed as an invoice whose attachments are randomly-named Word documents embedded with a malicious macro that downloads and helps execute the ransomware. Cerber’s operators are also known to employ exploit kits—Rig, Neutrino and Magnitude—for further distribution.


Figure 3. Cerber’s latest version is configured to also infect RAM disks

 

Database File Encryption

Aside from encrypting files on fixed and removable drives, Cerber infects files on shared network folders. Interestingly, Cerber also targets files stored on RAM disks, which are memory modules dedicated and configured for storage.

Delving into how Cerber encrypts database-related files, we found that this specific routine was already present in versions as early as 4.0, which we’ve seen delivered by the Pseudo-Darkleech campaign.  Cerber also keeps a list of file paths to skip during encryption—including Microsoft SQL Server and email clients. If the database server is directly mapped to a shared folder, however, Cerber will encrypt files saved on it.

Cerber also terminates database software-related processes before running its encryption routine. This ensures encryption of the files, as the system’s OS blocks write access to the file if they are already running. Cerber 4.1.5’s configuration file has a long list of file types to encrypt, including those from Microsoft Access, Oracle, MySQL, and SQL Server Agent, as well as files related to accounting, payroll, and healthcare database software. Comparison of the configuration files of Cerber 4.1.0, 4.1.4 and 4.1.5 also showed that the variants seek the same database-related files.

Programs Associated with the File Extension Extensions
Microsoft Access .accdb, .accde, .accdr, .accdt, .adp, .odc
Alpha Five, Ability Database adb
Advantage Database Server, Progress Database .ai
Oracle .al
Backup copy .bak
Microsoft Works, Blaise Database .bdb
Cardscan card database, Pocket Access, Database, Borland Turbo C main database file, Symbian OS contact database file, Cleaner trojan database file .cdb
SQLite 3 File .cls
Comma-separated Value .csv
Clarion .dat
ANSYS, Arcview, dBASE IV,dBFast, iRiver Plus3 .db
MSQLite Database .db_journal
dBASE III, SQLite .db3
CBDF, iAnywhere, AlphaFive, ACT!, Psion Series 3, NovaBACKUP .dbf
Database Index .dbx
EstImage Database, Euphoria Database System .edb
Ruby SQL File .erbsql
Fiasco Database, FlexyTrans Database, FlukeView Database, Firebird Database, FoxPro Database, Legacy Family Tree Database, Navison Financials Database, FeedDemon SQLite Data File .fdb
IDEA! Project Management Database .ibd
MySQL InnoDB .ibz
Symantec Q&A Relational Database .idx
KeePass Password Database .kdbx
Kaspersky Virus Database .kdc
SQLite .litesql
Database Index .mbx
NEi Nastran Modal Database, Microsoft Access .mdb
IBM Powerplay .mdc
SQL Server Master Database .mdf
MYSQL Database .myd
Lotus Notes Database .ns2, .ns3, .ns4, .nsf, .nsg, .nsh
NRG Site Database .nsd
NexusDB Database .nx2
Mybase Database .nyf
Organizers Database, Arcview Object Database .odb
Palm OS Database, Pegasus Database, QuickPOS Database, Visual C++/.NET Program Database,BGBlitz Position Database, Martini Personal Database .pdb
PostGRESQL .pdd
SQL Server Master Database .mdf
Password Safe Database .psafe3
Redis Database, Oracle, Value Navigator Database, Darkbot Random Database, Zonealarm Mailsafe Database, OpenOffice Database .rdb
SQLite 3.0 Database .s3db
Windows Compatibility Solution Database, yEncExpress Databas, Windows Security Database, SideKick 2 Database, Summer Camp Scheduler Database, Windows2000 Security Configuration and Analysis Database, SQLite Database, OpenOffice Base Database, ServerBoss Database, AutoDesk Survey Database, AutoCAD Civil 3d Survey Database .sdb
Microsoft SQL .sdf
Structured Query Language Data .sql
SQLite Database .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal
Concordance Full Text Database .tex
User Database .usr

 


Figure 4. Folders skipped by Cerber during encryption


Figure 5. Snapshot of processes terminated by Cerber

Mitigation

Ransomware’s evolving tactics, techniques and procedures are signaling a shift towards attacks to businesses of all sizes that can lead to disruption to operations and higher downtime expenses. Regularly backing up important corporate assets can mitigate Cerber’s adverse effects. Many ransomware variants also leverage privileged/administrator accounts to run their malicious routines, such as terminating processes, so a sound privilege management policy helps limit the malware’s entry points for infection. Users and businesses can also benefit from a multilayered approach to security—from the gateway, endpoints, networks, and servers.

TippingPoint customers are protected from Cerber attacks with this MainlineDV filter:

  • ThreatDV 25841: UDP: Ransom_HPCERBER.SM6 (Cerber) Checkin

PROTECTION FOR ENTERPRISES

  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

 

Indicators of Compromise (IoCs):
Cerber dropped via malicious sites:
hxxp://martialartmuscle.com/wp-includes/images/media/css/fx.exe

Cerber dropped by exploit kits:
0a6ec6a46e66863e48a05058963d9babf2c2b911 — Cerber 4.1.0
fddb48d4910adc0aa75b9529a90e11dac62c41ce — Cerber 4.1.1
620dca44514ee1d440867285bbb2a73a35303876 — Cerber 4.1.3
8185e5477e29b1095f5fc42197baddac56fb44d2 — Cerber 4.1.4
317b1dea823f942061f1f8c6612ef745704c9962 — Cerber 4.1.5

Cerber dropped via spam emails:
cc8f31bb926f862b3c5360e33c32134b871008de — Ransom_CERBER.F116K8 (Cerber 4.1.5)
9d48589dc1e202847980004f8290cd12289f7a5c — Ransom_CERBER.F116K7 (Cerber 4.1.3)
66c9ccca850929f1d4b7b07cb5dd0be4a50a73f7 — Cerber 4.1.0

Websites accessed by HTML files that Cerber drops in the system:
hxxp://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt
hxxp://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt
hxxps://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt

66c9ccca850929f1d4b7b07cb5dd0be4a50a73f7 — Ransom_HPCERBER.SM6
aa3fc1d5a79e1d43165b5556bae2669fd68455508bb667a457fa3dfd25b6222e (SHA256) — Ransom_HPCERBER.SM6

Malware accomplice:
hxxp://xrhwryizf5mui7a5.15ktsh.top/
hxxp://xrhwryizf5mui7a5.uhi7to.bid/
hxxp://xrhwryizf5mui7a5.onion.to/
hxxp://vyohacxzoue32vvk.onion/

Additional analysis/insights by Joseph C. Chen, Jon Oliver, and Chloe Ordonia

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files

Read more: Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files

Incoming search terms

Story added 22. November 2016, content source with full text you can find at link above.