As with most other strains of ransomware, Cerber ransomware will encrypt your files, and hold them hostage until a ransom is paid, usually in bitcoin. Once the ransom has been paid, the threat actors will provide the victim with a decryption key, which will unlock their files, assuming they deliver on their promise.
The Cerber strain, which was discovered in late February 2016, has now been integrated into a ransomware-as-a-service (RaaS) model, which allows novice cyber-criminals to launch their own ransomware attacks, for a fee.
With some strains of ransomware, it is possible to obtain a decryption key via online tools, free of charge. However, there is currently no Cerber ransomware decryption tool available, which emphasizes the need for more robust preventative measures.
How Does Cerber Ransomware Work?
Cerber typically arrives via phishing emails with malicious attachments. The first example of a Cerber ransomware attack used malicious Microsoft Word documents to deliver the payload. However, other methods of delivery, such as malicious websites and malvertising, can also be used to infect the victim’s device.
Once infected, Cerber will begin encrypting the victim’s files, including files stored on unmapped network shares. The victim will then be presented with a ransom note, which will also specify which payment methods they can use to pay the ransom.
Newer versions of Cerber also provide the ransom note as an audio file, which is installed on the victim’s Desktop, and inside the folders storing the encrypted files. In most cases, the ransom payment is made in bitcoin (currently 1.24 BTC), and the victim is requested to use the Tor browser to make the payment.
It’s also worth noting that the ransom amount changes over time. In other words, the longer the victim waits to pay the ransom, the more they will be asked to pay.
How To Recover From A Cerber Ransomware Attack
If you have fallen victim to a Cerber ransomware attack, it is generally a good idea to disconnect your device from the network, and then try to remove the malicious program.
To do this, you will need to restart your computer in Safe Mode with Networking. This will limit the functionality of your computer, although you will still be allowed to perform malware scans, reset credentials, install patches, restore “Shadow Copies” (if you have them), and any other relevant operations.
Of course, simply removing the ransomware application won’t help you restore your files. However, hopefully, you can restore your data from a backup. As always, you should avoid paying the ransom at all costs, as there’s no guarantee that the attacker will deliver on their promise to unlock your files.
And let’s not forget, the main reason ransomware still exists is precisely because people continue to pay the ransom.
How To Prevent A Cerber Ransomware Attack
Our employees are our first line of defense against ransomware attacks. As such, they must be trained to identify suspicious emails, which includes checking the sender’s address before opening the email and being suspicious of any links and attachments inside the email. Employees must also be trained to report anything suspicious to the relevant personnel. In addition to security awareness training, we should also implement the following safeguards.
Regular & secure backups
We must always be prepared to recover our files at a moment’s notice. Backups should be taken regularly, and be stored off-network to ensure that they do not get encrypted as well.
Patches & updates
It is crucial that all software, including your operating system and anti-virus software, is patched in a timely and controlled manner, in order to remove any critical vulnerabilities which cybercriminals can exploit. Consider using an automated and centralized patch management solution.
Software Restriction Policies
If you are using Group Policy, you can set up Software Restriction Policies that can prevent certain users from installing certain types of applications, such as .EXE files or Word Documents.
Automation
Once the Cerber ransomware application has been executed, without automation, there is little you can do to prevent it from encrypting your files and moving laterally throughout your network.
Many real-time data-centric auditing solutions can automatically detect and respond to events that match a pre-defined threshold condition. For example, if x number of files have been copied or encrypted within a given time frame, a custom script can be executed which can prevent the attack from spreading.
This might include disabling accounts, shutting down the execution of certain processes, adjusting the firewall settings, or simply shutting down the affected server(s). Other solutions, such as SIEM, IPS, and DLP solutions can help to identify and block anomalous network traffic (amongst other things), which in turn will help to prevent the Cerber script from communicating with the attacker’s Command & Control (C&C) server.
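One way to implement the threshold rule described above, as an added Python example that is not Lepide's product code or any vendor's: it runs a sliding-window count of distinct files modified per user over a constructed audit log and returns an alert for each account that crosses the threshold. The log format, the `detect_bursts` function and the threshold values are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): one event per line,
# "<ISO timestamp> <user> <action> <path>", already in time order.
# alice edits two files normally; bob's account rewrites 25 files in 25 seconds,
# the burst pattern an encrypting process produces on a share.
SAMPLE_LOG = "\n".join(
    ["2016-03-01T09:00:00 alice WRITE \\\\fs01\\finance\\q1.xlsx",
     "2016-03-01T09:05:00 alice WRITE \\\\fs01\\finance\\q2.xlsx"]
    + [f"2016-03-01T09:10:{i:02d} bob WRITE \\\\fs01\\hr\\doc{i}.docx"
       for i in range(25)]
)

THRESHOLD = 20                  # distinct files modified by one user ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window (assumed values)

def parse_line(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one (user, timestamp, distinct_files) alert per user whose
    WRITE/RENAME events touch `threshold` distinct files inside `window`."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, path)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ts, user, action, path = parse_line(line)
        if action not in ("WRITE", "RENAME"):   # reads and deletes are not the signal here
            continue
        events = recent[user]
        events.append((ts, path))
        while events and ts - events[0][0] > window:   # drop events older than the window
            events.popleft()
        distinct = len({p for _, p in events})
        if distinct >= threshold and user not in flagged:
            flagged.add(user)     # fire once per user; the response script takes it from here
            alerts.append((user, ts, distinct))
    return alerts

if __name__ == "__main__":
    for user, ts, n in detect_bursts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} modified {n} files within {WINDOW.seconds}s")
```

The alert tuple is the hand-off point: the response script (disabling the account, killing the process, isolating the server) consumes the user and timestamp rather than the raw events.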
If you’d like to see how Lepide can help you prevent ransomware attacks, schedule a demo with one of our engineers.