<\/p>\n
Cerber is especially prevalent in the US, Asia, and Western Europe.<\/p>\n
However, infections occur across the globe, and the following heat map demonstrates the geographical spread of infected machines: <\/p>\n Cerber can enter your system or PC either through downloaders from spam email or exploits<\/a> on malicious or compromised sites.<\/p>\n When delivered via spam, we\u2019ve seen the use of both macros and OLE objects to deliver Cerber. We described how malware authors can maliciously use OLE in our blog “Where\u2019s the macro?<\/a>“, and we\u2019ve previously talked about how macros have been used to deliver malware<\/a> (although new features in Office 2016<\/a> has seen a decrease in macro-based malware).<\/p>\n In this case, we\u2019ve seen malicious files using VisualBasic Script (VBS) and JavaScript to download Cerber from a command and control (C2) server. We\u2019ve also seen malicious macros both downloading Cerber, and dropping VBS scripts that then download Cerber.<\/p>\n The other infection vector \u2013 exploit kits \u2013 occurs when a user visits a malicious or compromised website that hosts an exploit kit. The exploit kit checks for vulnerabilities on the PC, and tailors an infection to target those vulnerabilities. This allows the exploit kit to download Cerber onto the PC.<\/p>\n Neutrino<\/a>, Angler, and Magnitude<\/a> exploit kits have been identified as distributing Cerber.<\/p>\n <\/p>\n As with most other encryption ransomware, Cerber encrypts files and places \u201crecovery\u201d instructions in each folder. Cerber provides the instructions both as .html and .txt formats, and replaces the desktop wallpaper.<\/p>\n Cerber, however, also includes a synthesized audio message.<\/p>\n We described the Cerber infection process in detail in our blog “The three heads of the Cerberus-like Cerber ransomware<\/a>“.<\/p>\n <\/p>\n Note that the ransom message now makes claims about Cerber attempting to help make the Internet a safer place, and they don\u2019t mention the payment of fees or ransom to decrypt your files.<\/p>\n Upon investigation, however, we have determined (as of July 8, 2016) that they are asking for a ransom in the form of bitcoins, as shown in the following screenshot of the Tor webpage:<\/p>\n <\/p>\n The Cerber desktop wallpaper has also been updated:<\/p>\n \u00a0<\/em><\/p>\n To help stay protected:<\/p>\n In the Office 365 blog\u00a0“How to deal with ransomware<\/a>“, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10<\/a> and System Restore in Windows 7<\/a>.<\/p>\n You can also use OneDrive and SharePoint to backup and restore your files:<\/p>\n
![\"Map](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/heatmap.png\")
<\/a><\/p>\nCerber infection chain<\/h2>\n
<\/a><\/p>\nCerber updates<\/h2>\n
<\/a>There have been some updates to this family, however, including a much more detailed description of how ransomware encryption works, and how users can recover their files.<\/p>\n<\/a><\/p>\n<\/a><\/p>\nPrevention<\/h2>\n
\n
Detection<\/h2>\n
\n
Recovery<\/h2>\n
\n