The attack starts with a text-to-speech (TTS)\u00a0synthesized recording of a text message:<\/p>\n
- \n
- Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!<\/li>\n<\/ul>\n
While it’s not terribly original, originality doesn’t count for much in malware circles – if something works (that “something” usually forcing victims to pay money or lose data), then everyone just jumps on the bandwagon and before you know it, bam macros are being used to deliver malware<\/a>.<\/p>\n
So perhaps expect to see a lot more synthesized, robotic-sounding messages making the rounds, attempting to steal your data and money.<\/p>\n
The use of audio files as part of a ransomware attack isn’t particularly new, Tobfy was doing it way back in 2014<\/a>, but the rise of TTS through the popularity of Cortana, Siri, and Android Now might see a new (easier) way for ransomware authors to annoy their victims into paying, if only to quiet the constant TTS announcement at every logon.<\/p>\n
In Cerber’s case, it uses a VisualBasic Script (.vbs file) to call the Microsoft Speech API (SAPI) SpVoice.Speak method at every start up.<\/p>\n
![\"VB](\"http:\/\/www.microsoft.com\/security\/portal\/blog-images\/Cerber\/tts.png\")
<\/a><\/p>\nIf the API can’t call the speech synthesizer, you’ll see an error message similar to this:<\/p>\n
![\"Error](\"http:\/\/www.microsoft.com\/security\/portal\/blog-images\/Cerber\/ttserror.png\")
<\/a><\/p>\nThe other “prongs” in the attack are the usual flavor of current\u00a0ransomware notices – a simple .html page or .txt file is opened using the native handler. The files include instructions to download the Tor browser, connect to a specific Tor site and start transferring some Bitcoins. It might display the ransom notes in different languages, based on the victim\u2019s IP geolocation.<\/p>\n
![\"HTML](\"http:\/\/www.microsoft.com\/security\/portal\/blog-images\/Cerber\/note.png\")
<\/a><\/p>\n![\"Plain](\"http:\/\/www.microsoft.com\/security\/portal\/blog-images\/Cerber\/notepad.png\")
<\/a><\/p>\nRansomware has come a long way from the non-encrypting lockscreen FBI and national police authority scare warnings<\/a>, and this newer “low-cost approach” is both frustrating and effective.<\/p>\n
Unlike other current ransomware (like Crowti<\/a>) it completely renames the extension and the file name for files it targets. It’s also very selective in choosing the folders where it won’t infect. The list of folders it avoids mostly includes system folders, such as Program Files<\/em>, the\u00a0Users<\/em> folder, the Recycle Bin<\/em> and various others. It does, however, encrypt files in folders in network shares, and in all drives on the machine, and uses\u00a0RSA encryption.<\/p>\n
The list of\u00a0file types it targets is extensive, and includes common types such as Office documents, some database files (including .sql, and\u00a0.sqlite), and archive files (for example, .rar and .zip).<\/p>\n
It stores configuration data in JSON format, which it decrypts and loads directly to memory at run time. The data includes:<\/p>\n
- \n
- The list of file extensions it targets<\/li>\n
- The folders it avoids<\/li>\n
- The public RSA key used for encryption (the private key is stored on the attacker\u2019s server)<\/li>\n
- The mutex name format<\/li>\n
- The .html and .txt content used in the ransom note<\/li>\n
- The IP of a server it sends statistical data to<\/li>\n<\/ul>\n
See our malware encyclopedia entry for details<\/a>\u00a0on the file types\u00a0and folders it targets.<\/p>\n
Encrypted files are given a randomized jumble of 10 characters for the file name, and the extension is changed to .cerber<\/em>. Therefore, a file called kawaii.png <\/em>could be renamed to something like\u00a05kdAaBbL3d.cerber.<\/em><\/p>\n
The instructions presented to a victim will lead them to a website where they can choose their language (considerate!) and must enter a CAPTCHA or anti-spambot challenge (ironic!). The language-choice page begins with an instruction to \u201cchoose your language\u201d. This phrase rotates between the 12 languages the user can choose from.<\/p>\n
![\"Choice](\"http:\/\/www.microsoft.com\/security\/portal\/blog-images\/Cerber\/langs.png\")
<\/a><\/p>\n![\"CAPTCHA](\"http:\/\/www.microsoft.com\/security\/portal\/blog-images\/Cerber\/captcha.png\")
<\/a><\/p>\nAfter they’ve passed these gates, the site provides details on how the victim can obtain and transfer Bitcoins to the attackers. There will be a “special price” that increases based on how quickly the victim pays the ransom, which is reminiscent of Crowti<\/a> and others.<\/p>\n
![\"Cerber](\"http:\/\/www.microsoft.com\/security\/portal\/blog-images\/Cerber\/decryptor2.png\")
<\/a><\/p>\nOur strongest suggestion to prevent attacks from Cerber and other ransomware remains the same: use Windows Defender<\/a>\u00a0as your antimalware client, and ensure that MAPS has been enabled<\/a>.<\/p>\n
Both ransomware and macro-based malware are on the rise, users can disable the loading of macros in Office programs<\/a>, and administrators can disable macro loading using Group Policy settings<\/a>.<\/p>\n