From Russia with Love: Cerber Ransomware first encrypts your files and then reads out the ransom note
Malware authors are known to be an ingenious lot, and now one of them has come up with a ransomware that actually reads the ransom note aloud to the victim.
Cerber is a recently discovered ransomware that encrypts the victim's files and then uses a text-to-speech (TTS) feature to read out the ransom note.
Cerber was first analysed last week by security researchers at SenseCy, who state that it was written by Russian coders who advertise and sell it as Ransomware-as-a-Service (RaaS) on Russian underground hacking forums.
Ransomware-as-a-Service (RaaS) is a new business model that is growing rapidly in Russia. Under RaaS, the malware authors supply a fully developed ransomware to cyber criminals for a fixed fee; the buyers then distribute it via spam and spear-phishing campaigns, and the authors additionally take a small cut each time a victim pays the ransom.
Cerber is unusual in several respects. One is that it stays away from Russian-speaking countries: the researchers say its code was specifically written to avoid infecting users in former Soviet countries.
Another quirk of Cerber's operation is that, before encrypting anything, it displays a fake error prompt that tricks the user into rebooting the computer. The ransomware first restarts the PC into "Safe Mode with Networking" and then forces yet another restart into normal mode.
After this forced restart, Cerber starts encrypting files using AES. It targets 380 file types, and during encryption it scrambles each file's name and appends the .cerber extension. Once Cerber has encrypted the data in a folder, it drops three ransom notes there, in text, HTML and VBS format. When the victim opens the VBS note, it recites the ransom demand aloud.
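The indicators described above (files renamed to a scrambled stem plus a .cerber extension, and a text/HTML/VBS note triad dropped alongside them) are what an incident responder would sweep a share for. The following triage script is an added example written for this article; it is not Cerber's code, nor a SenseCy tool. The note base name `DECRYPT_MY_FILES`, the "scrambled stem" regex, and the check for the Windows `SAPI.SpVoice` COM object in the VBS note (the standard way VBScript does text-to-speech) are all assumptions made for the example, not details the article states. The sample directory tree it scans is constructed in a temp directory so the script runs offline.

```python
"""Triage helper for Cerber-style indicators: *.cerber files with scrambled
names and a ransom note dropped in text, HTML and VBS form in the same folder.
Added example, not Cerber's code or any vendor tool."""
import os
import re
import tempfile

CERBER_EXT = ".cerber"
NOTE_EXTS = (".txt", ".html", ".vbs")
# ASSUMPTION: the article only says the notes come in three formats; the shared
# base name used here is made up for this example.
NOTE_STEM = "DECRYPT_MY_FILES"
# ASSUMPTION (heuristic): VBScript text-to-speech goes through the SAPI.SpVoice
# COM object, so its presence in the .vbs note is a strong TTS indicator.
TTS_MARKER = re.compile(r'CreateObject\s*\(\s*"SAPI\.SpVoice"\s*\)', re.IGNORECASE)
# Heuristic for a "scrambled" stem: short alphanumeric blob, no readable name.
SCRAMBLED = re.compile(r"^[A-Za-z0-9_-]{8,16}$")


def classify_dir(dirpath, filenames):
    """Return the Cerber-related indicators found in one directory."""
    enc = sorted(f for f in filenames if f.lower().endswith(CERBER_EXT))
    notes = sorted(f for f in filenames
                   if os.path.splitext(f)[0] == NOTE_STEM
                   and os.path.splitext(f)[1].lower() in NOTE_EXTS)
    tts = False
    for n in notes:
        if n.lower().endswith(".vbs"):
            with open(os.path.join(dirpath, n), encoding="utf-8", errors="replace") as fh:
                if TTS_MARKER.search(fh.read()):
                    tts = True
    scrambled = [f for f in enc if SCRAMBLED.match(f[:-len(CERBER_EXT)])]
    return {"encrypted": enc, "scrambled": scrambled, "notes": notes, "tts_note": tts}


def scan_tree(root):
    """Walk root; keep only directories that show at least one indicator."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        info = classify_dir(dirpath, filenames)
        if info["encrypted"] or info["notes"]:
            report[os.path.relpath(dirpath, root)] = info
    return report


def verdict(report):
    """Aggregate per-directory findings into a single triage verdict."""
    n_enc = sum(len(v["encrypted"]) for v in report.values())
    triad = sorted(d for d, v in report.items()
                   if {os.path.splitext(n)[1].lower() for n in v["notes"]} == set(NOTE_EXTS))
    tts_dirs = sorted(d for d, v in report.items() if v["tts_note"])
    return {"encrypted_files": n_enc, "note_triad_dirs": triad,
            "tts_dirs": tts_dirs, "likely_cerber": n_enc > 0 and bool(triad)}


def build_sample_tree(root):
    """Constructed sample data for the demo (not taken from a real infection)."""
    docs = os.path.join(root, "Documents")
    clean = os.path.join(root, "Clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for name in ("A1b2C3d4E5.cerber", "Zq9xW8vU7t.cerber"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(docs, NOTE_STEM + ".txt"), "w") as fh:
        fh.write("Your files are encrypted.\n")
    with open(os.path.join(docs, NOTE_STEM + ".html"), "w") as fh:
        fh.write("<p>Your files are encrypted.</p>\n")
    with open(os.path.join(docs, NOTE_STEM + ".vbs"), "w") as fh:
        fh.write('Set v = CreateObject("SAPI.SpVoice")\nv.Speak "Your files are encrypted"\n')
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("nothing to see here\n")  # same extension, not a ransom note


def demo():
    """Build the sample tree, scan it, and return the verdict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return verdict(scan_tree(root))


if __name__ == "__main__":
    print(demo())
```

Run against a real share by replacing `demo()` with `verdict(scan_tree("/path/to/share"))`; the per-directory report from `scan_tree` tells you where to pull the notes and encrypted samples from for analysis, and the `likely_cerber` flag only fires when both encrypted files and the full note triad are present, which keeps a stray `.txt` from raising an alert.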
The ransom note demands 1.24 Bitcoin ($520 / €475), a sum that doubles after the first week. As usual, the victim has to pay in Bitcoin through a Tor hidden service (a .onion address).
At the time of writing there is no way to decrypt Cerber-encrypted files without paying the ransom.