Emerging Threat on RANSOM_CERBER

    • Updated: 8 Jul 2016
    • Product/Version:
    • Deep Discovery Analyzer 5.5
    • Deep Discovery Email Inspector 2.5
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Hosted Email Security 2.0
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 8.0 2000/2003/2007
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform: N/A
Summary

“Attention! Attention! Attention!”
“Your documents, photos, databases and other important files have been encrypted!”

CERBER's “voice” capability, which reads a message aloud to inform you that your files are encrypted, sets it apart from other ransomware.

This technique is reminiscent of one of the variants of REVETON, otherwise known as police ransomware, which can also “speak” in a language that depends on where the user is located.

Based on our investigation, CERBER only uses the English language; however, once users click the link via the Tor browser, it points to a page asking users which language to use. Even though the landing page offers various languages, only English works as of this posting. The cybercriminals behind CERBER require users to pay 1.24 BTC (~US$523, as of March 4, 2016), which will increase to 2.48 BTC (~US$1046, as of March 4, 2016) in seven (7) days’ time.

Based on SPN, this menace is seen mostly in the APAC and NABU regions.

CERBER Infection Chain


Antispam Pattern

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
EXPOSURE | Spam mail | AS2314 | 5/10/2016

SAL / BES Pattern

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
INFECTION | SWF.HEU.HeapSpray.A | SAL 121913.0.0 | 5/26/2016

VSAPI Pattern (Malicious File Detection)

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
INFECTION | Ransom_CERBER.SM | 12.497.00 | 4/29/2016
INFECTION | Ransom_CERBER.SMA | 12.497.00 | 4/29/2016
INFECTION | Ransom_CERBER.SMC | 12.497.00 | 4/29/2016
INFECTION | Ransom_CERBER.SMB | 12.502.06 | 5/2/2016
INFECTION | Ransom_CERBER.SMR | 12.504.06 | 5/3/2016
INFECTION | Ransom_CERBER.SMD | 12.524.05 | 5/13/2016
INFECTION | SWF_AXPERGLE.LN | 12.493.00 | 04/27/16

WRS Pattern (Malicious URL and Classification)

LAYER | URL | SCORE | BLOCKING DATE
EXPOSURE | 94{blocked}.102.63.7/11/files.exe | Virus Accomplice | 5/11/2016
EXPOSURE | mobikash{blocked}..com/language/de-DE/com_loader.exe | Virus Accomplice | 4/27/2016
EXPOSURE | 119{blocked}.17.253.225/ok.jpg | Ransomware, Disease Vector | 5/3/2016
EXPOSURE | Kewix{blocked}.hu:80/ | Ransomware, Disease Vector | 4/6/2016
EXPOSURE | 188{blocked}.225.35.38/farest.555 | Virus Accomplice | 4/2/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
DYNAMIC | AN1979T | OPR 1543 | 5/17/2016

Network Pattern

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEAN-UP | UDP_RANSOM_CERBER_REQUEST | 1.10159.00 | 5/24/2016
 
Make sure to always use the latest pattern available to detect the old and new variants of Ransom_CERBER.
Details

Solution Map - What should customers do?

Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern
OfficeScan | 11 SP1 above | Update Pattern via web console | Turn On Ransomware Protection Feature/Update Pattern via Web console | Enable Web Reputation Service* | Update Pattern via Web console | Not Applicable | Update Pattern via web console
10.6 and above | Update Pattern via web console
Worry Free Business Suite | 9 SP1 above | Turn On Ransomware Protection Feature/Update Pattern via Web console
8 and above | Update Pattern via Web console | Update Pattern via Web console
Hosted
Deep Security | 8.0 and above
Not Applicable
Update Pattern via Web console | Not Applicable | Update Pattern via Web console
ScanMail | SMEX 10 and later
Not Applicable
Update Pattern via Web console
Not Applicable
SMD 5 and later
InterScan Messaging | IMSVA 8.0 and above
InterScan Web | IWSVA 6.0 and later
Deep Discovery | DDI 3.0 and later
Not Applicable
Update Pattern via web console
DDAN
DDEI
 
*Refer to the Product Administrator’s Guide on how to enable the Ransomware Protection, Email Reputation and Web Reputation services features.

Recommendations

Threat Report

Blog

Category: Update
Solution Id: 1114562