Beware: "Ransomware" has been floating around on the Internet
A piece of ransomware has been floating around for about a week. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
"although ransomware is usually aimed at individuals, it's only a matter of time before business is targeted as well"
Cerber is a ransomware-type malware that infiltrates systems, encrypting various file types including .jpg, .doc, .raw, .avi, etc. Cerber adds a .cerber (some variants add .cerber2 or .cerber3) extension to each encrypted file. Following successful infiltration, Cerber demands a ransom payment to decrypt these files. It is stated that payment of the ransom must fall within the given time frame (seven days), otherwise the ransom amount will double.
When infected, a victim's data files are encrypted using AES, and the victim is told they need to pay a ransom of 1.24 bitcoins (~500 USD) to get their files back.
Unfortunately, at this point there is no known way to decrypt a victim's encrypted files for free.
When first run, Cerber checks whether the victim is located in a particular set of countries. If the computer appears to be in any of the following countries, it terminates itself and does not encrypt the computer:
Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan. Infections have now also been found in Asia, including the Philippines.
If the victim is not from one of the above countries, Cerber will install itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ folder and name itself after a random Windows executable. For example, when we performed our analysis of the ransomware it named itself autochk.exe. It will then configure Windows to automatically boot into Safe Mode with Networking on the next reboot using the following command:
"C:\Windows\System32\bcdedit.exe" /set {current} safeboot network
Cerber then configures itself to start automatically when you log in to Windows, to execute as your screensaver when your computer is idle, and sets a scheduled task to execute itself once every minute. In this phase, when the ransomware is executed it shows a fake system alert and begins a restart process.
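As an added example (not code from the original post or from any of the linked guides), here is a small Python triage helper that checks collected host artifacts for the indicators described above: a safeboot value in the output of `bcdedit /enum {current}`, a GUID-named folder under %AppData% containing a dropped .exe, and files carrying the .cerber extensions. The sample bcdedit output and file listing are constructed, the plain list-of-paths input format is an assumption, and the suggested `bcdedit /deletevalue` command is the standard way to clear a BCD value.

```python
import re
# File extensions Cerber appends to encrypted files (from the write-up above).
CERBER_EXTS = (".cerber", ".cerber2", ".cerber3")
# A GUID-named folder under %AppData% holding an .exe named after a Windows binary.
APPDATA_GUID_EXE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\[^\\]+\.exe$",
    re.IGNORECASE)

def bcd_safeboot_value(bcdedit_output):
    """Return the 'safeboot' value of the {current} entry in 'bcdedit /enum {current}'
    output, or None if none is set. Cerber sets it to 'Network'."""
    in_current = False
    for line in bcdedit_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "identifier":
            in_current = value == "{current}"
        elif in_current and key == "safeboot":
            return value
    return None

def triage(bcdedit_output, file_listing):
    """Match the indicators against collected artifacts and return a report dict."""
    safeboot = bcd_safeboot_value(bcdedit_output)
    encrypted = [p for p in file_listing if p.lower().endswith(CERBER_EXTS)]
    dropped = [p for p in file_listing if APPDATA_GUID_EXE.search(p)]
    actions = []
    if safeboot:
        # Clear the forced Safe Mode boot; bcdedit needs an elevated prompt.
        actions.append("bcdedit /deletevalue {current} safeboot")
    if dropped:
        actions.append("quarantine the dropped .exe; remove its Run, screensaver and task entries")
    return {"safeboot": safeboot, "encrypted": encrypted, "dropped": dropped,
            "actions": actions}

# Constructed sample artifacts (not captured from a real infection).
SAMPLE_BCDEDIT = """
Windows Boot Loader
identifier              {current}
description             Windows 10
safeboot                Network
"""
SAMPLE_FILES = [
    r"C:\Users\victim\Documents\budget.xlsx.cerber3",
    r"C:\Users\victim\Pictures\holiday.jpg.cerber",
    r"C:\Users\victim\AppData\Roaming\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\autochk.exe",
    r"C:\Windows\System32\autochk.exe",
]
```

Note that the legitimate C:\Windows\System32\autochk.exe is not flagged; only the copy inside the GUID-named %AppData% folder is.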
Cerber ransomware is distributed via spam e-mail attachments (infected .WSF and .DOC files): a rogue document is attached to the spam e-mail, and once users open it they are encouraged to enable malicious macros, after which the ransomware starts encrypting the victim's data.
Here are some users who commented and messaged me and confirmed they have encountered the ransomware; unfortunately I cannot help.
You can check the removal guides posted by experts below:
- https://www.pcrisk.com/removal-guides/9842-cerber-ransomware
- http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/
- http://sensorstechforum.com/remove-cerber-3-ransomware-restore-cerber3-encrypted-files/