Cerber Ransomware Is Not on Vacation This Summer

Cerber Ransomware

The well-known Cerber ransomware continues to be active this summer. The size of the cryptolocker varies between 244 and 292 KB, and the new builds spread through spear phishing email campaigns targeting enterprises. The latest Cerber ransomware easily bypasses traditional defences: the analysed Cerber sample (MD5: cfd2d6f189b04d42618007fc9c540352) was detected as a suspicious malicious object by only nine out of 64 antivirus engines on its first submission to VirusTotal. The low detection rate is explained by the cryptolocker’s use of a polymorphic encryptor and API call obfuscation to protect its copies from antivirus detection.

Static analysis

The PE executable has a fake timestamp, a fake Import Address Table and even a fake Export Address Table.

Cerber Ransomware Fake Timestamp

Export Address Table

Cerber Ransomware Export Address Table

Hiding the payload

The latest builds of Cerber are further protected with API call obfuscation. To hide the actual imports, Cerber resolves them at runtime:

Cerber Ransomware runtime

The actual Import Address Table looks like this:

Cerber Ransomware Import Address Table

Decrypting the configuration data

The configuration JSON data is encrypted and stored as RCDATA in the resource section:

Cerber Ransomware Configuration

To decrypt the configuration data, Cerber goes through the following steps:

1. Imports the hard-coded 128-bit RC4 key from a key BLOB that is 28 bytes in size.

Cerber Ransomware Configuration

1st byte: BLOB type = PLAINTEXTKEYBLOB (0x08)
2nd byte: version = CUR_BLOB_VERSION (0x02)
5-8 bytes: algorithm id = CALG_RC4 (0x00006801)
9-12 bytes: key size in bytes = 16 (0x00000010)
13-28 bytes: key data = ‘ADBCCC55D6FB379BDA0E3262FF004E1D’

2. Wipes the 128-bit encryption key from memory by overwriting it with zeros after decryption:

Cerber Ransomware Configuration

3. Calls the CryptEncrypt() function to decrypt the JSON config, which is 107,171 bytes in size (RC4 is a stream cipher, so encryption and decryption are the same operation):

Cerber Ransomware Configuration
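The three steps above, as an added example that is not code from the original post: a Python reconstruction of the PLAINTEXTKEYBLOB parsing and the RC4 decryption of the RCDATA resource. The key BLOB is rebuilt from the field values listed above; the encrypted resource is a constructed sample, not the real Cerber resource.

```python
import json
import struct

# CryptoAPI constants from wincrypt.h
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
CALG_RC4 = 0x00006801

def rc4_key_from_blob(blob: bytes) -> bytes:
    """Parse a PLAINTEXTKEYBLOB: BLOBHEADER (8 bytes), DWORD key length, key bytes."""
    btype, ver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if (btype, ver, alg) != (PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, CALG_RC4):
        raise ValueError("not an RC4 PLAINTEXTKEYBLOB")
    (klen,) = struct.unpack_from("<I", blob, 8)
    if len(blob) != 12 + klen:
        raise ValueError("key length field does not match blob size")
    return blob[12:12 + klen]

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# The 28-byte key BLOB, rebuilt from the field values listed in the post
KEY_BLOB = struct.pack("<BBHII", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RC4, 16) \
    + bytes.fromhex("ADBCCC55D6FB379BDA0E3262FF004E1D")

def decrypt_config(rcdata: bytes) -> dict:
    """Decrypt an RCDATA resource with the embedded key and parse it as JSON."""
    return json.loads(rc4(rc4_key_from_blob(KEY_BLOB), rcdata).decode("utf-8"))

# Constructed sample: a small config in the post's JSON shape, RC4-encrypted with
# the key above so the decryption path can be exercised offline
SAMPLE_CONFIG = {"wallpaper": {"change_wallpaper": 1, "background": 139, "size": 13}}
SAMPLE_RCDATA = rc4(rc4_key_from_blob(KEY_BLOB), json.dumps(SAMPLE_CONFIG).encode())

if __name__ == "__main__":
    print(decrypt_config(SAMPLE_RCDATA))
```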

Configuration parameters

The Cerber configuration contains the following information:

  • Blacklist
    • File extensions that are not encrypted: bat, cmd, com, cpl, dll, exe, hta, msc, msi, msp, pif, scf, scr, sys
    • Files:
      • Bootsect.bak
      • Iconcache.db
      • Ntuser.dat
      • thumbs.db
    • Folders that the cryptolocker should avoid when encrypting files:
      • ":\\$getcurrent\\",
      • ":\\$recycle.bin\\",
      • ":\\$windows.~bt\\",
      • ":\\$windows.~ws\\",
      • ":\\boot\\",
      • ":\\documents and settings\\all users\\",
      • ":\\documents and settings\\default user\\",
      • ":\\documents and settings\\localservice\\",
      • ":\\documents and settings\\networkservice\\",
      • ":\\intel\\",
      • ":\\msocache\\",
      • ":\\perflogs\\",
      • ":\\program files (x86)\\",
      • ":\\program files\\",
      • ":\\programdata\\",
      • ":\\recovery\\",
      • ":\\recycled\\",
      • ":\\recycler\\",
      • ":\\system volume information\\",
      • ":\\temp\\",
      • ":\\windows.old\\",
      • ":\\windows10upgrade\\",
      • ":\\windows\\",
      • ":\\winnt\\",
      • "\\appdata\\local\\",
      • "\\appdata\\locallow\\",
      • "\\appdata\\roaming\\",
      • "\\local settings\\",
      • "\\public\\music\\sample music\\",
      • "\\public\\pictures\\sample pictures\\",
      • "\\public\\videos\\sample videos\\",
      • "\\tor browser\\"
    • OS language IDs (LCIDs) that exempt the machine from encryption:
      • 1049: Russian,
      • 1058: Ukrainian,
      • 1059: Belarusian,
      • 1064: Tajik,
      • 1067: Armenian,
      • 1068: Azeri (Latin),
      • 1079: Georgian,
      • 1087: Kazakh,
      • 1088: Kyrgyz (Cyrillic),
      • 1090: Turkmen,
      • 1091: Uzbek (Latin),
      • 1092: Tatar (Russia),
      • 2072: Romanian (Moldova),
      • 2073: Russian (Moldova),
      • 2092: Azeri (Cyrillic),
      • 2115: Uzbek (Cyrillic).
  • Whitelist
    • Folders that should be encrypted:
      • "\\bitcoin\\",
      • "\\excel\\",
      • "\\microsoft sql server\\",
      • "\\microsoft\\excel\\",
      • "\\microsoft\\microsoft sql server\\",
      • "\\microsoft\\office\\",
      • "\\microsoft\\onenote\\",
      • "\\microsoft\\outlook\\",
      • "\\microsoft\\powerpoint\\",
      • "\\microsoft\\word\\",
      • "\\office\\",
      • "\\onenote\\",
      • "\\outlook\\",
      • "\\powerpoint\\",
      • "\\steam\\",
      • "\\the bat!\\",
      • "\\thunderbird\\",
      • "\\word\\"

Global RSA 2048-bit public key:


Cerber Ransomware Public Key

Traces on the hard disk

Once unpacked, Cerber stores its temporary data and encryption keys in a subfolder of the Temp folder named after the first part of the Machine GUID. For example:



Cerber uses RC4 and RSA algorithms for encryption. Every file is encrypted using the RC4 algorithm with a unique 128-bit key.

The file’s RC4 key is encrypted using an RSA-880 public session key generated on the victim’s machine. The prime numbers (p and q) used to calculate the RSA-880 session key are encrypted using the RSA-2048 master public key delivered in the configuration data embedded in the cryptolocker’s file.

The attacker, holding the RSA-2048 master private key, can decrypt the prime numbers and restore the RSA-880 session private key by calculating the private exponent (d) with the extended Euclidean algorithm.

The encrypted file contains the encrypted RC4 key used for that file, the encrypted original file data, the original filename, and a checksum, stored in a specific order. Cerber also writes a 60-byte block of randomly generated data into the middle of the file to complicate the encrypted file structure even further.

Key encryption

First, the RSA-2048 public key from the configuration data is decoded from Base64 (PEM format) and then converted to a PUBLICKEYBLOB:

Cerber Ransomware Key encryption

Once decoded, the CERT_PUBLIC_KEY_INFO structure contains a public key and its algorithm (OID_RSA_RSA "1.2.840.113549.1.1.1" - RSA is used to both encrypt and sign the content):

Cerber Ransomware CERT_PUBLIC_KEY_INFO

The RSA-2048 public key is then imported as a PUBLICKEYBLOB.

Cerber Ransomware PUBLICKEYBLOB

1st byte: BLOB type = PUBLICKEYBLOB (0x06)
2nd byte: version = CUR_BLOB_VERSION (0x02)
5-8 bytes: algorithm id = CALG_RSA_KEYX (0x0000A400)
9-20 bytes: RSAPUBKEY {magic = ‘RSA1’, key length = 2048 bits, public exponent = 65537}
21-276 bytes: key data (the 256-byte modulus)
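An added example (not the post’s own code) that parses a PUBLICKEYBLOB with the layout listed above and re-encodes it as a PEM public key, i.e. the reverse of the conversion the malware performs, which is what an analyst needs to extract the master key from a sample. The blob is a constructed sample with a dummy modulus, not Cerber’s real master key.

```python
import base64
import struct

# CryptoAPI constants from wincrypt.h
PUBLICKEYBLOB, CUR_BLOB_VERSION, CALG_RSA_KEYX = 0x06, 0x02, 0x0000A400
RSA1_MAGIC = 0x31415352  # the bytes 'RSA1' read as a little-endian DWORD

def parse_publickeyblob(blob: bytes):
    """Return (modulus, public exponent, bit length) from a PUBLICKEYBLOB:
    BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes) + little-endian modulus."""
    btype, ver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if (btype, ver, alg) != (PUBLICKEYBLOB, CUR_BLOB_VERSION, CALG_RSA_KEYX):
        raise ValueError("not an RSA key-exchange PUBLICKEYBLOB")
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY magic is not 'RSA1'")
    if len(blob) != 20 + bitlen // 8:
        raise ValueError("modulus length does not match the declared bit length")
    return int.from_bytes(blob[20:], "little"), pubexp, bitlen

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV, long-form length when the body is 128 bytes or more."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep INTEGER positive

def blob_to_der(blob: bytes) -> bytes:
    """Re-encode the blob as a SubjectPublicKeyInfo (the body of a PEM 'PUBLIC KEY')."""
    n, e, _ = parse_publickeyblob(blob)
    rsa_oid = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
    alg_id = _der(0x30, rsa_oid + b"\x05\x00")          # rsaEncryption, NULL params
    pubkey = _der(0x03, b"\x00" + _der(0x30, _der_int(n) + _der_int(e)))
    return _der(0x30, alg_id + pubkey)

def blob_to_pem(blob: bytes) -> str:
    b64 = base64.b64encode(blob_to_der(blob)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# Constructed sample blob (not Cerber's key): 2048-bit dummy modulus, e = 65537
SAMPLE_N = (1 << 2047) | int.from_bytes(bytes(range(256)), "little") | 1
SAMPLE_BLOB = struct.pack("<BBHIIII", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX,
                          RSA1_MAGIC, 2048, 65537) + SAMPLE_N.to_bytes(256, "little")
```

The resulting PEM can be fed to any standard tool to inspect or compare the extracted master key.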

Then Cerber creates another RSA key, this one with an 880-bit modulus, and saves its public key to the temporary file:

Cerber Ransomware 880-bit modulus

The RSA-2048 public key is used to encrypt a 114-byte block of data consisting of a 4-byte header ‘37003700’ that specifies the size of each prime (0x37 = 55 bytes) and the two 55-byte prime numbers generated for the RSA-880 key, which in turn is used to encrypt the RC4 key:

Cerber Ransomware 114-byte block of data

The encrypted block is stored in a tmp file in the %TEMP% folder and appended to the end of every encrypted file:

Cerber Ransomware encrypted block

File encryption

Cerber encrypts a file using the RC4 algorithm with a 128-bit key generated for every file that will be encrypted.

After encryption, the file contains the following data blocks, in order:

  • Original file data (‘skip_bytes’ = 1800 bytes)
  • Randomly generated data (60 bytes)
  • Encrypted data from offset 1860 (‘skip_bytes’ + 60) to the end of the original file
  • Encrypted data containing the original filename, checksum, and RC4 key (48 bytes)
  • Encrypted 99 bytes consisting of a header (39 bytes) and the 60 bytes of the original file located after ‘skip_bytes’ (offset 1800) that were replaced with the randomly generated data (110 bytes). The header (39 bytes) includes: magic = FrbR, size of data, 16-byte RC4 key
  • RSA-880 prime numbers p and q encrypted by RSA-2048 (256 bytes)

Cerber Ransomware File encryption

The file with the encrypted data is renamed as:

<Random characters>.<4th part of the Machine GUID>

Ransom notes

The ransom notes are stored in the folders together with the encrypted files and are named in the following format:


Cerber Ransomware Ransom notes

At the end of the encryption, the cryptolocker sets the familiar Cerber-style wallpaper:

Cerber Ransomware

The wallpaper bitmap is generated based on the parameters mentioned in the configuration data:

  "wallpaper": {
    "change_wallpaper": 1,
    "background": 139,
    "color": 16777215,
    "size": 13,
    "text": "   \n   CRBR ENCRYPTOR ...  }


Cerber connects to port 6893 on the IP addresses specified as CIDR ranges in the config:

The communication packet starts with a hash of the Machine GUID ({MD5_KEY}) and ends with {PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}.

For example, Cerber tries to initiate a connection to a remote server in the range specified in the configuration data by sending the victim’s machine ID:

Cerber Ransomware Communication


The Decryption Service is available through Tor at http://xpcx6erilkjced3j.onion/<MACHINE_ID>. For example: http://xpcx6erilkjced3j.onion/AA8A-60D2-7EC2-0446-A314

Cerber Ransomware Decryptor

It requires solving a CAPTCHA:

Cerber Ransomware CAPTCHA

It demands a payment of 0.045 Bitcoin within five days; otherwise the price is doubled.

Cerber Ransomware payment


The Bitcoin address used in the attack has not received any transaction yet.

Cerber Ransomware Bitcoin address


  • Cerber is spread through spear phishing email campaigns targeting enterprises.
  • Cerber uses polymorphic encryption and API call obfuscation to bypass antivirus protection.
  • As in previous versions, it uses encrypted configuration data stored in JSON format.
  • It uses the encryption scheme master RSA-2048 key -> session RSA-880 key -> RC4-128 file key.
  • It is not possible to decrypt files without knowing the master private RSA-2048 key.
  • Cerber tries to connect to the C&C using the IPs specified in the configuration data in order to send encryption statistics.

Acronis True Image 2018 Beta Blocks Cerber

The new version of Acronis Active Protection, which is part of Acronis True Image 2018 Beta, detects Cerber ransomware and instantly restores the affected files.

Acronis Active Protection constantly observes patterns in how data files are being changed on a system. One set of behaviors may be typical and expected. Another set of behaviors may signal a suspect process taking hostile action against files. The Acronis approach looks at these actions and compares them with malicious behavior patterns. This approach is exceptionally powerful in identifying ransomware attacks, even from ransomware variants that are as yet unreported.
