ACG-CYBER SECURITY BULLETIN NO 123 UNDERSTANDING CERBER RANSOMWARE
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
“Cerber” is an active family of ransomware spread via spam e-mails and currently has 5 versions. The Cerber .DOCX file arrives attached to an e-mail message; when the user opens it, it displays a document with bad encoding and uses social engineering to convince the user to enable macros, which then extract and run the payload.
When Cerber was first introduced, it configured itself to start automatically when a user logs in to Windows and to execute as a screensaver when the computer is idle. It also set a task to execute itself once every minute. In this phase, when the ransomware is executed, it shows a fake system alert and begins a restart process; the fake system alert keeps being displayed until the system is restarted.
Cerber’s encryption is unbreakable, so once your files are encrypted, there is nothing you can do to get them back. Even submitting to the attackers’ criminal demands for payment would not guarantee that your files will be decrypted, as there is nothing preventing them from just taking your money and running. Your best bet therefore is to stop Cerber from getting into your PC in the first place.
Having an up-to-date antivirus installed on your PC is your first line of defense. Good online safety practices, such as never opening suspicious e-mail attachments even if you know and trust the sender, can go a long way in keeping you and your data secure. If it looks or feels off, do not risk it.
Cerber is just one of the many strains of ransomware out there, and ransomware itself is only one of many kinds of malware that can harm your PC, your data, and your security online.
At present, Cerber is no longer creating an auto start but instead, it cleans itself without leaving executable files behind. Before Cerber encrypts any files, it will first stop some .exe processes so that it can encrypt associated files.
All PNP personnel as well as the public are advised to follow the tips below in order to prevent Cerber ransomware from infecting their devices and computer systems, to wit:
- Always run updated anti-virus on your computers;
- Always update your software with the latest patch available;
- Always enable the ‘Show hidden file extensions’ option;
- Say NO to unknown links and avoid downloading attachments from unrecognized sources; and
- Always back up your data on an external device.
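The following is an added defender-side check, not part of the bulletin, that looks for the persistence behaviour described above (a task repeating every minute, screensaver execution, logon autostart) and applies the file-extension tip from the list. It assumes a Windows host with the ScheduledTasks PowerShell module (Windows 8 / Server 2012 or later), run as the user whose profile is being inspected; the path pattern used to flag a screensaver is a heuristic of my own.

```powershell
# Added example (not from the PNP ACG bulletin). Requires the ScheduledTasks
# module; run in the context of the user profile being inspected.

# 1. Scheduled tasks whose trigger repeats every minute, as the bulletin
#    describes for early Cerber builds. Legitimate software can also use
#    short intervals, so review the Actions of each hit before acting.
$suspectTasks = Get-ScheduledTask | Where-Object {
    $_.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1M' }
}
foreach ($t in $suspectTasks) {
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Write-Output "Task repeating every minute: $($t.TaskPath)$($t.TaskName) -> $actions"
}

# 2. Screensaver configured for the current user. A screensaver that points
#    at a file in a user-writable location is worth inspecting (heuristic).
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desktop.'SCRNSAVE.EXE') {
    $scr  = $desktop.'SCRNSAVE.EXE'
    $flag = if ($scr -match 'AppData|Temp|Users') { ' (user-writable path, inspect)' } else { '' }
    Write-Output "Screensaver: $scr$flag"
}

# 3. Per-user logon autostart entries (Run key), another common persistence spot.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* |
    ForEach-Object {
        $_.PSObject.Properties | ForEach-Object { Write-Output "Run entry: $($_.Name) = $($_.Value)" }
    }

# 4. Apply the bulletin's tip: show file extensions so an attachment named
#    like a document but ending in .exe is not displayed as a harmless file.
#    Takes effect for new Explorer windows (or after restarting explorer.exe).
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name HideFileExt -Value 0 -Type DWord
```

Hits from steps 1 to 3 are leads for triage, not proof of infection; compare each flagged path against what is expected on that machine.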
For additional information, please refer to the following websites:
POINT OF CONTACT