
Cerber ransomware interacts with victims in a special way


At first sight, Cerber looks like typical present-day crypto ransomware. It encrypts most of the common file types found on an infected Windows computer and then tells the victim to pay 1.24 Bitcoins, which currently amounts to more than 800 USD.

While all ransom Trojans do much the same thing and pursue identical goals, this one is unusual in one respect. To instruct infected users on file recovery, it uses a text-to-speech feature in addition to the regular ransom note formats.

Unlike most of its counterparts, Cerber has no single propagation vector. The reason is that it is distributed by different groups of cybercrooks who take different approaches to payload delivery. The Ransomware-as-a-Service model accounts for this variety. RaaS means that pretty much anyone can join the malicious affiliate network, get their sample of the code for free, and then spread it as they see fit. The authors, of course, take their fixed share of all the ransoms paid by victims afterward.

The most popular infection method, though, is phishing: the malware operators run a spam campaign that sends thousands of emails with harmful attachments, such as obfuscated JavaScript objects and .docm files with macros.

Once inside, Cerber applies the AES cryptosystem to lock the user's personal files. It also appends the .cerber string to filenames. The HTML, TXT and VBS editions of the # Decrypt My Files # ransom instructions direct the victim to visit the Cerber Decryptor page over an anonymous Tor connection. The VBScript version, by the way, is the one that generates sound when opened.
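A triage check for the file-system artifacts described above, as an added example that is not part of the original article: it walks a directory tree and reports files carrying the .cerber extension and ransom notes in the three listed formats. It assumes the note's on-disk file name is the "# Decrypt My Files #" title followed by the format's extension; the sample tree is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".cerber"            # extension named in the article
NOTE_STEM = "# decrypt my files #"      # assumed note file name (title from the article)
NOTE_EXTS = {".html", ".txt", ".vbs"}   # the three note formats the article lists

def classify(filename):
    """Return 'encrypted', 'note' or None for a single file name."""
    stem, ext = os.path.splitext(filename.lower())
    if ext == ENCRYPTED_SUFFIX:
        return "encrypted"
    if ext in NOTE_EXTS and stem.strip() == NOTE_STEM:
        return "note"
    return None

def scan(root):
    """Walk root; collect artifact paths and a per-directory count of locked files."""
    encrypted, notes, per_dir = [], [], Counter()
    # Unreadable directories are skipped rather than aborting the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            kind = classify(name)
            if kind == "encrypted":
                encrypted.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
            elif kind == "note":
                notes.append(os.path.join(dirpath, name))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "per_dir": dict(per_dir)}

def build_sample_tree(root):
    """Constructed sample data: empty files with illustrative names only."""
    names = ["docs/report.docx.cerber", "docs/# DECRYPT MY FILES #.txt",
             "docs/# DECRYPT MY FILES #.vbs", "pics/a1b2c3.CERBER",
             "pics/holiday.jpg", "notes/decrypt my files.txt"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan(tmp)
        print(len(result["encrypted"]), "locked files,",
              len(result["notes"]), "ransom notes")
        for directory, count in sorted(result["per_dir"].items()):
            print(f"{count:4d}  {directory}")
```

The per-directory counts show which folders were hit, which helps decide what to restore from backup first.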

No free tools are available to decrypt data held hostage by Cerber. Although a few techniques do exist to restore some files, it is highly recommended to maintain backups of the most valuable information in one or several safe locations.

