New version of Cerber ransomware hits businesses where it hurts

The latest version of Cerber ransomware is targeting database applications and putting business’s most valuable data at risk, according to recent reports.

Large database applications such as Oracle, Microsoft SQL Server, MySQL and others contain critical data for things like Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Electronic Medical Record (EMR) systems. The latest version aims to encrypt all of them in addition to documents, spreadsheets and multimedia files.

How Cerber ransomware works
Ransomware victims are not chosen on an individual basis. Instead, they’re usually found within a pool of available targets organized by country, region or industry. This semi-targeted approach is often used to ensure that as many targets as possible have the means to pay the ransom, either because they live in regions with a high median income, or because they work in industries that are known to pay up. Cybercriminals like those spreading the new version of Cerber may also target databases—where many businesses store their most important information.

Once Cerber infects a system, it checks to see if it is in a target country. It targets all countries except for Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan. Cerber then places a copy of itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ directory using a randomly generated executable name. Cerber then prepares to encrypt files by escalating its privileges through a UAC bypass using DLL hijacking. Cerber needs escalated privileges in order to stop certain services that, if running, would disrupt the process of database encryption.

Database files are written to and changed frequently, and database software typically keeps them open so that data in memory can be flushed to disk and served to applications rapidly. Tampering with the files while they are open can corrupt them, and criminals would lose the confidence of their victims if they could not decrypt files after the ransom was paid, so Cerber stops the services first.

Here are the databases that Cerber encrypts as well as the processes that it terminates. If you are running these processes and they stop unexpectedly, this could be a sign of Cerber infection. Each of the processes below is a Microsoft Windows executable. Cerber ransomware currently affects databases running on Windows only.

Database | Process
Citrix MetaFrame | encsvc.exe
Microsoft SQL Server | msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe
Mozilla Firefox | firefoxconfig.exe
Mozilla Thunderbird | tbirdconfig.exe
MySQL | mysqld.exe, mysqld-nt.exe, mysqld-opt.exe
Oracle | agntsvc.exe, agntsvc.exeisqlplussvc.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, dbsnmp.exe, isqlplussvc.exe, mydesktopservice.exe, mydesktopqos.exe, oracle.exe, ocssd.exe, ocautoupds.exe, ocomm.exe, synctime.exe, xfssvccon.exe
Red Gate Software’s SQL Backup Pro | sqbcoreservice.exe
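As an added defender-side example (not part of the article), the following Python scans process-exit records for a burst of kill-list processes ending together, which is the warning sign the text above describes. The log format is a constructed one-line rendering of Windows Security event 4689, and the 60-second window and threshold of three distinct processes are assumptions to tune for your environment.

```python
import re
from datetime import datetime, timedelta
# Process names from the kill-list above: Cerber stops these so that the
# database files are closed before it encrypts them.
CERBER_KILL_LIST = {
    "encsvc.exe", "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe",
    "sqlwriter.exe", "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "oracle.exe",
    "dbsnmp.exe", "isqlplussvc.exe", "sqbcoreservice.exe"}
# Constructed one-line rendering of Windows Security event 4689 ("A process
# has exited"): timestamp, event id, then the Process Name field.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+4689\s+Process Name:\s+(?P<path>.+)$")

def parse_exit_event(line):
    """Return (timestamp, lower-cased executable name), or None for other lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("path").rsplit("\\", 1)[-1].lower()

def find_kill_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Flag each window in which at least `threshold` distinct kill-list processes
    exited. A single planned restart stays below the threshold; several database
    processes dying together within a minute is the pattern described above."""
    exits = sorted(e for e in map(parse_exit_event, lines)
                   if e is not None and e[1] in CERBER_KILL_LIST)
    alerts, i = [], 0
    while i < len(exits):
        start, j, seen = exits[i][0], i, set()
        while j < len(exits) and exits[j][0] - start <= window:
            seen.add(exits[j][1])
            j += 1
        if len(seen) >= threshold:
            alerts.append((start, sorted(seen)))
            i = j          # consume the whole window so alerts do not overlap
        else:
            i += 1
    return alerts

# Constructed sample: a burst of database process exits at 03:14 and one
# routine SQL Server restart later in the day that should not alert.
SAMPLE_LOG = """\
2017-01-19T03:12:01 4689 Process Name: C:\\Windows\\System32\\notepad.exe
2017-01-19T03:14:10 4689 Process Name: C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe
2017-01-19T03:14:11 4689 Process Name: C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlagent.exe
2017-01-19T03:14:11 4689 Process Name: C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlwriter.exe
2017-01-19T03:14:13 4689 Process Name: C:\\Program Files\\MySQL\\bin\\mysqld.exe
2017-01-19T22:00:00 4689 Process Name: C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe
""".splitlines()
```

Run `find_kill_bursts(SAMPLE_LOG)` to see the 03:14 burst reported and the lone 22:00 restart ignored.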

Decryption keys were made available for earlier versions of Cerber, but they were removed when newer versions of Cerber came out. A high-quality database backup is crucial for recovering from an encrypted database. Since enterprise database systems change frequently as new transactions occur, backup systems are often continuous, or scheduled at very short intervals, so that little or no data is lost when failures occur. It’s also important to test the restore process regularly to ensure that all relevant data is captured and that the data can be recovered in a reasonable time frame.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Full Text Catalog Organ Transplant: Moving SQL Server full text indexes

Full text searching allows more complex searches, such as word or phrase searching, inflection matching, proximity searching and relevance matching, to be performed on many different fields within tables. For these searches to run, SQL Server builds and maintains a catalog.

We have such a large amount of data that rebuilding a full text catalog can take as long as 14 days. We needed a way to bring the full text catalog back without rebuilding it; essentially, I needed a backup. Microsoft does not back up the full text catalog in normal backup operations, and you cannot access it with software while the server is running because it is always in use.

You cannot use standard backup commands to back them up, and Microsoft does not have any utilities available for the task either. They do, however, have a guide for how to migrate it from one server to another, which is what we needed to do. I call the process a full text catalog organ transplant because organ transplants require the patient receiving the organ to have the same characteristics as the donor in order for the body to accept the new organ.

Full text catalogs need a destination system with many of the same characteristics as their previous system or they will not work at all. The characteristics that must match are the SQL Server version, the full-text catalog folder and file locations, the full-text catalog folder and file names and contents, and the same database id and table ids on both servers and databases.

The first few similarities are easy to recreate on the destination system. The database id is a little more difficult, as some DBAs do not even know what the id is for their databases. You can obtain the database id of a SQL Server database by issuing the following command:

Select db_id()

You have to be in the database you want to query first; USE databasename will accomplish this.

This database number is generated when the database is attached to the instance.  Since the numbers have to match between source and destination, you need to create a situation where the database will receive the same database id when attached to the destination as it did at the source.

We found that you can reuse numbers from databases that have been detached, so the process involves knowing the database ids of the databases you will import and then the ones in use at the destination.

If there is a database using the needed id, simply detach it, attach the imported database, and then attach the database you just detached. The imported database will assume the detached database’s id as long as it is the lowest available number.

If you have a gap in the numbers, as in this example where there is no database with an id of 6, you will need to fill that gap first. You can do that easily by attaching the database with the id you want to use first so that it consumes that spot. NOTE: master, tempdb, model, and msdb always have the numbers you see below.

Database | ID
master | 1
tempdb | 2
model | 3
msdb | 4
Database1 | 5
Database2 | 7
Database3 | 8
Database4 | 9

If you have a number of gaps and not enough databases to fill them you can create new databases with no data in them to consume database ids.
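The steps above, carried through as an added example (not from the post or from Microsoft’s article): a small planner that, given the destination’s current ids, works out which placeholder databases to create and which database to detach so that the imported database lands on the id it had at the source, and then simulates where every database ends up. The placeholder names and the imported database name are hypothetical.

```python
SYSTEM_DB_IDS = {1: "master", 2: "tempdb", 3: "model", 4: "msdb"}  # always fixed

# Destination instance from the table above; note the gap at id 6.
DEST_EXAMPLE = {"master": 1, "tempdb": 2, "model": 3, "msdb": 4,
                "Database1": 5, "Database2": 7, "Database3": 8, "Database4": 9}

def lowest_free_id(used):
    """A database being attached takes the lowest id not currently in use."""
    candidate = 5
    while candidate in used:
        candidate += 1
    return candidate

def plan_attach(dest_ids, db_name, wanted_id):
    """Work out the create/detach/attach order that makes `db_name` receive
    `wanted_id` (its id on the source) at the destination. Returns (steps,
    final_ids): steps is a list of (action, database) pairs in execution order,
    final_ids the simulated name -> id map once they have all been carried out."""
    if wanted_id in SYSTEM_DB_IDS:
        raise ValueError("ids 1-4 belong to the system databases and cannot be reused")
    used = {db_id: name for name, db_id in dest_ids.items()}   # id -> name, a copy
    steps = []
    # Every id below the wanted one must be occupied, otherwise the attach lands
    # in the gap. Empty placeholder databases (hypothetical names) consume gaps.
    for gap in range(5, wanted_id):
        if gap not in used:
            used[gap] = f"filler_db_{gap}"
            steps.append(("create", used[gap]))
    # If the wanted id is taken, detach its current holder to free the slot.
    holder = used.pop(wanted_id, None)
    if holder is not None:
        steps.append(("detach", holder))
    new_id = lowest_free_id(used)
    assert new_id == wanted_id, "gap filling above guarantees this"
    used[new_id] = db_name
    steps.append(("attach", db_name))
    # Re-attaching the displaced holder gives it the next free id, not its old one.
    if holder is not None:
        used[lowest_free_id(used)] = holder
        steps.append(("attach", holder))
    return steps, {name: db_id for db_id, name in used.items()}
```

For the table above, `plan_attach(DEST_EXAMPLE, "ImportedDb", 7)` creates a placeholder for id 6, detaches Database2, attaches the import at 7 and re-attaches Database2, which then receives id 10.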

The rest of the process can follow the guide outlined in Microsoft’s knowledge base article 240867 so I will not go into details on the procedure.  I hope this helps you if you are in the same situation.

Microsoft Database Administrator

Another certification.  I took the MCDBA (Microsoft Certified Database Administrator) tests and passed them all.  I finished the last one today.  I will take a break from certifications for a while and then pick up on them after a few months.  I may try for CEH (Certified Ethical Hacker) next.  We will see.  For now, I will enjoy the rest of my vacation. 

SQL Server Issues

I put SQL Server on a Windows Server 2003 virtual machine on my new 64-bit laptop, but Enterprise Manager would not run. After some searching, I found a guide that helped me fix the issue. I had to change permissions on various registry entries under HKEY_CLASSES_ROOT and then manually register a few DLL files. Quite a number of services and processes had to be stopped during this procedure.

New technology works well with new technology, but new technology does not work well with old technology. My situation here is SQL Server 2000 on Windows Server 2003. If I were running SQL Server 2005, things would be different. However, I want to learn more about SQL Server 2000 before I learn about 2005. I like to know the history of technology and what changes were made in different versions.

Everything seems to be working now.  Problem solved.

SQL Server

I am always trying to learn something. I really enjoyed learning about programming yesterday and now I want to shift my efforts onto SQL Server. I have an install of SQL Server 2005 at school and I might have a copy of SQL Server 2000 at home. I plan to study and work with it for the next few months. I have one book on it and some lab manuals. I might order a few more depending on my interest. It feels good to be learning. Ian and I are going to go to the library on Saturday to study. We will have lunch too. I sure hope Chris will join us. It would be fun for Ian to study for the MCSD, Chris to study for A+ and me to study SQL Server. Porter library in Westlake has wireless internet and a nice atmosphere.

SQL Server Event

Richard Hale and I took my classes on a field trip to the Microsoft offices here in Cleveland for a SQL Server event. They gave us lunch at the event. It was nice to see the Microsoft facilities, but I was not overly impressed with the presentation itself. The content was a little too technical for the students, and some things were too complex for Richard and me to understand. They showed a few charts without explaining the data, which gave the impression that the data was not very supportive of their claims or that it was not very accurate. The event did show the students the importance of knowing their acronyms and that there is a lot out there that they do not know. It helped us all get a little more comfortable with SQL Server 2005, and that is certainly a good thing. I am not sorry that I attended the event because it let us all get out of the classroom for a while, which excited everyone. Thanks Microsoft!

I am looking into events for my night class to attend since this event took place during the morning class hours. I am thinking of attending one of the local user groups since they usually meet around 6:00 PM. I just need to find the right one and get approval from the college.