New version of Cerber ransomware hits businesses where it hurts

12 months ago
Eric Vanderburg

The latest version of Cerber ransomware is targeting database applications and putting business’s most valuable data at risk, according to recent reports.

Large database applications such as Oracle, Microsoft SQL Server, MySQL and others hold the critical data behind Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Electronic Medical Record (EMR) systems. The latest version aims to encrypt all of them, in addition to documents, spreadsheets and multimedia files.

How Cerber ransomware works

Ransomware victims are not chosen on an individual basis. Instead, they are usually found within a pool of available targets organized by country, region or industry. This semi-targeted approach is used to ensure that as many targets as possible have the means to pay the ransom, either because they live in regions with a high median income or because they work in industries known to pay up. Cybercriminals like those spreading the new version of Cerber may also target databases, where many businesses store their most important information.

Once Cerber infects a system, it checks whether it is running in a target country. It targets all countries except Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan. Cerber then copies itself into the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ directory under a randomly generated executable name. Before encrypting, it escalates its privileges through a UAC bypass based on DLL hijacking. Cerber needs the elevated privileges in order to stop services that, if left running, would disrupt the encryption of database files.

Database files are written to frequently, and database engines keep them open so that data held in memory can be flushed to disk and served to applications quickly. Encrypting a file while the engine still holds it open risks corrupting it, and criminals would lose their victims' willingness to pay if decryption after payment produced unusable databases. That is why Cerber stops the services first.

Here are the applications whose processes Cerber terminates before it encrypts their files. If you are running these processes and they stop unexpectedly, especially several of them within a few seconds of each other, this could be a sign of Cerber infection. Each process below is a Microsoft Windows executable; Cerber ransomware currently affects databases running on Windows only. Process names are reproduced as reported, including the concatenated Oracle entries.

Application                        Processes terminated
Citrix MetaFrame                   encsvc.exe
Microsoft SQL Server               msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe
Mozilla Firefox                    firefoxconfig.exe
Mozilla Thunderbird                tbirdconfig.exe
MySQL                              mysqld.exe, mysqld-nt.exe, mysqld-opt.exe
Oracle                             agntsvc.exe, agntsvc.exeisqlplussvc.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, dbsnmp.exe, isqlplussvc.exe, mydesktopservice.exe, mydesktopqos.exe, oracle.exe, ocssd.exe, ocautoupds.exe, ocomm.exe, synctime.exe, xfssvccon.exe
Red Gate Software's SQL Backup Pro sqbcoreservice.exe
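The detection hint above can be turned into a simple correlation rule: one database service stopping is routine maintenance, but several processes from the kill list terminating within seconds of each other on the same host is the behaviour the article describes. The following is an added example written for this page, not code from the article's author or from any Cerber analysis. It assumes process-termination telemetry of the kind Sysmon Event ID 5 or an EDR agent produces (timestamp, event type, image path); the event records, paths and times in it are constructed sample data.

```python
"""Flag Cerber-style mass termination of database processes.

Added example (not the article's code). Correlates process-termination
events against the kill list quoted in the article and alerts only when
several distinct kill-list processes stop inside a short window.
"""
from datetime import datetime, timedelta

# Process names the article lists as terminated by Cerber, lower-cased.
# The concatenated Oracle entries are omitted here because an endpoint
# agent would report the real image names (agntsvc.exe, encsvc.exe, ...).
CERBER_KILL_LIST = {
    "encsvc.exe", "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe",
    "sqlservr.exe", "sqlwriter.exe", "firefoxconfig.exe", "tbirdconfig.exe",
    "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "agntsvc.exe",
    "dbsnmp.exe", "isqlplussvc.exe", "mydesktopservice.exe",
    "mydesktopqos.exe", "oracle.exe", "ocssd.exe", "ocautoupds.exe",
    "ocomm.exe", "synctime.exe", "xfssvccon.exe", "sqbcoreservice.exe",
}

# Constructed sample telemetry: (timestamp, event type, image path).
# Loosely modelled on Sysmon Event ID 5 (ProcessTerminate) fields; every
# path and time below is invented for this example.
SAMPLE_EVENTS = [
    # A lone planned restart of SQL Server at night: should NOT alert.
    ("2017-01-10 02:00:00", "ProcessTerminate", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    ("2017-01-10 08:59:12", "ProcessTerminate", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    # Five kill-list processes stopping within three seconds: should alert.
    ("2017-01-10 09:00:01", "ProcessTerminate", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    ("2017-01-10 09:00:01", "ProcessTerminate", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe"),
    ("2017-01-10 09:00:02", "ProcessTerminate", r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"),
    ("2017-01-10 09:00:03", "ProcessTerminate", r"C:\Program Files\MySQL\bin\mysqld.exe"),
    ("2017-01-10 09:00:03", "ProcessTerminate", r"C:\app\oracle\product\bin\oracle.exe"),
    ("2017-01-10 09:45:30", "ProcessTerminate", r"C:\Windows\System32\notepad.exe"),
]


def parse_event(record):
    """Normalise one raw record into (datetime, event type, lower-cased image name)."""
    ts_text, kind, image = record
    ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ts, kind, name


def find_mass_terminations(records, window=timedelta(seconds=30), threshold=3):
    """Return a list of alerts, each (first_timestamp, sorted distinct image names),
    for every span of at most `window` in which at least `threshold` distinct
    kill-list processes terminated. Each cluster is reported once."""
    hits = sorted(
        (ts, name)
        for ts, kind, name in map(parse_event, records)
        if kind == "ProcessTerminate" and name in CERBER_KILL_LIST
    )
    alerts = []
    i = 0
    while i < len(hits):
        start_ts = hits[i][0]
        names = set()
        j = i
        # Extend the window forward from this hit, collecting distinct names.
        while j < len(hits) and hits[j][0] - start_ts <= window:
            names.add(hits[j][1])
            j += 1
        if len(names) >= threshold:
            alerts.append((start_ts, sorted(names)))
            i = j  # skip past the cluster so it is not reported again
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for when, procs in find_mass_terminations(SAMPLE_EVENTS):
        print(f"ALERT {when}: {len(procs)} kill-list processes stopped: {', '.join(procs)}")
```

The window and threshold are tuning knobs: a busy cluster host may legitimately stop SQL Agent and SQL Server together during patching, so pair this rule with change-window context, and treat a match that coincides with a new executable under %AppData% as high priority.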

Decryption tools were made available for earlier versions of Cerber, but they were removed when newer versions of Cerber came out. A high-quality database backup is therefore crucial for recovering an encrypted database. Since enterprise database systems change constantly as new transactions occur, backups are often continuous or scheduled at very short intervals so that little or no data is lost when a failure occurs. Backups also need to be stored where a compromised host cannot overwrite or encrypt them. It is equally important to test the restore process regularly, to confirm that all relevant data is captured and that it can be recovered within an acceptable time frame.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.