
Ransomware - Cerber

  • 20-10-2016 12:09pm
    #1
    Registered Users Posts: 61 ✭✭


    Hi Clever People,

    a buddy of mine has gotten himself into a bit of trouble. His external hard drive has been encrypted by the Cerber Ransomware.

    I've tried booting Hirens Boot CD to look at the drive and see about how to decrypt the files but Hirens does not seem to recognise the external USB 3.0 HDD.

    Can anyone offer tips on how to mount this drive, under which OS I can see the drive, or tips on booting from a virtual drive CD?

    Thank you very much.

    P.


Comments

  • Registered Users Posts: 6,799 ✭✭✭DopeTech


    bigpaudge wrote: »
    Hi Clever People,

    a buddy of mine has gotten himself into a bit of trouble. His external hard drive has been encrypted by the Cerber Ransomware.

    I've tried booting Hirens Boot CD to look at the drive and see about how to decrypt the files but Hirens does not seem to recognise the external USB 3.0 HDD.

    Can anyone offer tips on how to mount this drive, under which OS I can see the drive, or tips on booting from a virtual drive CD?

    Thank you very much.

    P.

    Haven't tried it myself but this is worth a look.

    http://www.2-spyware.com/remove-cerber-v4-0-ransomware-virus.html#method-1


  • Registered Users Posts: 772 ✭✭✭maki


    If the files have been encrypted and there are no backups, there's unfortunately no way to get them back without paying the ransom.


  • Registered Users Posts: 61 ✭✭bigpaudge


    maki wrote: »
    If the files have been encrypted and there are no backups, there's unfortunately no way to get them back without paying the ransom.

    I've seen tools are available from leading vendors (Trend Micro) etc... that claim to allow a decryption key to be generated from sample files that are uploaded to their website, but when I follow the link I get to a "this page not found" message.

    Interested to know if someone can recommend a virtual machine rig that I could set up to try and fix this without destroying my own machine?


  • Registered Users Posts: 772 ✭✭✭maki


    bigpaudge wrote: »
    I've seen tools are available from leading vendors (Trend Micro) etc... that claim to allow a decryption key to be generated from sample files that are uploaded to their website, but when I follow the link I get to a "this page not found" message.

    Interested to know if someone can recommend a virtual machine rig that I could set up to try and fix this without destroying my own machine?

    I don't see how something like that could exist, certainly not for AES-256, which is what the files here are encrypted with (well, this combined with RSA). AES is industry standard encryption. If Trend Micro could break it, nobody would use it anymore.

    It can't be brute forced either. I remember someone doing the maths on it, and they calculated that it would take 1 billion GPUs (which would require 150 nuclear power plants to power) longer than the age of the universe to exhaust half of the keyspace.
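    To put a number on the "longer than the age of the universe" claim above, here is an added example (not from the thread) that carries the keyspace arithmetic through; the per-GPU trial rate and the age of the universe are labelled assumptions chosen for illustration.

```python
# Added example: cost of exhaustively searching half of an AES keyspace
# with the figures quoted in the post (1 billion GPUs, half the keyspace).

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10   # assumption: ~13.8 billion years, comparison only
ASSUMED_KEYS_PER_GPU_PER_SEC = 1e9  # assumption: a generous 10^9 AES trials/s per GPU


def seconds_to_search(key_bits: int, gpus: int,
                      keys_per_gpu_per_sec: float, fraction: float = 0.5) -> float:
    """Wall-clock seconds to test `fraction` of a `key_bits`-bit keyspace.

    Expected time to hit a random key is half the keyspace, hence fraction=0.5.
    """
    keys_to_test = (2 ** key_bits) * fraction
    return keys_to_test / (gpus * keys_per_gpu_per_sec)


def universe_lifetimes(key_bits: int, gpus: int,
                       keys_per_gpu_per_sec: float = ASSUMED_KEYS_PER_GPU_PER_SEC) -> float:
    """Search time expressed as multiples of the (assumed) age of the universe."""
    secs = seconds_to_search(key_bits, gpus, keys_per_gpu_per_sec)
    return secs / SECONDS_PER_YEAR / AGE_OF_UNIVERSE_YEARS


if __name__ == "__main__":
    # Each extra key bit doubles the cost, so compare AES-128 with AES-256.
    for bits in (128, 256):
        print(f"AES-{bits}: {universe_lifetimes(bits, 10**9):.2e} universe lifetimes")
```

    With the assumed rate, AES-256 comes out at roughly 10^41 lifetimes of the universe, so even wildly optimistic hardware figures do not change the conclusion.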


  • Registered Users Posts: 61 ✭✭bigpaudge


    I just thought that there might be a page somewhere with a list of keys that people could try?

    I see the scenario as such: Ivan McRussian and his colleagues have a botnet located in central Europe. They log on in the morning, drink a coffee and after checking their bitcoin accounts and reading the latest Emails they might create a new list of keys for the next set of phishing mails to be sent out. If someone had paid their ransom and Ivan and his nice buddies sent the decryption key to a previous strain then that person might have shared that key so others could decrypt their files.... Is that just a nice fantasy of mine??


  • Registered Users Posts: 772 ✭✭✭maki


    bigpaudge wrote: »
    I just thought that there might be a page somewhere with a list of keys that people could try?

    I see the scenario as such: Ivan McRussian and his colleagues have a botnet located in central Europe. They log on in the morning, drink a coffee and after checking their bitcoin accounts and reading the latest Emails they might create a new list of keys for the next set of phishing mails to be sent out. If someone had paid their ransom and Ivan and his nice buddies sent the decryption key to a previous strain then that person might have shared that key so others could decrypt their files.... Is that just a nice fantasy of mine??

    While it's possible they'd do that, I don't see why they would. It would essentially completely kill off their malware quickly once people started sharing the keys. It's fairly trivial to generate a random key each time and associate it with each device, so I'll assume they did that.


  • Registered Users Posts: 2,025 ✭✭✭ItHurtsWhenIP


    Folks - that's not quite how ransomware works (well not most of it anyway).
    1. link/attachment comes in e-mail.
    2. hapless user clicks/opens.
    3. script calls home, asks for required encryption code.
    4. encryption code downloads and executes, firstly calling home for a 2048-bit encryption key (which is unique to this client).
    5. files scrambled with that key.
    6. hapless user notified of the horror.
    So sharing of keys is not going to work, as each one is unique.

    What the likes of Kaspersky and Trend Micro have done is find that Ivan McRussian wrote his encryption code like an idiot and did not actually encrypt it properly, thus making it easier for the good guys to unencrypt the files.

    OP you can have a look here, but it doesn't seem Cerber is covered.

    There's another resource here, but I don't know if that is updated or not, but it also doesn't cover Cerber by the look of it.

    Edit: Sorry that spreadsheet does cover Cerber. What I meant was that there was no decryptor for it.

