Nine circles of Cerber

Wednesday 4 October 14:00 - 14:30, Red room

Stanislav Skuratovich (Check Point Software Technologies)
Or Eshed (Check Point Software Technologies)
Yaniv Balmas (Check Point Software Technologies)

Without a doubt, 2016 was the year of ransomware. What makes ransomware so attractive to attackers is that it offers the possibility of large profits without requiring too much effort. With the availability of ransomware-as-a-service, someone with very little actual knowledge of computers can easily manage a highly profitable campaign. A wide variety of different ransomware families have appeared over the past year, including Locky, CryptoWall and CryptXXX, to name just a few. Let's talk about the very profitable Cerber.

The Cerber ransomware was mentioned for the first time in March 2016 on some Russian underground forums, on which it was offered for rent in an affiliate programme. Since then, it has been spread massively via exploit kits, infecting more and more users worldwide, mostly in the APAC (Asia-Pacific) region. As of now, there are six major versions.

There have been multiple successful attempts to decrypt users' files without paying a ransom. At the end of July 2016, Trend Micro released a partially working decryptor for the first version of Cerber [1]. In early August, we had the chance to take a look at the original Cerber decryptor code that was available for download upon payment of the ransom. Our main goal was to discover a flaw, based on the standard approaches we use against ransomware. From our perspective, it wouldn't be as much fun if such a flaw was one of the expected bugs - and fortunately, the one we discovered wasn't. However, as with any flaw, you need to hide the solution from the criminals.

In an ironic twist, the ransomware authors released a new Cerber 2 version the day before we were due to release our decryptor. In order to provide our decryption tool to as many victims as possible, we joined forces and adapted it to the new version on the same day, thus managing to release it on time. The tool was used by many victims worldwide. ([2, 3] give the whole story of the ransomware's fatal flaw and the installation of the free decryption service.)

Do you want to dive deep into the background of Cerber as a service, the business operations, the money flow between the attacker and the affiliate, full global infection statistics, and the estimated overall profit of the criminals [4]? For the first time, that story will be told.

Stanislav Skuratovich

Stanislav Skuratovich works as a malware reverse engineer at Check Point Software Technologies. He is interested in how things work from the inside, so any type of software/hardware reverse engineering is his hobby. He is very passionate about embedded devices. At work he deals with sophisticated malware, develops automated systems for the analysis and clustering of DGA-enabled malware, and discovers new sandbox evasion techniques. His hobbies include travelling to deserted places, the occasional CTF, and learning new things.
Yaniv Balmas

Yaniv Balmas is a software engineer and a seasoned professional in the security field. He wrote his very first piece of code in BASIC on the new Commodore-64 he got for his 8th birthday. As a teenager, he spent his time looking for ways to hack computer games and break BBS software. This soon led to diving into more serious programming, and ultimately, the security field where he has been ever since. Yaniv is currently a Security Research Group Manager at Check Point Software Technologies.