Nine circles of Cerber

Wednesday 4 October 14:00 - 14:30, Red room

Stanislav Skuratovich (Check Point Software Technologies)
Or Eshed (Check Point Software Technologies)



Without a doubt, 2016 was the year of ransomware. What makes ransomware so attractive to attackers is that it offers the possibility of large profits without requiring too much effort. With the availability of ransomware-as-a-service, someone with very little actual knowledge of computers can easily manage a highly profitable campaign. A wide variety of different ransomware families have appeared over the past year, including Locky, CryptoWall and CryptXXX, to name just a few. Let's talk about the very profitable Cerber.

The Cerber ransomware was mentioned for the first time in March 2016 on some Russian underground forums, on which it was offered for rent in an affiliate programme. Since then, it has been spread massively via exploit kits, infecting more and more users worldwide, mostly in the APAC (Asia-Pacific) region. As of now, there are six major versions.

There have been multiple successful attempts to decrypt users' files without paying a ransom. At the end of July 2016, Trend Micro released a partially working decryptor for the first version of Cerber [1]. In early August, we had the chance to take a look at the original Cerber decryptor code that was available for download upon payment of the ransom. Our main goal was to discover a flaw, based on the standard approaches we use against ransomware. From our perspective, it wouldn't have been as much fun if such a flaw were one of the expected bugs - and fortunately, the one we discovered wasn't. However, as with any flaw, you need to hide the solution from the criminals.

In an ironic twist, the ransomware authors released a new Cerber 2 version the day before we were due to release our decryptor. In order to be able to provide our decryption tool to as many victims as possible, we gathered forces and were able to adapt it to the new version on the same day, thus managing to reveal it on time. The tool was used by many victims worldwide. (References [2, 3] tell the whole story of the ransomware's fatal flaw and the launch of the free decryption service.)

Do you want to dive deep into the background of Cerber as a service, the business operations, the money flow between the attacker and the affiliate, full global infection statistics, and the estimated overall profit made by the criminals [4]? For the first time, that story will be told.

[1] http://blog.trendmicro.com/trend-micro-ransomware-file-decryptor-updated/

[2] http://www.bleepingcomputer.com/news/security/check-point-releases-working-decryptor-for-the-cerber-ransomware/

[3] http://www.bankinfosecurity.com/cerber-2-ransomware-free-decryption-tool-released-a-9341

[4] http://blog.checkpoint.com/2016/08/16/cerberring/


Stanislav Skuratovich

Stanislav Skuratovich works as a malware reverse engineer at Check Point Software Technologies. He is interested in how things work from the inside, so any type of software/hardware reverse engineering is his hobby. He is very passionate about embedded devices. At work he deals with sophisticated malware, develops automated systems for analysis & clustering DGA-enabled malware, and discovers new sandbox evasion techniques. His hobbies include travelling to deserted places, CTFs sometimes, and learning new stuff.
