Category Archives: Ransomware

Cerber Ransomware Evades Detection With Many Components

Tags : , Install McAfee , McAfee Internet Security , McAfee Total Protection , McAfee Antivirus , McAfee Smart Phone Security and McAfee Identity Protection.

Cerber is a quickly evolving type of malware called crypto-ransomware. Cerber encrypts files on an infected computer and demands a ransom to restore them. (Read more about Cerber in this post.)

Cerber ransomware first appeared in early 2016 and remains hard to detect. It uses multicomponent behavior (installing several malicious files on the victim’s machine) that shows similarities to families such as Gamarue. Recent variants have added a loader component that appears to be designed to evade detection.

Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, exploits of vulnerable websites, and takes advantage of exploit kits Angler, Nuclear, and others. Recently we have seen self-extracting archives.

Cerber’s infection path.

The SFX archive contains three files: VBS script, DLL, and an X component. The SFX file runs a VBS script using wscript.exe. The script executes a DLL-export function through rundll32.exe, which further decrypts and executes the encrypted X component. The last component checks for reversing environment techniques and injects the loader component into either Regasm.exe, Csc.exe or WerFault.exe.

The extracted archive:



The opening script, N3W7MN.VBS, has the following command:

The X component is fully encrypted and looks like this:

This DLL loads the first encrypted part (see next image) of the x component in memory; a second part looks for anti-reversing techniques. The first encrypted component:

This component does following:

  • Checks for antimalware engines.

  • Checks whether WireShark, a virtual machine, or VBox is running.

  • Adds the content of the VBS file into a run entry and runs one time.
  • The malware uses run entries to add the VBS script into the startup sequence so that the malicious VBS script executes at every reboot.

  • Adds an entry to the task scheduler to reside on the system for a long time. Tasks are by default stored in %WinDir%\Tasks or %WinDir%\System32\Tasks.

  • Decrypts the second component (see next image) from the X component and injects it into Regasm.exe or WerFault.exe to hide itself.

The decrypted second component checks for the .Net framework. If found, the malware checks the available version and injects code into it. If .Net is not found, it injects code into WerFault.exe. In this way, Cerber is effective against 32-bit and 64-bit machines:

The injected component has some interesting methods to bypass user account control, a feature that prevents unauthorized changes to a computer. Via notification, UAC assures that these changes are made only with the permission of the administrator. If a standard user account is in the local admin group, then damage is limited. Installing services, writing to secure locations, etc. are denied. To make these changes, users would need to interact with the desktop, such as with a right-click and run as administrator or accepting the UAC elevation prompt. There are number of ways to bypass UAC; one of them follows:

In the preceding code the value of “pszname” is “elevation:Administrator!new:{guid}”.


Cerber uses several key techniques:

  • Multicomponents to perform its tasks.
  • Uses several anti-debugging, anti-emulation techniques.
  • Bypasses UAC to gain elevated access.

Cerber uses these techniques to try to evade machine learning defenses. Defenders cannot rely on static machine learning; the security industry must adapt with dynamic machine learning or consider multiple technologies to proactively protect systems.

McAfee advises users to always keep their antimalware signatures up to date. McAfee products detect all versions of this malware as Ransom-Cerber!, with DAT Versions 8489 and later.

Hashes used in this analysis:

  • 352f1ac1407a551e42c270a8d381ed7c2d74718356cee3c2206bb4836ea6349f: SFX
  • 4d66976a9c20c859d44ea0df2d3325d35ed4556d83d5251384dbd4b790537d11: DLL

Source : : Blog

Ransomware Variant XTBL Another Example of Popular Malware

Tags : , Install McAfee , McAfee Internet Security , McAfee Total Protection , McAfee Antivirus , McAfee Smart Phone Security and McAfee Identity Protection.

We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands ransom from its victims to decrypt the files. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers have used various social engineering tricks to distribute these samples disguised as a document (.pdf, .doc, .xls, etc.) file via double-extension trick to lure users into opening the file.

A sample spam email may look like this:


We analyzed XTBL and found it does the following:

  • Encrypts and deletes all user files including executables.
  • Deletes all backup copies.
  • Adds self-copies for rerunning.
  • Demands ransom.

After its activity, XTBL sets wallpaper as below:



In our static analysis of the malware sample, we found that it holds some encrypted data in its overlay. Upon execution, it decrypts this data, an executable, and injects it into its own subprocess.


This injected component is used for further infection. It decrypts all configuration information required for its infection. The information it contains:

  • RSA key size (first 4-byte group).
  • RSA key followed by key size.


  • RSA exponent:


  • Mail ID, where all information is sent:


  • “Magic” number used:
    • 006VGL (6 bytes). We have observed that each variant uses a different magic number though the pattern remains same, for example, 00{number}[A-Z]{3}.
  • Name of mutex created:
    • Global\snc_{filename}
  • Path to exclude from encryption:
    • %windir%
  • Files to exclude from encryption:
    • Svchost.exe
    • Explorer.exe
    • Boot.ini
  • Name of dropped components:
    • How to decrypt your files.txt.
    • DECRYPT.jpg
    • %desktop%\Log.txt
  • For persistence the malware drops its copy in %windir% and %appdata% and creates a run entry:
    • Software\Microsoft\Windows\CurrentVersion\Run

It also sends 159 bytes of data to the host:


This data contains the victim’s computer name, globally unique identifier, user ID, and magic number:


This injected file creates a separate thread for each drive. Each of these threads creates a further four threads responsible for:

  • Traversing directory
  • Renaming file
  • File encryption
  • Deleting original file

This ransomware family uses the CreateFileW API in nonshare mode as an antidebugging technique.


We found several steps for encrypting files.

Key generation

20 bytes of space is allocated for creating the key, which is generated using two sources, _ftime64()and Rand(), as shown:


The key is generated:

  • Dword_42C0A4 = Dword_42C0A4 ^ (1000*ms)
  • Dword_42C0A8 = Dword_42C0A4 ^ ((1000*ms) | data)
  • Dword_42C0AC = Dword_42C0A8 ^ rand ()
  • Dword_42C0B0 = Dword_42C0B0 ^ 0 i.e. 0

The key may look like this:


The ransomware computes the MD5 hash of 20 bytes of the generated key to get 16 bytes of data.


These 16 bytes will be used to encrypt the generated key using the RC4 algorithm.

To summarize, key is generated using following pseudocode:

  • Data = ([epochs]) ([ms*1000]) ([rand()]) ([0000])
  • Key = RC4(md5(Data),Data)

The key is encrypted using an RSA key in the configuration information.


File encryption

Files are encrypted using the AES256 algorithm.


Original files will be deleted after encryption and encrypted files will be renamed as follows:

  • Filename.ID{Id}.mail_address.XTBL


Each of the encrypted files is appended with data that holds some important fields:

  • Encrypted filename
  • Magic number (6 bytes)
  • Randomly generated initial vector for each file (10 bytes)
  • Padding (10 bytes)
  • RSA block (80 bytes)


List of Domains


How to prevent this infection

We advise all users to be careful when opening unsolicited emails and clicking unknown links. We strongly advise all users to block the preceding domain names.

McAfee products detect these XTBL variants as Ransom-XTBL-FUL!<partial-md5> and Ransom-XTBL-FUM!<partial-md5>.

Source : : Blog

Petya More Effective at Destruction Than as Ransomware

Tags : , Install McAfee , McAfee Internet Security , McAfee Total Protection , McAfee Antivirus , McAfee Smart Phone Security and McAfee Identity Protection.

At the beginning of the recent Petya malware campaign, the world was quick to exclaim this attack was ransomware. Now, with time to analyze the facts and make comparisons to other ransomware campaigns, this Petya attack does not look so much like ransomware. To back up this claim, let’s examine three other well-known ransomware campaigns: Cerber, Locky, and WannaCry.
Generally, the goal of ransomware is financial gain. For a ransomware family to make money in the long term, it must be able to both encrypt and decrypt files. These steps ensure that once payment is sent, data can be recovered. Otherwise, victims will learn that payments are worthless and the ransomware industry’s reputation will suffer, along with the loss in revenue for the criminal. Cerber, Locky, and WannaCry all had methods for decrypting files after encryption. Unlike Cerber and Locky, however, WannaCry lacked victim identification, which left most victims with encrypted disks even after payment. The recent Petya campaign does not include the capability to decrypt files due to changes in the key and victim ID, with or without payment. The word is spreading, and we can expect more and more victims to stop paying the ransom. In a financially motivated campaign, this significantly reduces the ransomware’s effectiveness. Thus, the orchestrators of this campaign appear to be either short sighted or not financially motivated.
What other indicators do we have of the attackers’ motivation? The behavior of malware can also help us infer intent of the authors. Let’s look at some key behaviors of the new campaign. Namely, the way it finds new hosts; the files it chooses to encrypt; its stealth tactics; and its ransom-note injunction with the method for collecting payment.
When Petya seeks new hosts it first checks to see if it is installed on a domain controller. If it is, it looks for the DHCP server service to understand the local network. Using this information, it then scans only the local network. If not on a domain controller, it uses an address resolution protocol (ARP) scan technique to discover the local network. See our previous post for more technical details.

In contrast, WannaCry generates random IP addresses to attempt to attack potential targets, not limited to the local network, allowing it to spread across the Internet. Cerber and Locky do not have a built-in spreading mechanism; they mostly use combinations of botnets and email spam or other social engineering techniques to infect users. If money is the motivation, as it is with traditional ransomware, the larger the spread across the Internet the better. Local spreading of the malware is more likely to cripple or sabotage a specific organization and less likely to spread across organizations. In this case, however, Petya also started to spread globally. One or more targets in the Ukraine were the first to be attacked. The infections spread from there. We believe that the Petya attackers did not intend to reach so broad an audience during the initial attack, yet still caused a lot of collateral damage.
The core function of ransomware is to encrypt files. Arguably the more files that are encrypted, the more effective the ransomware is. Encrypted files are the motivation for victims to pay ransoms. Most ransomware limits that files it encrypts based on file extension to ensure the victim’s system is still functional and the victim can pay the ransom.

In the preceding table, we compare the number of file types encrypted by the different ransomware families. A variant of Petya from nearly one year ago listed 228 extensions for encryption. These numbers show a large amount of coverage and the motivation to withhold as many files as possible without crippling the system. The recent Petya campaign targets only 65 file types and significantly reduces the time it takes for victims’ files to be fully encrypted. Although there can be reasons for speedy encryption, the actors sacrificed potentially important files, which cannot be used as leverage to entice victims to pay the ransomware.
When Cerber, Locky, WannaCry and previous Petya variants encrypt a file, they add their own extension to the file. This shows the user that the file is still there, but no longer in the usual format. The current Petya does not add an extension to a file after encryption. The users remain unaware of encryption or even which files are encrypted. They may not know if an important file they rarely access is indeed on the list of files they can no longer access. Instead of rebooting immediately, Petya restarts the system after an hour, allowing the malware some time to attack the network before anyone notices. Its priorities are to infect as many machines as possible instead of getting a ransom from a particular victim.
How do we explain Petya’s attacks against the master boot record and master file table? These render the entire system unusable. In this case why does encrypting files matter? The attack on the boot record and file table are similar to the behavior of the previous version of Petya, but there is one important difference. In research reported by Hasherezade, the new Petya destroys the Salsa20 cipher key by erasing it from the disk. In previous versions of Petya, the key is backed up in the victim’s ID before being erased—allowing for the recovery of the disk. Hasherezade also shows that the victim’s ID is generated before the random Salsa20 key is made, proving there is no relationship between the Salsa20 key and the victim’s ID. A reboot is required for this overwrite to take effect and supports the priorities we have mentioned. This difference in priorities implies the attackers are looking for pure destruction—closer in behavior to campaigns like Shamoon rather than ransomware such as Cerber, Locky, and WannaCry.
Before infection After infection

Before After

Another distinct characteristic of the new Petya is that it attempts to cover its tracks. This variant has code to delete Windows event logs to make it harder for researchers to discover what it does. This secrecy is not present in major ransomware families such as Cerber, Locky, or WannaCry. Ransomware by nature is not stealthy; it needs to be seen by the user. It must be visible for the attackers to get paid. It is not uncommon to see antimalware evasion techniques in ransomware, but Petya’s cleanup at the end of the infection does not provide any coverage against antimalware products. Removing Windows logs does not match the normal steps of ransomware.

For ransomware to be financially effective, it needs a mechanism to collect payments. Cerber, Locky, and WannaCry use the TOR network in conjunction with a Bitcoin wallet. If the ransom is not sent within a certain time, the cost increases. This ticking clock pushes the user to pay as quickly as possible, a common social engineering technique. The use of TOR also makes the malware difficult to track. Petya uses a Bitcoin wallet but provides an email address to contact. It does not set a time limit or threaten to increase the cost. Effectively, it removes proven techniques used in the past to increase profits. Although email can be difficult to track, it provides more clues for law enforcement to follow than a TOR web page. A financially motivated attacker will try to force a user to pay as soon as possible, as we have seen in other ransomware campaigns.
The attacks that began on June 27 by the new Petya campaign are no doubt malicious and caused serious damage. In the rush to find solutions and combat this new threat, is it possible the world miscategorized this new threat? Our analysis comparing Petya to previous ransomware families supports the idea that this attack was not ransomware but was intended to maximize destruction. The attackers decisions regarding propagation suggest they may have had a certain group or groups in mind as targets. The security industry has seen many examples of campaigns intended to destroy systems, such as Shamoon and Shamoon 2.
Unfortunately, we expect to see more targeted acts of destruction in the future. The industry has also been knee deep in numerous new ransomware families and variants during the last two years. However, two major recent families seem to break the ransomware mold: to a lesser extent, WannaCry, which has more ransomware capabilities, and, to a greater extent, the new Petya variant, which appears to be significantly more interested in destruction than money. (We expressed our suspicions about WannaCry in “Is WannaCry Really Ransomware ?”) For malware like this, demanding a ransom may be a red herring, merely a distraction to hide its true intentions.

Source : : Blog