Cerber2 Ransomware
Posted: August 5, 2016
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Ranking: | 8,105 |
|---|---|
| Threat Level: | 10/10 |
| Infected PCs: | 168,369 |
| First Seen: | March 4, 2016 |
|---|---|
| Last Seen: | October 16, 2023 |
| OS(es) Affected: | Windows |
The Cerber2 Ransomware is the successor of the Cerber Ransomware, a threat that went rampant for months before finally being stopped by malware researchers who developed the Cerber Decryptor successfully, a utility capable of restoring the files that the Cerber Ransomware had encrypted previously. However, it seems like the original threat's authors will not give up, and their new product, the Cerber2 Ransomware, comes with a ton of improvements that make it more difficult to detect and decrypt.
The corrupted files used to spread the Cerber2 Ransomware are packed via a new technique that is more successful at disguising the harmful traits of the file. However, anti-virus product vendors are already aware of this, and most reputable anti-malware products can detect the Cerber2 Ransomware's signature and stop if before it does any damage. Unfortunately, users without sufficient threat protection may not be able to do much once the Cerber2 Ransomware starts encrypting their computer's files. The second version of this crypto threat utilizes the Microsoft API CryptGenRandom function and generates a unique 32-bit encryption key for every victim. The key is stored on a remote Command & Control server so that it would be impossible for cyber security experts to get their hands on the data they need to decrypt files that the Cerber2 Ransomware locks.
Every file that the Cerber2 Ransomware locks is renamed to include the '.the Cerber2' file extension. Furthermore, the ransomware drops several ransom notes on the user's desktop that are stored in the following files: # DECRYPT MY FILES #.HTML, # DECRYPT MY FILES #.TXT, # DECRYPT MY FILES #.VBS. The ransom note states that the users who wish to restore their files must pay a ransom fee. The amount of the fee isn't mentioned, but the original Cerber Ransomware asked for 1.4 BTC (~$800) using the payment instructions seen in the note. Failing to pay the sum in one week will double the ransom fee to the staggering 2.8 BTC (~$1600). Regardless of the money the Cerber2 Ransomware asks for, users must not comply with the request, and they must not send any money to the authors of the attack! Despite the lack of a free decryptor, users might still be able to restore their data partially via tools like the Shadow Explorer and the Windows System Restore. Another option is to save the encrypted files in case a free decryptor becomes available soon.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%ALLUSERSPROFILE%\Readme.hta
File name: Readme.htaSize: 9.07 KB (9077 bytes)
MD5: 8f85ab4bb455ce6d413eff9e9d47a506
Detection count: 126
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\README.hta
File name: README.htaSize: 63.11 KB (63113 bytes)
MD5: 777e13c9a5cad4e1d2134d5104188ff6
Detection count: 101
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\README.hta
File name: README.htaSize: 61.8 KB (61802 bytes)
MD5: c4fff6005b70cccd895082e6c79595b3
Detection count: 84
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\wP6fT.exe
File name: wP6fT.exeSize: 322.56 KB (322560 bytes)
MD5: 731279e3c09f8e52a849c0a9c1043bb5
Detection count: 72
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: July 18, 2017
%APPDATA%\_HELP_HELP_HELP_GLP9_.hta
File name: _HELP_HELP_HELP_GLP9_.htaSize: 75.86 KB (75864 bytes)
MD5: 5f7533c663ddb4c0ae4dbbaafb50d491
Detection count: 60
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\README.hta
File name: README.htaSize: 63.05 KB (63059 bytes)
MD5: e189ce9640edc95a1ba19d0d4d85691b
Detection count: 56
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: February 24, 2017
%APPDATA%\_HELP_HELP_HELP_SUXEZY_.hta
File name: _HELP_HELP_HELP_SUXEZY_.htaSize: 75.9 KB (75904 bytes)
MD5: 5190e890725bf431ba44001e190c70f5
Detection count: 56
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\_READ_THI$_FILE_DB3DT9_.hta
File name: _READ_THI$_FILE_DB3DT9_.htaSize: 77.05 KB (77053 bytes)
MD5: 7476a75b0680d99f5338b886bc7def62
Detection count: 54
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
file.exe
File name: file.exeSize: 243.74 KB (243748 bytes)
MD5: 212fa73fd6ed39b4720bcfd8d97426d5
Detection count: 46
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 26, 2017
%APPDATA%\README.hta
File name: README.htaSize: 63.14 KB (63140 bytes)
MD5: 107ab5eae352dab9defab24d3ba77b4a
Detection count: 42
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: February 24, 2017
%APPDATA%\_HELP_HELP_HELP_2R9I63OS.hta
File name: _HELP_HELP_HELP_2R9I63OS.htaSize: 75.78 KB (75787 bytes)
MD5: a2daec078c54bb6bc5e96038a1506f2c
Detection count: 34
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\_HELP_HELP_HELP_HUUKTW_.hta
File name: _HELP_HELP_HELP_HUUKTW_.htaSize: 75.86 KB (75864 bytes)
MD5: 0224da72bc3638b351cf509cdfc443c2
Detection count: 30
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%USERPROFILE%\Start Menu\Programs\Startup\_HELP_HELP_HELP_RSHI_.hta
File name: _HELP_HELP_HELP_RSHI_.htaSize: 75.9 KB (75904 bytes)
MD5: a46e5f2ce8a20bbb8548959debb9ac0c
Detection count: 23
Mime Type: unknown/hta
Path: %USERPROFILE%\Start Menu\Programs\Startup
Group: Malware file
Last Updated: April 15, 2017
%USERPROFILE%\Start Menu\Programs\Startup\_HELP_HELP_HELP_STOV8H1_.hta
File name: _HELP_HELP_HELP_STOV8H1_.htaSize: 75.86 KB (75864 bytes)
MD5: 1632ca0953d5499bf251455159a80ea0
Detection count: 14
Mime Type: unknown/hta
Path: %USERPROFILE%\Start Menu\Programs\Startup
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\_HELP_HELP_HELP_ND8FZ.hta
File name: _HELP_HELP_HELP_ND8FZ.htaSize: 75.78 KB (75787 bytes)
MD5: 041ef4b6a12e0b3165172884301b0d1e
Detection count: 12
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
c:\Users\<username>\appdata\roaming\{6b977300-2501-f740-f2c0-799d6aca21c2}\cmdkey.exe
File name: cmdkey.exeSize: 659.58 KB (659585 bytes)
MD5: 27cf39d205567505d840391e4761a7a0
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: c:\Users\<username>\appdata\roaming\{6b977300-2501-f740-f2c0-799d6aca21c2}
Group: Malware file
Last Updated: October 17, 2018
%APPDATA%\_HELP_HELP_HELP_XFCV_.hta
File name: _HELP_HELP_HELP_XFCV_.htaSize: 75.9 KB (75904 bytes)
MD5: 01ec9e50d17de043a23997d6562293ad
Detection count: 7
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\_HELP_HELP_HELP_3NNARI.hta
File name: _HELP_HELP_HELP_3NNARI.htaSize: 75.78 KB (75787 bytes)
MD5: 0ef13a9213c456db231825061eec294c
Detection count: 5
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\_HELP_HELP_HELP_L41VV_.hta
File name: _HELP_HELP_HELP_L41VV_.htaSize: 75.86 KB (75864 bytes)
MD5: c63b4a524713e4c5f3802463cb46dab8
Detection count: 5
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
%APPDATA%\_READ_THI$_FILE_L81EB65A_.hta
File name: _READ_THI$_FILE_L81EB65A_.htaSize: 77.01 KB (77010 bytes)
MD5: 2a6828d2ba37bb97efb4773619b80715
Detection count: 5
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017
More files
Registry Modifications
File name without path# DECRYPT MY FILES #.html# DECRYPT MY FILES #.url# DECRYPT MY FILES #.vbs_README_.hta
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.