Cerber, the latest ransomware threat, doesn’t just encrypt all of your files: it also tells you about it, out loud, and repeatedly. It’s like something out of a 90s hacker movie, except this isn’t fake: your files really are all gone until you pay up.
“Attention! Attention! Attention!” is what infected computers will say to their users, using the text-to-speech engine built into Windows. “Your documents, photos, databases, and other files have been encrypted!”
Ransomware is malware that infects a users’ computer, then starts encrypting all of the files on it. Assuming users don’t have backups, the only way to get files back is to pay the hackers for a decryption key. Cerber is the latest in a long line of similar attacks, but is unique in a few ways, including the bizarre voice.
Cerber’s modis operandi is outlined in a blog post by Lawrence Abrams of security blog BleepingComputer, which explains that copies of the ransomware are reportedly available for sale on an underground Russian hacker forum. Essentially, this is a franchise model: would-be hackers can use the ransomware, but the original creator also gets a cut.
When the malware spreads to a new machine, it first checks to see if that computer is inside particular countries including Russia and a number of former Soviet block nations. If the laptop is within those borders, the malware won’t do anything.
Then Cerber sets the computer to start in safe mode after the next reboot, and allows itself to run constantly: at boot, as the computer’s screensaver, and every minute just for good measure.
After a few forced reboots, Cerber will scan your computer for certain filetypes including Office documents, photos, PDFs, music, and most other common filetypes, and encrypt them with the near-uncrackable AES-256 algorithm. Cerber can also scan the network for Windows shares, and encrypt files on those machines as well.
Once the ransomware finishes encrypting files, it starts announcing its presence. HTML and TXT files in each encrypted folder explain what has happened, and direct users to install TOR and visit a particular page in order to pay up. For $500, victims can regain access to their files. The VBS files, meanwhile, triggers the aforementioned audio announcement.
There’s currently no way to decrypt the files for free, which means users who really want access to their files are likely to pay up.
If you want to keep yourself safe from threats like this, make sure you have an up-do-date anti-malware application, use common sense while browsing, and make sure you keep backups of all your files.