Cerber (Crypto-Ransomware)

Malekal_morte
Site Admin
Posts: 86216
Joined: 10 Sep 2005 13:57

Cerber (Crypto-Ransomware)

Post by Malekal_morte » 27 Feb 2016 18:51

Cerber is a crypto-ransomware (file-encrypting ransomware) that appeared at the end of February 2016 and mainly targets Windows operating systems and network shares. Cerber stands apart in that it takes this kind of threat to a level well above the other ransomware currently in circulation (read: Cerber gives its victims goosebumps).

Overview of the Cerber ransomware

Like all ransomware run by professional groups, this one evolves over time.
We are currently at version 6.
Here is a summary of all the campaigns and versions.

Initially, Cerber changes the extension of encrypted files to .cerber and drops the following files:
# DECRYPT MY FILES #.txt
# DECRYPT MY FILES #.html
# DECRYPT MY FILES #.vbs
First variant of the Cerber ransomware, on video (embedded in the original post):


Latest variant:

  • random extensions
  • instructions in French, in .hta files
The payment instructions are hosted on the TOR network.
You have to buy the Cerber Decryptor with Bitcoin.

Here is the page with the purchase instructions, followed by the latest variant in French (screenshots in the original post).

Text version of the Cerber ransomware instructions:
C E R B E R
-----------
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:

---------------------------------------------------------------------------------------

1. Download and install the "Tor Browser" from https://www.torproject.org/
2. Run it
3. In the "Tor Browser" open website:
http://decrypttozxybarc.onion/6FBA-1FBA-BD8D-0042-FFF5
4. Follow the instructions at this website

---------------------------------------------------------------------------------------
«...Quod me non necat me fortiorem facit.»

Documents encrypted by the Cerber ransomware, with the .cerber extension (screenshot in the original post).

Windows Defender (Microsoft) can sometimes detect it as Ransom:Win32/Cerber.B or Behaviour:Win32/Cerber.gen!A.

Malwarebytes Anti-Malware detects it as Ransom.Cerber.

NOD32 detects it as Win32/FileCoder.Cerber.

When the dropper is properly detected, the result is:
SHA256: e9e8510d4ae6d8b2498079ec3100452dc78dbec24b10bf0fcaac84538f5d412a
File name: a.exe
Detection ratio: 25 / 54
Analysis date: 2016-06-15 07:06:44 UTC ( 2 minutes ago )

Antivirus Result Update
AVG Ransomer.LIQ 20160615
AVware Trojan.Win32.Reveton.a (v) 20160615
Ad-Aware Trojan.Ransom.Cerber.1 20160615
Arcabit Trojan.Ransom.Cerber.1 20160615
Avast Win32:Malware-gen 20160615
Avira (no cloud) TR/Crypt.XPACK.Gen7 20160614
Baidu Win32.Trojan.FileCoder.a 20160614
BitDefender Trojan.Ransom.Cerber.1 20160615
Cyren W32/Cerber.A.gen!Eldorado 20160615
DrWeb Trojan.Encoder.4794 20160615
ESET-NOD32 Win32/Filecoder.Cerber.B 20160615
Emsisoft Trojan.Ransom.Cerber.1 (B) 20160615
F-Prot W32/Cerber.A.gen!Eldorado 20160615
F-Secure Trojan.Ransom.Cerber.1 20160615
Fortinet W32/Cerber.B!tr 20160615
GData Trojan.Ransom.Cerber.1 20160615
Malwarebytes Ransom.Cerber 20160615
eScan Trojan.Ransom.Cerber.1 20160615
Microsoft Ransom:Win32/Cerber.B 20160615
Panda Trj/GdSda.A 20160614
Qihoo-360 HEUR/QVM20.1.D0BE.Malware.Gen 20160615
Symantec Trojan.Cryptolocker.AH 20160615
Tencent Win32.Trojan.Filecoder.Taev 20160615
TrendMicro-HouseCall Ransom_HPCERBER.SM 20160615
VIPRE Trojan.Win32.Reveton.a (v) 20160615
The Cerber ransomware keeps evolving and becomes ever more sophisticated at evading antivirus and anti-ransomware detection.
The latest version is version 6.
Here is a table summarising the antivirus evasion techniques:
Cerber ransomware versions - Source: Trend Micro, http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-ransomware-evolution/

How the Cerber ransomware is distributed

Always through the same methods, in particular malicious e-mail campaigns and malicious scripts (How to protect yourself from malicious scripts on Windows). The following diagram summarises this second part of the infection chain.
Cerber distribution - Source: Trend Micro, http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-ransomware-evolution/
More details on the distribution methods on the page: Ransomware Cerber.

Securing your Windows: how to avoid ransomware

To secure your Windows and avoid ransomware and the other threats known on the web, follow the Windows hardening tutorial.
=> Securing your Windows.

Recovering Cerber files

Recovering files encrypted by the Cerber ransomware is normally impossible.
At least, the attackers make sure there is no way to do so, in order to force you to pay.
Keep an eye on the following page in case a dedicated tool is released: Decryption tools (Decrypt Tools Ransomware)

You can try to recover the files with Shadow Explorer - previous versions.
More information: Ransomware and file recovery

Securing your Windows

How to protect yourself from malicious scripts on Windows
and restrict PowerShell: PowerShell viruses

And more generally, follow the advice on the page: Securing your Windows.
Basic security rule number one: think first, then click, not the other way round - Files and programs are like sweets: if they come from a stranger, you do not accept them.

Securing your computer (short version)

Software tutorials - Windows tutorial - Windows 10

Stop ads - unwanted pop-ups
supprimer-trojan.com: malware removal guide

Share malekal.com: feel free to share the articles you like on Facebook and Google Plus.
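As an added example (not from the original post or from any vendor tool), the Python script below triages a directory tree for the traces described in this thread: the ransom note names, the .cerber extension of the first variant, and folders where a single unusual extension dominates, as happens with the later random-extension variants. The sample tree it builds in a temporary directory, including the .k9z3 extension, is constructed for the demonstration.

```python
# Added example for this thread (not code from the original post or any vendor
# tool): triage a directory tree for file-system traces of a Cerber infection.
# All sample file names and the ".k9z3" extension below are constructed.
from __future__ import annotations

import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Ransom note names dropped by the first Cerber variant (quoted in the thread).
RANSOM_NOTE_NAMES = {
    "# DECRYPT MY FILES #.txt",
    "# DECRYPT MY FILES #.html",
    "# DECRYPT MY FILES #.vbs",
}
# Extension appended by the first variant; later variants use random ones.
KNOWN_EXTENSIONS = {".cerber"}
# Extensions whose mass presence in a user folder is expected, not suspicious.
COMMON_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".zip", ".html", ".htm",
}


@dataclass
class TriageReport:
    ransom_notes: list[Path] = field(default_factory=list)
    encrypted_files: list[Path] = field(default_factory=list)
    # folder -> (dominant unusual extension, number of files carrying it)
    suspicious_folders: dict[Path, tuple[str, int]] = field(default_factory=dict)

    @property
    def infected(self) -> bool:
        return bool(self.ransom_notes or self.encrypted_files
                    or self.suspicious_folders)


def triage(root: Path, min_files: int = 5, ratio: float = 0.8) -> TriageReport:
    """Walk *root* and collect Cerber indicators.
    A folder is suspicious when >= *min_files* of its files have an extension
    and a fraction >= *ratio* of them share one extension that is neither a
    known Cerber extension nor a common type (the later random-extension case).
    """
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        ext_counter: Counter[str] = Counter()
        for name in filenames:
            path = folder / name
            if name in RANSOM_NOTE_NAMES:
                report.ransom_notes.append(path)
                continue  # notes do not count towards the extension ratio
            ext = path.suffix.lower()
            if ext in KNOWN_EXTENSIONS:
                report.encrypted_files.append(path)
            if ext:
                ext_counter[ext] += 1
        total = sum(ext_counter.values())
        if total < min_files:
            continue
        ext, count = ext_counter.most_common(1)[0]
        if (ext not in COMMON_EXTENSIONS and ext not in KNOWN_EXTENSIONS
                and count / total >= ratio):
            report.suspicious_folders[folder] = (ext, count)
    return report


def build_sample_tree(base: Path) -> Path:
    """Create a constructed sample tree mimicking both Cerber variants."""
    docs = base / "Documents"  # first variant: notes + .cerber files
    docs.mkdir(parents=True)
    for note in RANSOM_NOTE_NAMES:
        (docs / note).write_text("ransom note placeholder")
    for i in range(6):
        (docs / f"report{i}.docx.cerber").write_bytes(b"\x00" * 16)
    photos = base / "Photos"  # later variant: one constructed random extension
    photos.mkdir()
    for i in range(8):
        (photos / f"holiday{i}.jpg.k9z3").write_bytes(b"\x00" * 16)
    (photos / "untouched.jpg").write_bytes(b"\xff\xd8")
    clean = base / "Clean"  # control folder, nothing should be flagged
    clean.mkdir()
    for i in range(6):
        (clean / f"notes{i}.txt").write_text("fine")
    return base


def demo() -> TriageReport:
    """Run the triage over a fresh sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    r = demo()
    print(r.infected, len(r.ransom_notes), len(r.encrypted_files),
          {f.name: v for f, v in r.suspicious_folders.items()})
```

Point `triage()` at a user profile or a mounted share to get the same report for a real tree; the thresholds are deliberately conservative so a folder of ordinary documents is not flagged.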


Re: Cerber (Crypto-Ransomware)

Post by Malekal_morte » 03 Apr 2016 13:08

Cerber ransomware still active: Cerber ransomware removal.

The instruction files have changed a little:

Code:

# DECRYPT MY FILES #.html
# DECRYPT MY FILES #.txt
# DECRYPT MY FILES #.vbs

Code:

  
  
    /######  /######## /#######  /#######  /######## /#######
   /##__  ##| ##_____/| ##__  ##| ##__  ##| ##_____/| ##__  ##
  | ##  \__/| ##      | ##  \ ##| ##  \ ##| ##      | ##  \ ##
  | ##      | #####   | #######/| ####### | #####   | #######/
  | ##      | ##__/   | ##__  ##| ##__  ##| ##__/   | ##__  ##
  | ##    ##| ##      | ##  \ ##| ##  \ ##| ##      | ##  \ ##
  |  ######/| ########| ##  | ##| #######/| ########| ##  | ##
   \______/ |________/|__/  |__/|_______/ |________/|__/  |__/
  
  
  #########################################################################
  
  
  Cannot you find the files you need?
  Is the content of the files that you looked for not readable?
  
  It is normal because the files' names, as well as the data in your files
  have been encrypted.
  
  Great!!!
  You have turned to be a part of a big community #CerberRansomware.
  
  
  #########################################################################
  
  
  !!!  If you are reading this message it means the software
  !!!  "Cerber Ransomware" has been removed from your computer.
  
  
  #########################################################################
  
  
  What is encryption?
  -------------------
  
  Encryption is a reversible modification of information for security
  reasons but providing full access to it for authorized users.
  
  To become an authorized user and keep the modification absolutely
  reversible (in other words to have a possibility to decrypt your files)
  you should have an individual private key.
  
  But not only it.
  
  It is required also to have the special decryption software
  (in your case "Cerber Decryptor" software) for safe and complete
  decryption of all your files and data.
  
  
  #########################################################################
  
  
  Everything is clear for me but what should I do?
  ------------------------------------------------
  
  The first step is reading these instructions to the end.
  
  Your files have been encrypted with the "Cerber Ransomware" software; the
  instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
  in the folders with your encrypted files are not viruses, they will
  help you.
  
  After reading this text the most part of people start searching in the
  Internet the words the "Cerber Ransomware" where they find a lot of
  ideas, recommendations and instructions.
  
  It is necessary to realize that we are the ones who closed the lock on
  your files and we are the only ones who have this secret key to
  open them.
  
  !!!  Any attempts to get back your files with the third-party tools can
  !!!  be fatal for your encrypted files.
  
  The most part of the third-party software change data within the
  encrypted file to restore it but this causes damage to the files.
  
  Finally it will be impossible to decrypt your files.
  
  When you make a puzzle but some items are lost, broken or not put in its
  place - the puzzle items will never match, the same way the third-party
  software will ruin your files completely and irreversibly.
  
  You should realize that any intervention of the third-party software to
  restore files encrypted with the "Cerber Ransomware" software may be
  fatal for your files.
  
  
  #########################################################################
  
  
  !!!  There are several plain steps to restore your files but if you do
  !!!  not follow them we will not be able to help you, and we will not try
  !!!  since you have read this warning already.
  
  
  #########################################################################
  
  
  For your information the software to decrypt your files (as well as the
  private key provided together) are paid products.
  
  After purchase of the software package you will be able to:
  
  1.  decrypt all your files;
  
  2.  work with your documents;
  
  3.  view your photos and other media;
  
  4.  continue your usual and comfortable work at the computer.
  
  If you understand all importance of the situation then we propose to you
  to go directly to your personal page where you will receive the complete
  instructions and guarantees to restore your files.
  
  
  #########################################################################
  
  
  There is a list of temporary addresses to go on your personal page below:
   _______________________________________________________________________
  |                                                                       |
  |  1.  http://decrypttozxybarc.dconnect.eu/3EB9-22E4-0759-0301-8A8F     |
  |                                                                       |
  |  2.  http://decrypttozxybarc.tor2web.org/3EB9-22E4-0759-0301-8A8F     |
  |                                                                       |
  |  3.  http://decrypttozxybarc.onion.cab/3EB9-22E4-0759-0301-8A8F       |
  |                                                                       |
  |  4.  http://decrypttozxybarc.onion.to/3EB9-22E4-0759-0301-8A8F        |
  |                                                                       |
  |  5.  http://decrypttozxybarc.onion.link/3EB9-22E4-0759-0301-8A8F      |
  |_______________________________________________________________________|
  
  
  #########################################################################
  
  
  What should you do with these addresses?
  ----------------------------------------
  
  If you read the instructions in TXT format (if you have instruction in
  HTML (the file with an icon of your Internet browser) then the easiest
  way is to run it):
  
  1.  take a look at the first address (in this case it is
      http://decrypttozxybarc.dconnect.eu/3EB9-22E4-0759-0301-8A8F);
  
  2.  select it with the mouse cursor holding the left mouse button and
      moving the cursor to the right;
  
  3.  release the left mouse button and press the right one;
  
  4.  select "Copy" in the appeared menu;
  
  5.  run your Internet browser (if you do not know what it is run the
      Internet Explorer);
  
  6.  move the mouse cursor to the address bar of the browser (this is the
      place where the site address is written);
  
  7.  click the right mouse button in the field where the site address
      is written;
  
  8.  select the button "Insert" in the appeared menu;
  
  9.  then you will see the address
      http://decrypttozxybarc.dconnect.eu/3EB9-22E4-0759-0301-8A8F
      appeared there;
  
  10. press ENTER;
  
  11. the site should be loaded; if it is not loaded repeat the same
      instructions with the second address and continue until the last
      address if falling.
  
  If for some reason the site cannot be opened check the connection to the
  Internet; if the site still cannot be opened take a look at the
  instructions on omitting the point about working with the addresses in
  the HTML instructions.
  
  If you browse the instructions in HTML format:
  
  1.  click the left mouse button on the first address (in this case it is
      http://decrypttozxybarc.dconnect.eu/3EB9-22E4-0759-0301-8A8F);
  
  2.  in a new tab or window of your web browser the site should be loaded;
      if it is not loaded repeat the same instructions with the second
      address and continue until the last address.
  
  If for some reason the site cannot be opened check the connection to
  the Internet.
  
  
  #########################################################################
  
  
  Unfortunately these sites are short-term since the antivirus companies
  are interested in you do not have a chance to restore your files but
  continue to buy their products.
  
  Unlike them we are ready to help you always.
  
  If you need our help but the temporary sites are not available:
  
  1.  run your Internet browser (if you do not know what it is run the
      Internet Explorer);
  
  2.  enter or copy the address
      https://www.torproject.org/download/download-easy.html.en into the
      address bar of your browser and press ENTER;
  
  3.  wait for the site loading;
  
  4.  on the site you will be offered to download Tor Browser; download and
      run it, follow the installation instructions, wait until the
      installation is completed;
  
  5.  run Tor Browser;
  
  6.  connect with the button "Connect" (if you use the English version);
  
  7.  a normal Internet browser window will be opened after
      the initialization;
  
  8.  type or copy the address
       ________________________________________________________
      |                                                        |
      | http://decrypttozxybarc.onion/3EB9-22E4-0759-0301-8A8F |
      |________________________________________________________|
  
      in this browser address bar;
  
  9.  press ENTER;
  
  10. the site should be loaded; if for some reason the site is not loading
      wait for a moment and try again.
  
  If you have any problems during installation or operation of Tor Browser,
  please, visit https://www.youtube.com/ and type request in the search bar
  "install tor browser windows" and you will find a lot of training videos
  about Tor Browser installation and operation.
  
  If TOR address is not available for a long period (2-3 days) it means you
  are late; usually you have about 2-3 weeks after reading the instructions
  to restore your files.
  
  
  #########################################################################
  
  
  Additional information:
  
  You will find the instructions for restoring your files in those folders
  where you have your encrypted files only.
  
  The instructions are made in two file formats - HTML and TXT for
  your convenience.
  
  Unfortunately antivirus companies cannot protect or restore your files
  but they can make the situation worse removing the instructions how to
  restore your encrypted files.
  
  The instructions are not viruses; they have informative nature only, so
  any claims on the absence of any instruction files you can send to your
  antivirus company.
  
  
  #########################################################################
  
  
  Cerber Ransomware Project is not malicious and is not intended to harm a
  person and his/her information data.
  
  The project is created for the sole purpose of instruction regarding
  information security, as well as certification of antivirus software for
  their suitability for data protection.
  
  Together we make the Internet a better and safer place.
  
  
  #########################################################################
  
  
  If you look through this text in the Internet and realize that something
  is wrong with your files but you do not have any instructions to restore
  your files, please, contact your antivirus support.
  
  
  #########################################################################
  
  
  Remember that the worst situation already happened and now it depends on
  your determination and speed of your actions the further life of
  your files.

Cerber can also change the desktop wallpaper to display the payment instructions:

SHA256: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c
File name: SndVol.exe
Detection ratio: 16 / 56
Analysis date: 2016-04-03 10:57:20 UTC (2 minutes ago)
Antivirus Result Update
AVware Trojan.Win32.Generic!BT 20160403
Ad-Aware Gen:Variant.Razy.36318 20160403
Arcabit Trojan.Razy.D8DDE 20160403
Avira (no cloud) TR/Dropper.VB.bhdk 20160403
BitDefender Gen:Variant.Razy.36318 20160403
ESET-NOD32 Win32/Filecoder.Cerber.B 20160403
Emsisoft Gen:Variant.Razy.36318 (B) 20160403
F-Secure Gen:Variant.Razy.36318 20160403
GData Gen:Variant.Razy.36318 20160403
Malwarebytes Trojan.Injector.VB 20160403
eScan Gen:Variant.Razy.36318 20160403
Microsoft Trojan:Win32/Porest!dha 20160403
Qihoo-360 HEUR/QVM03.0.Malware.Gen 20160403
Rising PE:Malware.Generic/QRS!1.9E2D [F] 20160403
Tencent Win32.Trojan.Filecoder.Hvjd 20160403
VIPRE Trojan.Win32.Generic!BT 20160403


Re: Cerber (Crypto-Ransomware)

Post by Malekal_morte » 08 Apr 2016 12:56

Microsoft can detect this ransomware as Ransom:Win32/Cerber



Re: Cerber (Crypto-Ransomware)

Post by Malekal_morte » 11 Apr 2016 11:17

News about the Cerber file-encrypting ransomware: https://blog.malwarebytes.org/threat-an ... vertising/
Cerber ransomware via AdsTerra malvertising
Related links:

Microsoft - The 3 heads of the Cerberus
https://blogs.technet.microsoft.com/mmp ... ansomware/

TrendMicro - Cerber, a crypto-ransomware that speaks, sold in Russian Underground
http://blog.trendmicro.com/trendlabs-se ... derground/

ICIT - Cerber, the latest weaponized encryption
https://icitech.org/wp-content/uploads/ ... Ranger.pdf

Team-Cymru - A look inside Cerber
http://blog.team-cymru.org/2016/04/a-lo ... ansomware/

FireEye - Cerber partners with Dridex
https://www.fireeye.com/blog/threat-res ... ridex.html
https://threatpost.com/cerber-ransomwar ... ts/118090/

Invincea - Cerber & DDoS attacks
https://www.invincea.com/2016/05/two-at ... os-attack/

Fortinet - Cerber marks its presence in the wild
https://blog.fortinet.com/2016/05/26/ce ... -and-locky

Invincea - New Cerber is morphing every 15 seconds
https://www.invincea.com/2016/06/hash-f ... 5-seconds/


Re: Cerber (Crypto-Ransomware)

Post by Malekal_morte » 27 May 2016 23:59

Following on from the WebExploit campaigns with Magnitude EK...

The cloud storage service Uptobox was abused through a malvertising campaign (booby-trapped advert) that redirects to an exploit kit delivering Cerber: Malvertising on Uptobox pushes the Cerber ransomware


EDIT - 10 June: malvertising campaign still active.
SHA256: 8e7c4a205d390e00edcfcfdbd06c79b20309593341d6b24bc1815f74b4aa05a4
File name: a.exe
Detection ratio: 9 / 56
Analysis date: 2016-06-10 10:14:08 UTC ( 1 minute ago )

Ad-Aware Gen:Variant.Graftor.290274 20160610
Arcabit Trojan.Graftor.D46DE2 20160610
Baidu Win32.Trojan.WisdomEyes.151026.9950.9998 20160608
BitDefender Gen:Variant.Graftor.290274 20160610
Emsisoft Gen:Variant.Graftor.290274 (B) 20160610
F-Secure Gen:Variant.Graftor.290274 20160610
GData Gen:Variant.Graftor.290274 20160610
McAfee-GW-Edition BehavesLike.Win32.FakeAlertSecurityTool.ch 20160610
eScan Gen:Variant.Graftor.290274 20160610

EDIT - In the following days, other advertising networks were affected (screenshots in the original post).


Re: Cerber (Crypto-Ransomware)

Post by Malekal_morte » 10 Jun 2016 12:35

The content of the instruction file has changed a little, but the name and the principle remain the same:

Code:

  
  
  C E R B E R   R A N S O M W A R E
  
  
  #########################################################################
  
  
  Cannot you find the files you need?
  Is the content of the files that you looked for not readable?
  
  It is normal because the files' names, as well as the data in your files
  have been encrypted.
  
  Great!!!
  You have turned to be a part of a big community #Cerber_Ransomware.
  
  
  #########################################################################
  
  
  !!!  If you are reading this message it means the software
  !!!  "Cerber Ransomware" has been removed from your computer.
  
  
  #########################################################################
  
  
  What is encryption?
  -------------------
  
  Encryption is a reversible modification of information for security
  reasons but providing full access to it for authorized users.
  
  To become an authorized user and keep the modification absolutely
  reversible (in other words to have a possibility to decrypt your files)
  you should have an individual private key.
  
  But not only it.
  
  It is required also to have the special decryption software
  (in your case "Cerber Decryptor" software) for safe and complete
  decryption of all your files and data.
  
  
  #########################################################################
  
  
  Everything is clear for me but what should I do?
  ------------------------------------------------
  
  The first step is reading these instructions to the end.
  
  Your files have been encrypted with the "Cerber Ransomware" software; the
  instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
  in the folders with your encrypted files are not viruses, they will
  help you.
  
  After reading this text the most part of people start searching in the
  Internet the words the "Cerber Ransomware" where they find a lot of
  ideas, recommendations and instructions.
  
  It is necessary to realize that we are the ones who closed the lock on
  your files and we are the only ones who have this secret key to
  open them.
  
  !!!  Any attempts to get back your files with the third-party tools can
  !!!  be fatal for your encrypted files.
  
  The most part of the third-party software change data within the
  encrypted file to restore it but this causes damage to the files.
  
  Finally it will be impossible to decrypt your files.
  
  When you make a puzzle but some items are lost, broken or not put in its
  place - the puzzle items will never match, the same way the third-party
  software will ruin your files completely and irreversibly.
  
  You should realize that any intervention of the third-party software to
  restore files encrypted with the "Cerber Ransomware" software may be
  fatal for your files.
  
  
  #########################################################################
  
  
  !!!  There are several plain steps to restore your files but if you do
  !!!  not follow them we will not be able to help you, and we will not try
  !!!  since you have read this warning already.
  
  
  #########################################################################
  
  
  For your information the software to decrypt your files (as well as the
  private key provided together) are paid products.
  
  After purchase of the software package you will be able to:
  
  1.  decrypt all your files;
  
  2.  work with your documents;
  
  3.  view your photos and other media;
  
  4.  continue your usual and comfortable work at the computer.
  
  If you understand all importance of the situation then we propose to you
  to go directly to your personal page where you will receive the complete
  instructions and guarantees to restore your files.
  
  
  #########################################################################
  
  
  There is a list of temporary addresses to go on your personal page below:
   _______________________________________________________________________
  |
  |  1.  http://cerberhhyed5frqa.xmfhr6.win/38A1-5B33-80D3-0072-8421
  |
  |  2.  http://cerberhhyed5frqa.cmfhty.win/38A1-5B33-80D3-0072-8421
  |
  |  3.  http://cerberhhyed5frqa.dk59jg.win/38A1-5B33-80D3-0072-8421
  |
  |  4.  http://cerberhhyed5frqa.xmfu59.win/38A1-5B33-80D3-0072-8421
  |
  |  5.  http://cerberhhyed5frqa.er48rt.win/38A1-5B33-80D3-0072-8421
  |_______________________________________________________________________
  
  
  #########################################################################
  
  
  What should you do with these addresses?
  ----------------------------------------
  
  If you read the instructions in TXT format (if you have instruction in
  HTML (the file with an icon of your Internet browser) then the easiest
  way is to run it):
  
  1.  take a look at the first address (in this case it is
      http://cerberhhyed5frqa.xmfhr6.win/38A1-5B33-80D3-0072-8421);
  
  2.  select it with the mouse cursor holding the left mouse button and
      moving the cursor to the right;
  
  3.  release the left mouse button and press the right one;
  
  4.  select "Copy" in the appeared menu;
  
  5.  run your Internet browser (if you do not know what it is run the
      Internet Explorer);
  
  6.  move the mouse cursor to the address bar of the browser (this is the
      place where the site address is written);
  
  7.  click the right mouse button in the field where the site address
      is written;
  
  8.  select the button "Insert" in the appeared menu;
  
  9.  then you will see the address
      http://cerberhhyed5frqa.xmfhr6.win/38A1-5B33-80D3-0072-8421
      appeared there;
  
  10. press ENTER;
  
  11. the site should be loaded; if it is not loaded repeat the same
      instructions with the second address and continue until the last
      address if falling.
  
  If for some reason the site cannot be opened check the connection to the
  Internet; if the site still cannot be opened take a look at the
  instructions on omitting the point about working with the addresses in
  the HTML instructions.
  
  If you browse the instructions in HTML format:
  
  1.  click the left mouse button on the first address (in this case it is
      http://cerberhhyed5frqa.xmfhr6.win/38A1-5B33-80D3-0072-8421);
  
  2.  in a new tab or window of your web browser the site should be loaded;
      if it is not loaded repeat the same instructions with the second
      address and continue until the last address.
  
  If for some reason the site cannot be opened check the connection to
  the Internet.
  
  
  #########################################################################
  
  
  Unfortunately these sites are short-term since the antivirus companies
  are interested in you do not have a chance to restore your files but
  continue to buy their products.
  
  Unlike them we are ready to help you always.
  
  If you need our help but the temporary sites are not available:
  
  1.  run your Internet browser (if you do not know what it is run the
      Internet Explorer);
  
  2.  enter or copy the address
      https://www.torproject.org/download/download-easy.html.en into the
      address bar of your browser and press ENTER;
  
  3.  wait for the site loading;
  
  4.  on the site you will be offered to download Tor Browser; download and
      run it, follow the installation instructions, wait until the
      installation is completed;
  
  5.  run Tor Browser;
  
  6.  connect with the button "Connect" (if you use the English version);
  
  7.  a normal Internet browser window will be opened after
      the initialization;
  
  8.  type or copy the address
       ________________________________________________________
      |                                                        |
      | http://cerberhhyed5frqa.onion/38A1-5B33-80D3-0072-8421 |
      |________________________________________________________|
  
      in this browser address bar;
  
  9.  press ENTER;
  
  10. the site should be loaded; if for some reason the site is not loading
      wait for a moment and try again.
  
  If you have any problems during installation or operation of Tor Browser,
  please, visit https://www.youtube.com/ and type request in the search bar
  "install tor browser windows" and you will find a lot of training videos
  about Tor Browser installation and operation.
  
  If TOR address is not available for a long period (2-3 days) it means you
  are late; usually you have about 2-3 weeks after reading the instructions
  to restore your files.
  
  
  #########################################################################
  
  
  Additional information:
  
  You will find the instructions for restoring your files in those folders
  where you have your encrypted files only.
  
  The instructions are made in two file formats - HTML and TXT for
  your convenience.
  
  Unfortunately antivirus companies cannot protect or restore your files
  but they can make the situation worse removing the instructions how to
  restore your encrypted files.
  
  The instructions are not viruses; they have informative nature only, so
  any claims on the absence of any instruction files you can send to your
  antivirus company.
  
  
  #########################################################################
  
  
  Cerber Ransomware Project is not malicious and is not intended to harm a
  person and his/her information data.
  
  The project is created for the sole purpose of instruction regarding
  information security, as well as certification of antivirus software for
  their suitability for data protection.
  
  Together we make the Internet a better and safer place.
  
  
  #########################################################################
  
  
  If you look through this text in the Internet and realize that something
  is wrong with your files but you do not have any instructions to restore
  your files, please, contact your antivirus support.
  
  
  #########################################################################
  
  
  Remember that the worst situation already happened and now it depends on
  your determination and speed of your actions the further life of
  your files.
First basic security rule: think first, then click, not the other way round - Files/programs are like sweets: when they come from a stranger, you don't accept them.

Securing your computer (short version)

Software tutorials - Windows tutorial - Windows 10

Stop ads - unwanted pop-ups
supprimer-trojan.com: malware removal guide
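The note quoted above mixes attacker infrastructure (the .onion payment site and its short-lived clearnet gateways) with legitimate sites (torproject.org, youtube.com). Only the URLs that carry the victim ID belong to the operator, and that ID is what identifies the machine on the payment site. The following script is an added example, not code from the original post or from the Cerber operators; it pulls those indicators out of a note. The excerpt it parses is constructed: the .onion host, the .win gateway and the victim ID are the ones printed in the note on this page, the second gateway host is made up for the example.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the Cerber note quoted above. The .onion host,
# the .win gateway and the victim ID appear in that note; the ".top" gateway
# is invented for this example.
SAMPLE_NOTE = """\
1. Download and install the "Tor Browser" from https://www.torproject.org/
3. In the "Tor Browser" open website:
   http://cerberhhyed5frqa.onion/38A1-5B33-80D3-0072-8421
If the site is not loading, try one of the temporary addresses:
   http://cerberhhyed5frqa.xmfhr6.win/38A1-5B33-80D3-0072-8421
   http://cerberhhyed5frqa.example-gateway.top/38A1-5B33-80D3-0072-8421
please, visit https://www.youtube.com/ and type request in the search bar
"""

# Victim IDs in Cerber notes are five groups of four upper-case hex digits.
VICTIM_ID = r"[0-9A-F]{4}(?:-[0-9A-F]{4}){4}"
URL_WITH_ID = re.compile(r"https?://([A-Za-z0-9.-]+)/(" + VICTIM_ID + r")\b")
ANY_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")


def extract_iocs(note):
    """Separate attacker infrastructure (URLs carrying the victim ID) from the
    legitimate sites the note mentions, and recover the victim ID."""
    ids = Counter()
    onion_hosts, gateway_hosts = set(), set()
    for host, victim_id in URL_WITH_ID.findall(note):
        ids[victim_id] += 1
        host = host.lower()
        if host.endswith(".onion"):
            onion_hosts.add(host)
        else:
            gateway_hosts.add(host)
    payment_hosts = onion_hosts | gateway_hosts
    # Hosts without a victim-ID path (torproject.org, youtube.com) are decoys
    # for the reader, not infrastructure to block.
    legit_hosts = {h.lower() for h in ANY_URL.findall(note)} - payment_hosts
    # Tor2web-style gateways carry the hidden-service name as their first label:
    # cerberhhyed5frqa.xmfhr6.win fronts cerberhhyed5frqa.onion. A gateway whose
    # first label matches no .onion host in the note deserves a second look.
    unmatched_gateways = sorted(
        h for h in gateway_hosts if h.split(".")[0] + ".onion" not in onion_hosts
    )
    victim_id = ids.most_common(1)[0][0] if ids else None
    return {
        "victim_id": victim_id,
        # More than one ID in a single note means notes from several hosts got mixed.
        "victim_id_conflict": len(ids) > 1,
        "onion_hosts": sorted(onion_hosts),
        "gateway_hosts": sorted(gateway_hosts),
        "unmatched_gateways": unmatched_gateways,
        "legit_hosts": sorted(legit_hosts),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

The gateway hosts are the part worth feeding to a proxy or DNS blocklist; the .onion host is only reachable through Tor, and the victim ID is what you quote when comparing notes found on several machines to see whether they came from the same infection.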


Re: Cerber as .cerber2 files

Post by Malekal_morte » 16 Aug 2016 12:44

The extension used by the Cerber ransomware moves to .cerber2 and then to .cerber3.

If your files carry the .cerber2 or .cerber3 extension, your Windows has been infected by the Cerber ransomware.

Related links (ѠOOT):
( August 31, 2016 ) New Version of Cerber Ransomware Distributed via Malvertising
→ ( November 22, 2016 ) Cerber 5.0 - multicast UDP communication with C2 using new IP ranges
→ ( November 28, 2016 ) ImageGate: distributing malware through images via Social Networks
→ ( November 29, 2016 ) Cerber 5.0.1 ransomware spreading via Google & TOR


Re: Cerber (Crypto-Ransomware)

Post by Malekal_morte » 07 Dec 2016 15:25

Latest variant of the Cerber ransomware with:
  • random extensions
  • instructions in French in .hta files
The desktop wallpaper is still changed to a message in red.
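The two posts above give the identification rules for a Cerber infection: the first variants announce themselves through the .cerber, .cerber2 and .cerber3 extensions, while the later variant uses random extensions and can only be spotted through the .hta notes it drops next to the files. The triage script below is an added example, not code from the original posts; it walks a directory tree and reports, per folder, the known-extension files, the ransom notes, and, where a note sits among files with an unknown shared extension, that extension as the probable encrypted-file suffix. The directory it scans is constructed in a temp folder for the demonstration; the file names in it, including "_README_.hta", are made up, and the first-variant note names "# DECRYPT MY FILES #.txt/.html/.vbs" are the ones Cerber 1 dropped. The four-character random extension is an assumption about the later variants, so the heuristic is flagged for analyst confirmation rather than treated as proof.

```python
import os
import re
import tempfile
from collections import Counter

# Fixed extensions of the first Cerber variants (see the posts above).
CERBER_EXTENSIONS = {".cerber", ".cerber2", ".cerber3"}
# Note names dropped beside encrypted files by the first variant. The later
# variant drops .hta notes under varying names, so those are matched on the
# extension alone (heuristic: genuine .hta files are rare in user data folders).
NOTE_NAMES = {"# decrypt my files #.txt", "# decrypt my files #.html", "# decrypt my files #.vbs"}
NOTE_EXTENSIONS = {".hta"}
# Assumption: later variants rename files to <random>.<four random alphanumerics>.
# A folder holding a note where most files share such an unknown extension is
# reported as probably encrypted. Common four-letter types are excluded so a
# folder of .docx files next to a stray note is not misreported.
RANDOM_EXT = re.compile(r"\.[0-9a-z]{4}")
COMMON_4CHAR = {".docx", ".xlsx", ".pptx", ".html", ".jpeg", ".json", ".tiff", ".webp"}


def classify(name):
    """Return 'encrypted', 'note' or None for a single file name."""
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    if ext in CERBER_EXTENSIONS:
        return "encrypted"
    if lower in NOTE_NAMES or ext in NOTE_EXTENSIONS:
        return "note"
    return None


def triage(root):
    """Walk root and report, per folder (path relative to root), the known
    encrypted files, the ransom notes and, for random-extension variants, the
    suspect extension. Folders with no findings are omitted."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted, notes, others = [], [], []
        for name in sorted(files):
            kind = classify(name)
            {"encrypted": encrypted, "note": notes}.get(kind, others).append(name)
        suspect = None
        if notes and not encrypted and others:
            ext, count = Counter(os.path.splitext(n.lower())[1] for n in others).most_common(1)[0]
            if count >= 2 and RANDOM_EXT.fullmatch(ext) and ext not in COMMON_4CHAR:
                suspect = ext
        if encrypted or notes:
            hits[os.path.relpath(dirpath, root)] = {
                "encrypted": encrypted,
                "notes": notes,
                "suspect_extension": suspect,
            }
    return hits


def build_sample_tree():
    """Create a constructed layout (not real malware output): one folder as a
    first-variant infection leaves it, one as a random-extension variant leaves
    it, and one untouched folder."""
    root = tempfile.mkdtemp(prefix="cerber_triage_")
    layout = {
        "Documents": ["report.docx.cerber2", "budget.xlsx.cerber2",
                      "# DECRYPT MY FILES #.txt", "# DECRYPT MY FILES #.html"],
        "Pictures": ["k8Zq2mN1pL.ab12", "Tt4vX0wQ9c.ab12", "H3dR7sG2yB.ab12", "_README_.hta"],
        "Clean": ["notes.txt", "photo.jpg"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    for folder, info in sorted(triage(build_sample_tree()).items()):
        print(folder, info)
```

Run it against a mounted image or a network share instead of the sample tree to get the list of folders to restore from backup; the suspect-extension field is a pointer for the analyst, not a verdict, since any folder can legitimately hold files sharing an unusual extension.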


Re: Cerber (Crypto-Ransomware)

Post by Malekal_morte » 03 Apr 2017 15:55

A full article on the Magnitude exploit kit, which is used to push the Cerber ransomware: Magnitude EK news.