Cyble recently reported on the resurgence of Cerber2021 ransomware, which targets both Windows and Linux systems.
- Cerber2021 is a ransomware family targeting both Windows and Linux systems.
- Cerber2021 uses different code and encryption methods than the older versions of Cerber.
- Threat actors recently leveraged CVE-2022-26134 (an OGNL injection vulnerability in Confluence Server) to infect systems with Cerber2021.
Cerber2021, also known as CerberImposter, is a ransomware family. The original Cerber ransomware is a RaaS (ransomware as a service), first seen in the wild in 2016. Cerber2021 was identified in late 2021, leveraging CVE-2021-26084 and CVE-2021-22205 to target Confluence and GitLab servers. This new variant targets both Windows and Linux systems and uses different code and encryption methods than the older versions of Cerber.
According to Cyble, the ransomware is sophisticated, and threat actors are using unpatched or recently patched vulnerabilities to spread Cerber2021. Earlier this month, Microsoft noted that CVE-2022-26134 was being leveraged to download and launch Cerber2021. CVE-2022-26134 is an OGNL injection vulnerability in Confluence Server and Data Center that allows an unauthenticated threat actor to execute arbitrary code on a vulnerable instance, and it could allow a threat actor to gain remote control of unpatched servers.
According to an analysis by Cyble, the malicious file in the variant targeting Windows is a 32-bit GUI-based binary. When executed, the malware checks for three mutex strings that indicate a prior Cerber2021 infection and terminates if any of them is found. Cerber2021 uses the Crypto++ library for encryption. The malware enumerates drives "C:\" through "Z:\" and targets a wide range of file types for encryption, appending the .locked extension to each encrypted file. Following encryption, Cerber2021 generates a Tor onion URL by appending a dynamically generated key to the end of the link. In the variant targeting Windows, Cerber2021 uses the ShellExecuteA() API function to delete its own ransomware file after infection.
Cyble also analyzed a sample of the Cerber2021 variant targeting Linux systems. They found that the malicious file is a 64-bit UPX-packed ELF binary. The Linux variant operates similarly to the Windows variant.
Following infection by either variant, the victim is presented with a ransom note named __$$RECOVERY_README$$__.html, which instructs them to contact the threat actors through the Tor site. The threat actors use double extortion tactics, threatening to leak stolen data if the victim does not contact them within 30 days.
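The two on-disk artifacts described above, the .locked extension on encrypted files and the __$$RECOVERY_README$$__.html ransom note, are enough for a quick post-incident triage sweep. The script below is an added example, not code from the Cyble or PolySwarm write-up; it walks a directory tree, collects both indicators, and reports a verdict. The sample victim directory it builds is constructed for illustration.

```python
# Added example (not from the Cyble/PolySwarm write-up): triage scan for the
# two on-disk Cerber2021 artifacts the report names, the .locked extension and
# the ransom note __$$RECOVERY_README$$__.html. Sample tree is constructed.
import os
import tempfile
from dataclasses import dataclass, field

RANSOM_NOTE = "__$$RECOVERY_README$$__.html"
LOCKED_EXT = ".locked"


@dataclass
class ScanResult:
    locked_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def suspected_infection(self) -> bool:
        # Either indicator alone warrants triage; both together is a strong signal.
        return bool(self.ransom_notes) or bool(self.locked_files)


def scan_tree(root: str) -> ScanResult:
    """Walk root and collect files matching the two Cerber2021 artifacts."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(full)
            elif os.path.splitext(name)[1] == LOCKED_EXT:
                result.locked_files.append(full)
    return result


def build_sample_tree() -> str:
    """Constructed sample: a directory laid out like a Cerber2021 victim."""
    root = tempfile.mkdtemp(prefix="cerber_triage_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for fname in ("report.docx.locked", "budget.xlsx.locked", "notes.txt", RANSOM_NOTE):
        open(os.path.join(docs, fname), "w").close()
    return root


if __name__ == "__main__":
    res = scan_tree(build_sample_tree())
    print(f"{len(res.locked_files)} .locked files, {len(res.ransom_notes)} ransom note(s)")
    print("suspected Cerber2021 infection" if res.suspected_infection else "no artifacts found")
```

Point scan_tree() at a mounted disk image or a file share to sweep a real system; an empty result means neither artifact was found, not that the host is clean.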
PolySwarm has multiple samples associated with Cerber2021.
You can use the following CLI command to search for all Cerber2021 samples in our portal:
$ polyswarm link list -f Cerber2021