Executive Summary
Cyble recently reported on the resurgence of Cerber2021 ransomware, which targets both Windows and Linux systems.
Key Takeaways
- Cerber2021 is a ransomware family targeting both Windows and Linux systems.
- Cerber2021 uses different code and encryption methods than the older versions of Cerber.
- Threat actors recently leveraged CVE-2022-26134 (Confluence Server OGNL injection vulnerability) to infect systems with Cerber2021.
Cerber2021, also known as CerberImposter, is a ransomware family. The original Cerber ransomware is a RaaS (ransomware as a service) first seen in the wild in 2016. Cerber2021 was identified in late 2021, when it leveraged CVE-2021-26084 (Confluence) and CVE-2021-22205 (GitLab) to compromise Confluence and GitLab servers. This new variant targets both Windows and Linux systems and uses different code and encryption methods from the older versions of Cerber.
According to Cyble, the ransomware is sophisticated, and threat actors are spreading Cerber2021 through unpatched or recently patched vulnerabilities. Earlier this month, Microsoft noted that CVE-2022-26134 was being leveraged to download and launch Cerber2021. CVE-2022-26134 is an OGNL injection vulnerability in Confluence Server and Data Center that allows an unauthenticated threat actor to execute arbitrary code on an affected instance, giving them remote control of unpatched servers.
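Exploitation of CVE-2022-26134 places an OGNL expression of the form ${...} in the request URI path, typically URL-encoded as %24%7B ... %7D, so the attempt is visible in the web server's access log. The following script is an added example, not part of Cyble's analysis or PolySwarm's tooling: it parses combined-log-style access-log lines, URL-decodes the request path (repeatedly, so double-encoded probes are not missed), and flags any line whose decoded path contains an OGNL expression. The log format, IP addresses and sample lines are constructed for this example; the probe uses a harmless ${7*7} marker rather than a real payload.

```python
"""Added example: hunt for CVE-2022-26134 OGNL probes in Confluence access logs.

Not from the Cyble report or PolySwarm. Log format and sample lines below are
constructed for demonstration; the OGNL marker ${7*7} is deliberately harmless.
"""
import re
from urllib.parse import unquote

# Minimal parser for combined-log-style lines: client, method, path, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression marker after decoding: "${" ... "}".
OGNL_RE = re.compile(r"\$\{.*?\}")


def decode_path(path: str) -> str:
    """URL-decode repeatedly (up to three rounds) so double-encoded probes
    such as %2524%257B... still decode to ${...}."""
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path


def is_ognl_probe(line: str):
    """Return a finding dict for a line whose decoded request path contains an
    OGNL expression, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    if OGNL_RE.search(decoded):
        return {
            "client": m.group("client"),
            "method": m.group("method"),
            "path": decoded,
            "status": int(m.group("status")),
        }
    return None


def scan_log(lines):
    """Return the list of findings across all lines."""
    return [hit for hit in (is_ognl_probe(l) for l in lines) if hit]


# Constructed sample log (not real traffic). Lines 1-2 are benign; line 2 even
# contains "{$}" to show the regex keys on "${" specifically. Lines 3-4 are a
# single- and a double-encoded OGNL probe from the same client.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2022:10:00:09 +0000] "GET /display/DOCS/Release+Notes+%7B%24%7D HTTP/1.1" 200 9870 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jun/2022:10:01:12 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '203.0.113.5 - - [03/Jun/2022:10:01:13 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

On a real host, feed the script the Confluence access log (the Tomcat access log under the Confluence installation's logs directory) instead of SAMPLE_LOG; any hit from an external address on an instance that was unpatched at that time should be treated as a potential compromise, since the page notes CVE-2022-26134 was used to download and launch Cerber2021 directly.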
Windows Variant
According to Cyble's analysis, the Windows variant is a 32-bit GUI-based binary. When executed, the malware checks for three mutex strings that indicate a prior Cerber2021 infection and terminates if any of them is present. Cerber2021 uses the Crypto++ library for encryption. It enumerates drives "C:\" through "Z:\" and targets a wide range of file types, appending the .locked extension to each encrypted file. Following encryption, Cerber2021 builds the victim's Tor onion URL by appending a dynamically generated key to the base address. Finally, the Windows variant calls the ShellExecuteA() API function to delete its own executable after infection.
Linux Variant
Cyble also analyzed a sample of the Cerber2021 variant targeting Linux systems and found it to be a 64-bit UPX-packed ELF binary. The Linux variant operates in much the same way as the Windows variant.
Following infection by either variant, the victim is presented with a ransom note, __$$RECOVERY_README$$__.html, instructing them to contact the threat actors through a Tor site. The threat actors use double-extortion tactics, threatening to leak stolen data if the victim does not make contact within 30 days.
IOCs
PolySwarm has multiple samples associated with Cerber2021.
46998fe7f03cf9f870d95b6585324bbde64fe0a673382ef571662ca2f40499bb
078de7d019f5f1e546aa29af7123643bd250341af71506e6256dfee8f245a2a7
84cbffb84b7c9ced79b511f82a15414d9202ab68479dfe44cec7b745ed12f973
eba0482a5b1232db451b1a745dd8e99defb9f1194b070e2f5c20eeb251296a86
772cad26853c7d8ea8f1023f6e3cba219cc9bb1db1cd31ad2b979e59d3d9c631
You can use the following CLI command to search for all Cerber2021 samples in our portal:
$ polyswarm link list -f Cerber2021
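The file-level indicators above (the .locked extension, the __$$RECOVERY_README$$__.html ransom note, and the SHA-256 hashes) can be combined into a single host triage pass. The script below is an added example, not part of Cyble's analysis or PolySwarm's tooling: it walks a directory tree, flags encrypted files and ransom notes by name, and compares every file's SHA-256 against the hashes listed in the IOC section. The sample tree it builds is constructed for the example and contains no malware; the "dropper" it plants is a placeholder whose hash is added to the IOC set at runtime purely to exercise the hash-match path.

```python
"""Added example: host triage for Cerber2021 file indicators.

Not from the Cyble report or PolySwarm. The directory tree built by
build_sample_tree() is constructed for demonstration; none of it is malware.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes from the IOC section of this report.
CERBER2021_SHA256 = {
    "46998fe7f03cf9f870d95b6585324bbde64fe0a673382ef571662ca2f40499bb",
    "078de7d019f5f1e546aa29af7123643bd250341af71506e6256dfee8f245a2a7",
    "84cbffb84b7c9ced79b511f82a15414d9202ab68479dfe44cec7b745ed12f973",
    "eba0482a5b1232db451b1a745dd8e99defb9f1194b070e2f5c20eeb251296a86",
    "772cad26853c7d8ea8f1023f6e3cba219cc9bb1db1cd31ad2b979e59d3d9c631",
}
LOCKED_EXT = ".locked"
RANSOM_NOTE = "__$$RECOVERY_README$$__.html"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large encrypted files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=CERBER2021_SHA256):
    """Return (kind, path) findings for every indicator found under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                findings.append(("ransom_note", str(p)))
            if name.endswith(LOCKED_EXT):
                findings.append(("encrypted_file", str(p)))
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable file: skip hashing, keep walking
            if digest.lower() in iocs:
                findings.append(("ioc_hash_match", str(p)))
    return findings


def summarize(findings):
    """Count findings per indicator kind."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_sample_tree(base):
    """Constructed sample (not real artifacts): one encrypted-looking file, one
    ransom note, one clean file, and a placeholder 'dropper' whose hash the
    caller adds to the IOC set to demonstrate a hash match."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "budget.xlsx.locked").write_bytes(os.urandom(64))
    (base / "docs" / RANSOM_NOTE).write_text("<html>constructed placeholder</html>")
    (base / "docs" / "notes.txt").write_text("clean file\n")
    dropper = base / "svchost_update.exe"  # hypothetical filename
    dropper.write_bytes(b"constructed stand-in, not a real sample")
    return base, sha256_file(dropper)


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root, placeholder_hash = build_sample_tree(tmp)
        findings = scan_tree(root, CERBER2021_SHA256 | {placeholder_hash})
        return summarize(findings), findings


if __name__ == "__main__":
    counts, findings = run_demo()
    for kind, path in findings:
        print(f"{kind:16} {path}")
    print(counts)
```

Run scan_tree() against a real volume with the default IOC set; on Windows this means each of the drive letters the malware enumerates, and on Linux the mounted filesystems. A .locked or ransom-note hit is evidence the encryption already ran, while a hash hit with no encrypted files may catch a staged dropper before execution.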
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports