Cerber 6 Ransomware

Posted: May 5, 2017

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Ranking:	8,105
Threat Level:	10/10
Infected PCs:	168,369

First Seen:	March 4, 2016
Last Seen:	October 16, 2023
OS(es) Affected:	Windows

The Cerber 6 Ransomware is a spring 2017 update to the Cerber Ransomware family, providing additional anti-security features and a new, potentially more secure encryption routine. Installation methods for this category of threats focus on e-mail spam attachments, which conceal the Trojan's installer as being a safe content. Back up your files and disregard ransom demands, when possible, to protect your data from this Trojan, and use anti-malware products for removing the Cerber 6 Ransomware whenever it succeeds in infecting your PC.

The Threat Weather Report for Spring

The Cerber Ransomware family still is one of the most profitable ones in the RaaS (or Ransomware-as-a-Service) sub-sector of the threat industry, making it an ongoing threat to anyone who doesn't back their files up to another drive. Various threat actors renting it from its central team are distributing the latest version of this family, the Cerber 6 Ransomware, live. All known infection vectors for the Cerber 6 Ransomware variant utilize e-mail attachments, specifically, compressed ZIP archives. 
The Cerber 6 Ransomware doesn't install itself immediately. After the archive's interior executable launches, the loader checks the system for telltale signs of an analysis environment such as a sandbox. For such systems, the Trojan never loads. For others, the Cerber 6 Ransomware is set to run after a two-minute delay (another, new anti-security feature) and start encrypting your local files.

Malware analysts also can verify that the Cerber 6 Ransomware uses a different algorithm for locking your files, with a basis in the CryptoAPI instead of the RSA. The files that the Cerber 6 Ransomware blocks are up to the third-party con artists renting it and the Trojan can differentiate between media due to both the format and the directory location. After taking these files hostage, it drops an HTA extortion message that supports multiple languages, including French, English and Turkish.

Stopping Ready-Baked Trojans from Raining Money onto Their Creators

The Cerber 6 Ransomware's authors have a long history of showing reasonable, basic proficiency in coding threats that are both efficient and profitable. The new implementation of the Cerber 6 Ransomware also is highly expressive of how adjustable their design goals can be, with previous features replaced by new ones serving similar functions, but with lower detection rates by security tools. Although the Cerber 6 Ransomware no longer terminates the memory processes of other programs, it does block outgoing network traffic for some software, particularly ones associated with major anti-malware and security companies.

PC users needing to recover their files by decrypting them should avoid using decryption utilities meant for old versions of the Cerber Ransomware family, which use different algorithms. Because paying ransoms doesn't always result in access to a real decryptor, malware experts recommend using backups for counteracting new threats of this classification, like the Cerber 6 Ransomware. The Trojan may delete local backup content, meaning that backups stored on cloud servers or peripherals are more likely of being safe.

PC users with even bare bones knowledge of the current threat industry will know enough to scan suspicious attachments and delete the Cerber 6 Ransomware before any encryption ever can trigger. For those less informed, their files may be one scheduled task away from being enciphered permanently.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%ALLUSERSPROFILE%\Readme.hta

File name: Readme.hta
Size: 9.07 KB (9077 bytes)
MD5: 8f85ab4bb455ce6d413eff9e9d47a506
Detection count: 126
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\README.hta

File name: README.hta
Size: 63.11 KB (63113 bytes)
MD5: 777e13c9a5cad4e1d2134d5104188ff6
Detection count: 101
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\README.hta

File name: README.hta
Size: 61.8 KB (61802 bytes)
MD5: c4fff6005b70cccd895082e6c79595b3
Detection count: 84
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\wP6fT.exe

File name: wP6fT.exe
Size: 322.56 KB (322560 bytes)
MD5: 731279e3c09f8e52a849c0a9c1043bb5
Detection count: 72
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: July 18, 2017

%APPDATA%\_HELP_HELP_HELP_GLP9_.hta

File name: _HELP_HELP_HELP_GLP9_.hta
Size: 75.86 KB (75864 bytes)
MD5: 5f7533c663ddb4c0ae4dbbaafb50d491
Detection count: 60
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\README.hta

File name: README.hta
Size: 63.05 KB (63059 bytes)
MD5: e189ce9640edc95a1ba19d0d4d85691b
Detection count: 56
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: February 24, 2017

%APPDATA%\_HELP_HELP_HELP_SUXEZY_.hta

File name: _HELP_HELP_HELP_SUXEZY_.hta
Size: 75.9 KB (75904 bytes)
MD5: 5190e890725bf431ba44001e190c70f5
Detection count: 56
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\_READ_THI$_FILE_DB3DT9_.hta

File name: _READ_THI$_FILE_DB3DT9_.hta
Size: 77.05 KB (77053 bytes)
MD5: 7476a75b0680d99f5338b886bc7def62
Detection count: 54
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

file.exe

File name: file.exe
Size: 243.74 KB (243748 bytes)
MD5: 212fa73fd6ed39b4720bcfd8d97426d5
Detection count: 46
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 26, 2017

%APPDATA%\README.hta

File name: README.hta
Size: 63.14 KB (63140 bytes)
MD5: 107ab5eae352dab9defab24d3ba77b4a
Detection count: 42
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: February 24, 2017

%APPDATA%\_HELP_HELP_HELP_2R9I63OS.hta

File name: _HELP_HELP_HELP_2R9I63OS.hta
Size: 75.78 KB (75787 bytes)
MD5: a2daec078c54bb6bc5e96038a1506f2c
Detection count: 34
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\_HELP_HELP_HELP_HUUKTW_.hta

File name: _HELP_HELP_HELP_HUUKTW_.hta
Size: 75.86 KB (75864 bytes)
MD5: 0224da72bc3638b351cf509cdfc443c2
Detection count: 30
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%USERPROFILE%\Start Menu\Programs\Startup\_HELP_HELP_HELP_RSHI_.hta

File name: _HELP_HELP_HELP_RSHI_.hta
Size: 75.9 KB (75904 bytes)
MD5: a46e5f2ce8a20bbb8548959debb9ac0c
Detection count: 23
Mime Type: unknown/hta
Path: %USERPROFILE%\Start Menu\Programs\Startup
Group: Malware file
Last Updated: April 15, 2017

%USERPROFILE%\Start Menu\Programs\Startup\_HELP_HELP_HELP_STOV8H1_.hta

File name: _HELP_HELP_HELP_STOV8H1_.hta
Size: 75.86 KB (75864 bytes)
MD5: 1632ca0953d5499bf251455159a80ea0
Detection count: 14
Mime Type: unknown/hta
Path: %USERPROFILE%\Start Menu\Programs\Startup
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\_HELP_HELP_HELP_ND8FZ.hta

File name: _HELP_HELP_HELP_ND8FZ.hta
Size: 75.78 KB (75787 bytes)
MD5: 041ef4b6a12e0b3165172884301b0d1e
Detection count: 12
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

c:\Users\<username>\appdata\roaming\{6b977300-2501-f740-f2c0-799d6aca21c2}\cmdkey.exe

File name: cmdkey.exe
Size: 659.58 KB (659585 bytes)
MD5: 27cf39d205567505d840391e4761a7a0
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: c:\Users\<username>\appdata\roaming\{6b977300-2501-f740-f2c0-799d6aca21c2}
Group: Malware file
Last Updated: October 17, 2018

%APPDATA%\_HELP_HELP_HELP_XFCV_.hta

File name: _HELP_HELP_HELP_XFCV_.hta
Size: 75.9 KB (75904 bytes)
MD5: 01ec9e50d17de043a23997d6562293ad
Detection count: 7
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\_HELP_HELP_HELP_3NNARI.hta

File name: _HELP_HELP_HELP_3NNARI.hta
Size: 75.78 KB (75787 bytes)
MD5: 0ef13a9213c456db231825061eec294c
Detection count: 5
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\_HELP_HELP_HELP_L41VV_.hta

File name: _HELP_HELP_HELP_L41VV_.hta
Size: 75.86 KB (75864 bytes)
MD5: c63b4a524713e4c5f3802463cb46dab8
Detection count: 5
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

%APPDATA%\_READ_THI$_FILE_L81EB65A_.hta

File name: _READ_THI$_FILE_L81EB65A_.hta
Size: 77.01 KB (77010 bytes)
MD5: 2a6828d2ba37bb97efb4773619b80715
Detection count: 5
Mime Type: unknown/hta
Path: %APPDATA%
Group: Malware file
Last Updated: April 15, 2017

More files

Registry Modifications

The following newly produced Registry Values are:

File name without path# DECRYPT MY FILES #.html# DECRYPT MY FILES #.url# DECRYPT MY FILES #.vbs_README_.hta