CerberRansomware - A Dangerous Malware That Can Cause Massive Damage

The purpose of this post is to inform you about what went wrong when I downloaded a torrent, and how being careless nearly made me lose 7 years worth of work. The moral of the story here is, when engaging software piracy, never let your guard down, never believe that anything you download from the internet is safe, and most of all, do not install pirated software on a computer that you care about, and that especially includes your work or school computer. You don’t want to be in a situation where you have to explain to your company’s IT department how you managed to get your laptop infected with a virus commonly distributed through torrents.

I typically don’t pirate software these days. I have done so in the past, but now I do research on the software that I want, and if I can find it at a reasonable price, I would buy it, and if not, I just don’t bother with it, because I own most of the software I need, and there are tons of freeware available, that I can’t really justify the trouble to pirate something. 

On a fateful Friday morning, while I was having my coffee, and working on my spreadsheet, I felt like trying the latest version of MS Office. I realized there is a web version of MS office available. So I uploaded a copy of one of my most important spreadsheets online to my Microsoft OneDrive account, and opened it within the browser. While this version of Excel isn’t terrible, it isn't enough advanced enough for what I am trying to do. I concluded that it won't serve my purpose and decided to download Microsoft Office 2016, and give it a run. This one decision could have been very expensive.

The PirateBay Computer


I never install any pirated software on my main computer. I only ever use it for games and video editing. All the other work is done on a dedicated work VM. I use a throwaway Windows XP VM and an old Lenovo laptop to download and try software. If the laptop were to get infected with a virus, it wouldn’t really matter - or so I thought.

I decided to look up the pirated version of Microsoft Office 2016 and I found a link to a torrent on PirateBay (or some proxy) and downloaded the most popular torrent.

The torrent that contained the ransomware

I found it odd that there were no comments for that particular torrent, but I didn’t care, I went ahead and downloaded the torrent anyway. It took me about 30 minutes to download the 2.26GB torrent. The torrent included the ISO for Microsoft Office 2016, and an activator. 


I installed Microsoft office and after the installation was done, I ran the activator. I didn’t really keep an eye on what it was doing, I just hit next, and went to get ready for work. When I got back to the computer, The activator created some files on the desktop. I didn’t stop to look at what those files were. I launched MS Excel, and there was a activation prompt, and I canceled it, and Excel seemed to work, and it looked like that was all there it to it.

At this point, I had to leave to work. I decided I will check back on this at some point during the day, and off I went. 

Scammed!


After the usual status meetings and what not, I went back to my desk, and I decided to remote into the laptop using Team Viewer. 

I noticed that MS Office created a bunch of shortcuts on the taskbar, and I clicked on the Excel shortcut. It started up fine, but I need to see if it will fit my needs. So I opened my Dropbox folder on the laptop to access the most important spreadsheet. It was at this point I noticed that all the files in my Dropbox folder were missing, and in their place were a bunch of files whose extensions I did not recognize. I was puzzled, so I opened Dropbox on my work machine, and looked at the folder and it also has a bunch of files in it that I did not recognize, and my important spreadsheet was missing. 

It then dawned on me that something went wrong, and perhaps the torrent had something to do with it. I noticed that there is a text file named # DECRYPT MY FILES #.txt. I opened this and this was when I realized the mistake I made. 

Read the contents here - http://pastebin.com/V5AzXFfJ

My laptop got infected with ransomware and it encrypted a lot of files on my machine, that included files in Dropbox, and because my work computer also has Dropbox installed and it was linked to the same account, it got those changes as well. 

All Dropbox files are now encrypted

Contents of the torrent folder are also encrypted

It felt like I got punched in the stomach. The spreadsheet I was working on for 7 years was encrypted, and I had no clue on how to get it back. I certainly wasn’t going to pay the money they wanted. I had no idea what choices I had. I searched online and I found nothing helpful. Dropbox did not keep previous versions of the files, as some of the articles suggested, so I was out of luck. 

To say that I was sad wouldn’t even begin to describe my situation. Purchasing a copy of  Microsoft Office for $149 seemed worth it compared to the situation I was in. I couldn’t believe I let this happen.  

This had ruined my morning so far. I couldn’t focus on work because my 7 years worth of data I collected is now gone. I had backups of it, but stupidly enough, the backups were also in Dropbox. The careless mistakes I made over the years finally caught up to me. 

I knew I had a backup of the file on my external hard drive, but it was months old. I make changes to the file every couple of days or so with the latest real world data, and I did not keep an offline backup. I realized what a horrible mistake that was. 


Hibernate Mode Saved The Day


It was at this point I realized that my gaming computer also has Dropbox installed, but it was in Hibernate mode when the ransomware was running amok on my laptop. Therefore if I could boot up the machine without it connecting to the internet, I would still have all my files intact! 

When I went home, I unplugged the Ethernet, and booted the computer. I was relieved to know that all my files are intact, especially the spreadsheet. I took a backup of all the files in Dropbox. I then shut down the Dropbox process, and went online. 

I logged into my Dropbox account, and deleted all the files - they were all garbage now anyway. I then started Dropbox again. It did a sync with the server and deleted all my files from the computer. After it got done deleting the files, I put them back in the Dropbox folder from the backup, and I was done! 

The scammer managed to almost ruin my day and 7 years worth of work. I just got plain lucky. There is no other way to look at this. I was careless in the way I went about pirating, and I did not put thought into how I managed backups.  A lesson learned. 

Operating Rules for PirateBay Machine


I decided to come up with some rules on how to operate a PirateBay machine

  • It should in no way be connected to the main computer. No sharing of home groups or folders. 
  • Never access any work related websites or have work email setup on this machine
  • Do not install dropbox, SVN, team viewer or any sync service that connects this computer to any other computer that you care about. 
  • Do not use any form of browser sync feature
  • Do not log into any important accounts (email, bank account (!), credit card account, youtube account…)
  • When transferring files (be it pirated software, music etc.), run them through an antivirus scan and then transfer them to a flash drive, and run it through another  virus scan on the destination machine. 
  • Always keep the antivirus on piratebay machine upto date. Disable it when needed and reenable it. 
  • Do not remotely access this machine. Always access it physically. 
  • When transferring files to the pirate machine, after the transfer is done, format the flash drive. 

Rules for data backup


This take a little bit of money to maintain but if you value your data, it's worth it. 
  • Drive 1 will be connected to the computer that stores all the data
  • Drive 2 will be used to backup all the data from drive 1 and after the backup is done, it will be disconnected. It is strictly for backup only. 

One Free Decrypt 


After I cleaned up the mess created by the ransomware, I decided to do some research about this. Turns out, this particular ransomware is particularly bad, and there are articles explaining the ransomware's behavior in detail. One of the article claims that the encryption can bypassed, but I am not so sure that that will work. I haven't tried this. 


I did try the decrypt option they have on their website, and surprisingly it worked. 

The ransomware website allows the victim to decrypt one file
The one free decrypt actually works

Conclusion


This ransomware could have done a lot of damage. I got lucky, and it taught me a valuable lesson. There will be those that won't be so fortunate. I feel for them. 

Just imagine a school student who got careless and now all their homework files are encrypted and they don't have a backup, and a deadline is approaching, or a employee whose work computer got infected. They could potentially lose their employment. This is a heavy price to pay for being careless. 

I hope this article prevents a potential disaster. If you found this page because your computer is infected, I can only wish you good luck. 

No comments:

Post a Comment