Advisory 16-043 Advanced Notification

Advanced Notification of Ransomware – RANSOM_HPCERBER.SM6
Security Advisory AE-Advisory 16-043

Criticality: High
Advisory Released On: 24 November 2016
Impact: Encrypts files in the infected machine rendering them inaccessible and also targets database processes.
Solution: Refer to the “Solution” section below.
Summary
As the leading trusted secure cyber coordination center in the region, aeCERT has researched a ransomware family called CERBER, also detected as “RANSOM_HPCERBER.SM6”. Like any other type of ransomware, it encrypts files within an infected machine and urges the owner of the machine to purchase the “decryption” software if they want to get their files back. However, CERBER differs in that it also targets database processes as part of its routines, which lets it encrypt database files that would otherwise be locked by a running service. Further information about CERBER is given in the “Threat Details” section below.
Threat Details
The Trojan may be downloaded by other malware/spyware/grayware from remote sites. Once it downloads itself, it drops the following files into the victim’s machine:
• {folders containing encrypted files}\README.hta
• %User Temp%\{random file name}.bmp
The Trojan adds the following registry entry:
HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\{random file name}.bmp
The Trojan terminates the following processes (if found) in the victim’s machine’s memory:
• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• mydesktopqos.exe
• agntsvc.exeisqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• agntsvc.exeagntsvc.exe
• agntsvc.exeencsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
It gathers the following data from the victim’s machine:
• MD5_KEY
• PARTNER_ID
• OS
• IS_X64
• IS_ADMIN
• COUNT_FILES
• STOP_REASON
The Trojan is able to encrypt files with most existing file extensions. Once it encrypts a file, the file is renamed to {10 Random Characters for the file name}.{4 Random Characters for file extension}. It avoids encrypting the following files: bootsect.bak, iconcache.db, ntuser.dat, thumbs.db. Once it has finished encrypting the files, it deletes the executable copy of itself and changes the wallpaper to the following image:
[wallpaper image]
It also displays the following ransom note:
[ransom note image]
Refer to the “Solution” section below for further information regarding how to avoid or fix this issue.
Solution
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must
disable System Restore to allow full scanning of their computers.
Step 2
Search for and delete the following files. (Some of these files may be hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.)
• {folders containing encrypted files}\README.hta
• %User Temp%\{random file name}.bmp
• For Windows 2000, Windows XP, and Windows Server 2003:
Right-click Start then click Search
In the File name* input box, type the following:
1. {folders containing encrypted files}\README.hta
2. %User Temp%\{random file name}.bmp
In the Look In drop-down list, select My Computer then press Enter.
Once located, select the file then press SHIFT+DELETE to delete it.
*Note: The file name input box title varies depending on the Windows version (e.g.
Search for files or folders named or All or part of the file name.).
• For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1,
and Windows Server 2012:
Open a Windows Explorer window.
1. For Windows Vista, 7, and Server 2008 users, click Start>Computer.
2. For Windows 8, 8.1, and Server 2012 users, right-click on the lower left
corner of the screen, then click File Explorer.
In the Search Computer/This PC input box, type:
1. {folders containing encrypted files}\README.hta
2. %User Temp%\{random file name}.bmp
Once located, select the file then press SHIFT+DELETE to delete it.
Step 3
Delete this registry value:
• In HKEY_CURRENT_USER\Control Panel\Desktop
  o Wallpaper = "%User Temp%\{random file name}.bmp"
To delete the registry value this ransomware has created:
1. Open Registry Editor. To do this:
   • For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run, type regedit in the text box provided, and then press Enter.
   • For Windows Vista, Windows 7, and Windows Server 2008 users, click the Start button, type regedit in the Search input field then press Enter.
   • For Windows 8, Windows 8.1, and Windows Server 2012 users, right-click on the lower left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
2. In the left panel of the Registry Editor window, double-click the following: HKEY_CURRENT_USER>Control Panel>Desktop
3. In the right panel, locate and delete the entry: Wallpaper = "%User Temp%\{random file name}.bmp"
Close Registry Editor.
Step 4
Scan your computer with your anti-virus product to delete files detected as RANSOM_HPCERBER.SM6. If the detected files have already been cleaned, deleted, or quarantined by your anti-virus product, no further step is required.
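As an added example (not part of the aeCERT advisory), the following PowerShell script performs a read-only check of a host for the indicators described in the Threat Details section and located manually in Steps 2 and 3 above: the Wallpaper registry value, dropped README.hta notes, the {10 characters}.{4 characters} rename pattern, and the database processes the Trojan terminates. The scan roots, the alphanumeric character set assumed for renamed files, the per-folder threshold, and the list of expected processes are assumptions not stated in the advisory.

```powershell
# Added example, not from the aeCERT advisory. Read-only: reports indicators, deletes nothing.
# Assumptions (not in the advisory): scan roots, alphanumeric rename charset,
# per-folder threshold, and which database processes this host should be running.
$ScanRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop")
$Findings  = New-Object System.Collections.Generic.List[string]

# 1. Registry: Wallpaper = %User Temp%\{random file name}.bmp (advisory, Step 3)
$Wallpaper = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper `
              -ErrorAction SilentlyContinue).Wallpaper
if ($Wallpaper -and $Wallpaper -match '\\Temp\\[^\\]+\.bmp$') {
    $Findings.Add("Wallpaper points to a BMP in a Temp folder: $Wallpaper")
}

# 2. Ransom note README.hta in folders containing encrypted files (advisory, Step 2)
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Filter 'README.hta' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("Ransom note found: $($_.FullName)") }
}

# 3. Renamed files: {10 random chars}.{4 random chars}. Charset assumed alphanumeric;
#    a single match can be a legitimate file, so only folders with many matches are flagged.
$RenamePattern = '^[A-Za-z0-9]{10}\.[A-Za-z0-9]{4}$'
$Threshold     = 5   # assumed; tune for the environment
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $RenamePattern } |
        Group-Object -Property DirectoryName |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { $Findings.Add("$($_.Count) files match the rename pattern in $($_.Name)") }
}

# 4. Database processes the Trojan terminates (from the advisory's list). Only meaningful on a
#    host known to run them, so the expected set is an assumption to adjust per host.
$ExpectedProcesses = @('sqlservr', 'sqlwriter', 'mysqld', 'oracle')
foreach ($name in $ExpectedProcesses) {
    if (-not (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $Findings.Add("Expected database process not running: $name.exe")
    }
}

if ($Findings.Count -eq 0) { 'No Cerber indicators found.' } else { $Findings }
```

Any finding should be confirmed before acting on it; the Step 2 and Step 3 removal instructions above then apply to the exact paths and values the script reports.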
Contact Us
aeCERT
P.O. Box 116688
Dubai, United Arab Emirates
Tel: (+971) 4 230 0003
Fax: (+971) 4 230 0100
Email: info[at]aeCERT.ae
For secure communications with aeCERT regarding sensitive or vulnerability information, please send your correspondence to aeCERT[at]aeCERT.ae