Michal Nawrocik

ransomware from 2016, probably a variant of CerberTear

A friend of mine asked me to try to decrypt their files which were encrypted with some kind of ransomware.

They say the infection took place in 2016 or at the beginning of 2017. The newest encrypted file is dated 30.08.2016.

Unfortunately, my friend is not very tech-savvy so they deleted the virus itself leaving only the encrypted files and the ransom note.

I'm also not much into ransomware, I'm a programmer.

I ran undelete on the disk I got from my friend and found no recoverable executable files.

Then I used the online identification tool with the following result:

Then I clicked the link to read more on the 1st result found:

As you can see, it says this ransomware, called CerberTear, is a fake Cerber, actually a variation of HiddenTear.

I tried several HiddenTear decryptors I found on the internet; none of them seemed to work, and I guess they couldn't. I'll explain this below.

I also tried decryptors for other malware types suggested by id-ransomware, obviously to no avail.

The thing is: I don't see a decryptor for CerberTear specifically, only for HiddenTear, and CerberTear is actually quite different from the original HiddenTear.

HiddenTear encrypts the whole file content, whereas the files I am trying to decrypt have the first 127 bytes unencrypted, then n times 8 bytes encrypted, then the remainder unencrypted.

I analyzed the source code of hidden-tear-bruteforcer and I found it tries to decrypt the very beginning of the file, for all supported variants of HiddenTear. This can't work for me as the beginning of the file is not encrypted in my case.


I didn't find the CerberTear malware itself available online in a brief search, maybe I would need to search some more or contact the people who posted links to virustotal (it's not only the tweet above).

I'm kinda familiar with unpacking and deobfuscating so having this malware executable would help my attempts to decrypt the files.

HiddenTear is written in C#, which I use for writing code on a daily basis.

I got some samples of big encrypted files together with their unencrypted versions.

With some effort, I could also obtain a pair of small files, encrypted + unencrypted. Didn't do this yet as first I'd like to get some more light shed on this exact kind of malware.


In case you cannot provide me with a working decryptor or the malware executable for me to analyze, maybe you know the answers to the questions below.

I've seen that some variants of HiddenTear use a secure method of generating random numbers instead of the one seeded with the current time. What about CerberTear? If it uses the secure generator, then I guess the case is closed, no more questions, no chance to get the files back.

What is the password length? What characters can the password contain?

What encryption algorithm is used? With what parameters? I guess it's not AES as in the original HiddenTear, since AES has a block size of 16 bytes and some of the files encrypted with CerberTear have e.g. 40 bytes encrypted, and that's why I presume the block size is 8 bytes and not 16.

How is the key derived from the password (if it's done for the algorithm used in this case)? In the original HiddenTear it was SHA256, but I guess it might not be the case here.

I understand that there may be different variants of CerberTear, which makes it more difficult to decrypt the files without knowing the exact variant.

If I succeed in writing the decryptor, I will make the source code available to the public (even though not many people could still benefit from a decryptor for such an old ransomware).


Thanks in advance for any help provided.
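
The layout check described in the post above (127 clear bytes, then n × 8 encrypted bytes, then a clear tail) can be reproduced from known plaintext/encrypted pairs. This is an added example, not part of the original post and not code from any decryptor; it assumes each pair has equal length, and the sample pairs are constructed with an XOR stand-in rather than the ransomware's cipher.

```python
from functools import reduce
from math import gcd


def diff_span(plain: bytes, cipher: bytes):
    """Return (first, end) of the differing region, end exclusive, or None."""
    if len(plain) != len(cipher):
        # Assumption: the encryption preserves file size, as the layout implies.
        raise ValueError("pair differs in length")
    diffs = [i for i, (p, c) in enumerate(zip(plain, cipher)) if p != c]
    return (diffs[0], diffs[-1] + 1) if diffs else None


def infer_layout(pairs):
    """Infer (start offset, block-size candidate, region lengths) from pairs.

    A ciphertext byte can equal its plaintext byte by chance (about 1 in 256),
    which shortens one observed span. Taking the minimum start over all pairs
    corrects the start; a skewed end shows up as a GCD of 1, so feed in
    several pairs and drop the outlier if that happens.
    """
    spans = [s for s in (diff_span(p, c) for p, c in pairs) if s is not None]
    if not spans:
        raise ValueError("no pair shows any difference")
    start = min(first for first, _ in spans)
    lengths = [end - start for _, end in spans]
    return start, reduce(gcd, lengths), lengths


def make_pair(size: int, start: int, length: int):
    """Constructed sample: XOR 0xFF stands in for the unknown cipher."""
    plain = bytes((i * 37 + 11) % 256 for i in range(size))
    body = bytes(b ^ 0xFF for b in plain[start:start + length])
    return plain, plain[:start] + body + plain[start + length:]


# Constructed pairs with 40, 64 and 96 altered bytes starting at offset 127.
SAMPLE_PAIRS = [make_pair(300, 127, 40), make_pair(500, 127, 64),
                make_pair(1000, 127, 96)]

if __name__ == "__main__":
    start, block, lengths = infer_layout(SAMPLE_PAIRS)
    print(f"encrypted region starts at {start}, lengths {lengths}, "
          f"block-size candidate {block}")
```

A candidate of 8 is consistent with a 64-bit block cipher and rules out a 16-byte block, but it does not identify the algorithm by itself.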




Karsten Hahn is a malware analyst from GData, so they may have a decrypter for it already, however a few years ago GData stopped decrypting ransomware for free unless you are a current customer with a license for their business anti-virus software. I am not certain if their decryption policy has changed since then.

I'll ask and see if anyone on our team knows of an already-existing decryption tool.

One of our malware analysts took a look at the copy of CerberTear that was mentioned in the Twitter post you linked to. He said it looks easily decryptable, however the only details he gave me were that the ransomware didn't transmit decryption keys back to whoever made it, so if someone were to pay the ransom they wouldn't get a working decrypter back from the criminals who made/distributed this ransomware (if the criminals responded to the victim at all).

Michael Gillespie will also have access to the copy of the ransomware mentioned in the Twitter post, so he should have no trouble figuring out the encryption method. ;)

Thank you very much, I will contact Michael Gillespie.
I have noticed that as well, that the criminals ask to send bitcoin but the bitcoin address is the same for all victims and no contact info is included. So they wouldn't know who paid them and should receive the decryptor anyway.

18 hours ago, Michal Nawrocik said:

... So they wouldn't know who paid them and should receive the decryptor anyway.

In this case there probably wouldn't be a decrypter (at least not a working one). Without knowing the private key, they wouldn't be able to send a decrypter capable of decrypting the files.
