
Gerber Ransomware

By GoldSparrow in Ransomware

The Gerber Ransomware is an encryption ransomware Trojan that was first released on December 7, 2018. It gained the attention of PC security researchers because multiple versions of the Gerber Ransomware were released in a very short time. Most of these versions are virtually the same threat, changing a few aspects of the attack but always taking the victim's files hostage and then demanding a ransom payment from the victim.

The Gerber Ransomware’s Different Versions

The Gerber Ransomware's first version can be identified because it uses the following ransom note to demand payment from the victim:

'Gerber Ransomware 1.0
Sorry, your computer was blocked by the Gerber Ransomware 1.0.
If you wants to restore, follow the steps:
(You can have a mail and file Decrypt.TXT)
1. Send to the mail: 'sobachka_thaabah@india.com' file: Decrypt.TXT
2. Follow the message-instructions
3. Get guarantees
4. Decrypt files
Personal id: [random characters]'

Only a few hours after the release of the first version of the Gerber Ransomware, version 2.0 of this threat was released. Both carry out the same attack, using a strong encryption algorithm to target user-generated files, such as files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

Version 2.0 of this threat also sometimes includes a keylogger module that allows the Gerber Ransomware to be used to collect data from the victim. A version 3.0 of the Gerber Ransomware was also released. This third version is virtually identical to the first two but has additional layers of obfuscation applied to its code, designed to make it more difficult for PC security researchers to study and block the threat.

Dealing with Threats Like the Gerber Ransomware

The main purpose of the various variants in the Gerber Ransomware family is to make the victim's files inaccessible, as is the case with most encryption ransomware Trojans. The objective is to take the victim's files hostage and then demand that the computer user pay a large ransom in exchange for the decryption key needed to restore the compromised data. Therefore, the best protection against threats like these is to have backup copies of your files. If victims have backup copies of their data and these are stored securely, they can recover by removing the Gerber Ransomware threat itself and the compromised files, and then replacing the compromised data with the backup copies. Apart from file backups, PC security researchers, as always, recommend the use of an effective security program to protect your computer.

Update December 7th, 2018 — Gerber 2.0 Ransomware

The release of the Gerber 2.0 Ransomware was reported only hours after the original threat was reported on December 7th, 2018. The Gerber 2.0 Ransomware features bug fixes and, most notably, a keylogger component. The threat payload is reported to travel as a cheat program for Valve's 'Counter-Strike: Global Offensive' game. The threat is likely to be found on questionable file hosting platforms, and users may be asked to enter a password and disable their AV product to run the program.

The Gerber 2.0 Ransomware is known to run from the Temp directory and access resources within the Windows system folder. Lab tests revealed that the threat accesses 'user32.dll.mui,' 'comctl32.dll.mui,' 'StaticCache.dat,' 'msctf.dll.mui,' and 'SortDefault.nls' to facilitate some of its functions. The threat employs basic evasion techniques and puts its process to sleep several times. The Trojan also checks for running debuggers before it is fully loaded. If the Gerber 2.0 Ransomware is not detected on a PC, it proceeds to encrypt images, audio, video, text, spreadsheets, presentations and databases. The Gerber 2.0 Ransomware may load a keylogger module and record the user's keyboard input. The keylogger may be enabled while a ransom window titled 'GRBR Decryptor' is shown on the screen. The 'GRBR Decryptor' window offers the following text:

'Gerber Ransomware 1.0
Sorry, your computer was blocked by Gerber Ransomware 2.0.
If you wants to restore, follow the steps:
(You can have a mail and file Decrypt.TXT)
1. Send to the mail: 'fidonet_world@filemail.cc' file: Decrypt.TXT
2. Follow the message-instructions
3. Get guarantees
4. Decrypt files
Notice: Your files under strong protection. In our server, placed ton closed TOR (Darknet) network. We can a remove your Unique HashPadding data, canculated, using your key and special random numbers
Warning! Please pay immediately, after 3 days, your UHPD information will be deleted, and our can't decrypt information.
personal id: [random characters]'

The new version includes a panel with a list of the encrypted files, which was not available in the Gerber 1.0 Ransomware. The Gerber 2.0 Ransomware behaves almost identically to the original Trojan, but the addition of a keylogger component makes it notably more threatening. The threat actors behind the Gerber 2.0 Ransomware may be looking to collect information from the compromised systems and sell recorded login credentials to third parties as a side income. PC security researchers advise users to refrain from accessing their Web accounts before the Gerber 2.0 Ransomware is removed from their machines. You should not enter sensitive information in your browser before the threat is cleaned. Data backups should help you restore your file system to normal. AV products detect the Gerber 2.0 Ransomware as:

Artemis!8BDD6C51BAED
Gen:Heur.Ransom.RTH.1
Malware.Undefined!8.C (CLOUD)
Malware/Gen.Generic.C2883903
TR/RedCap.gldkr
TROJ_GEN.R002C0OLA18
Trojan.Win32.Generic.4!c
W32/Filecoder_Gerber.B!tr
Win32.Trojan.Filecoder.Eert
Win32/Trojan.Ransom.806

Update December 7th, 2018 — Gerber 3.0 Ransomware

The Gerber 3.0 Ransomware is a name that refers to a small update to the Gerber 1.0 Ransomware. Computer security researchers commented on the rushed release of the Gerber 3.0 Ransomware and pointed out that it is almost identical to the Gerber 2.0 Ransomware. The most notable changes in the Gerber 3.0 Ransomware are a shift in the distribution campaign and new obfuscation layers applied to the threat payload. The Gerber 3.0 Ransomware is distributed primarily via spam emails and corrupted Microsoft Word documents.

The Gerber 3.0 Ransomware is known to scan systems for running debugging tools and to change the configuration of the Kernel Security Device Driver in Windows to evade detection. The Gerber 3.0 Ransomware enciphers the same range of data as the original Trojan, but there is no keylogger module present, unlike the Gerber 2.0 Ransomware. Files encrypted by the Gerber 3.0 Ransomware are shown with generic white icons, and PC users are shown a 'GRBR Decryptor' window with poor text encoding. The text provided by the Gerber 3.0 Ransomware is unreadable except for a few lines, which include the 'gerasiy.kerasinov@yandex.com' email account for contact. It is believed that the message was copied from the Gerber 2.0 Ransomware, but the author failed to use the correct character set before making an encrypted shell for the Trojan. Users who may have fallen victim to the Gerber 3.0 Ransomware attack are encouraged to avoid contact with the Gerber 3.0 Ransomware actors, since the 'GRBR Decryptor' may be of as poor quality as the main product. Removing the Gerber 3.0 Ransomware should be possible with the help of an up-to-date security tool.
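The behaviours described for the 2.0 and 3.0 variants (execution from the Temp directory, the Decrypt.TXT ransom note, the 'GRBR Decryptor' window and the Kernel Security Device Driver change) can be turned into host-based detection logic. The script below is an added example, not code from the page or from any vendor: the event field names, the KSecDD registry path and all sample telemetry are constructed assumptions.

```python
"""Added example: score constructed Sysmon-style events for the Gerber
behaviours this page describes. Field names, the KSecDD registry path
and all sample events are assumptions, not values taken from the page."""
import re
from collections import defaultdict

# Each rule: (name, event type, field to inspect, compiled regex).
# The Services\KSecDD registry path for the Kernel Security Device Driver
# is an assumption; the page only says the driver's configuration is changed.
RULES = [
    ("exec_from_temp", "ProcessCreate", "Image",
     re.compile(r"\\Temp\\[^\\]+\.exe$", re.I)),
    ("ransom_note_drop", "FileCreate", "TargetFilename",
     re.compile(r"\\Decrypt\.TXT$", re.I)),
    ("grbr_window", "WindowTitle", "Title",
     re.compile(r"GRBR Decryptor", re.I)),
    ("ksecdd_change", "RegistryEvent", "TargetObject",
     re.compile(r"\\Services\\KSecDD\\", re.I)),
]


def match_events(events):
    """Return {host: sorted list of rule names hit} for the given event dicts."""
    hits = defaultdict(set)
    for ev in events:
        for name, etype, field, pattern in RULES:
            if ev.get("EventType") == etype and pattern.search(ev.get(field, "")):
                hits[ev["Host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def classify(events, threshold=2):
    """Flag hosts showing at least `threshold` distinct Gerber behaviours,
    so a single benign installer run from Temp does not raise an alert."""
    return {h: r for h, r in match_events(events).items() if len(r) >= threshold}


# Constructed sample telemetry: WS1 shows the 2.0 chain, WS2 a benign
# installer run from Temp, WS3 only the driver-configuration change.
SAMPLE_EVENTS = [
    {"Host": "WS1", "EventType": "ProcessCreate",
     "Image": r"C:\Users\a\AppData\Local\Temp\csgo_cheat.exe"},
    {"Host": "WS1", "EventType": "FileCreate",
     "TargetFilename": r"C:\Users\a\Desktop\Decrypt.TXT"},
    {"Host": "WS1", "EventType": "WindowTitle", "Title": "GRBR Decryptor"},
    {"Host": "WS2", "EventType": "ProcessCreate",
     "Image": r"C:\Users\b\AppData\Local\Temp\setup.exe"},
    {"Host": "WS3", "EventType": "RegistryEvent",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\KSecDD\Start"},
]

if __name__ == "__main__":
    for host, rules in classify(SAMPLE_EVENTS).items():
        print(host, rules)
```

Single-behaviour hosts such as WS2 and WS3 are still returned by match_events for triage; only multi-behaviour hosts cross the alert threshold.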
