Cerber ransomware emerged with a new feature again – in March of 2017, malware analysts spotted a brand new Cerber variant that doesn’t change the original filename of encrypted file. The virus that makes it to the top malware list now leaves the original file name and only appends a 4-char file extension to encrypted files, making it easier to understand what files were encrypted. In the past, Cerber virus used to change the original filename with a set of random chars, making all records completely unrecognizable. The new variant also uses a different name for the ransom note – though the latest versions used to drop a ransom note called _HELP_HELP_HELP_[victim’s ID]_, the newly discovered strain of Cerber leaves _READ_THIS_FILE_[random chars]_.jpg, _READ_THIS_FILE_[random chars]_.hta and _READ_THIS_FILE_[random chars]_.txt files. The .hta file opens via a web browser, the .txt version launches via Notepad, and the .jpg file becomes desktop’s wallpaper. The .txt and .hta files contain detailed guidelines that are meant to help the victim realize the extent of damage that the virus did to the computer. These ransom notes command the victim to install Tor browser and use it to access a website that suggests buying Cerber Decryptor. The initial price of the decryptor is 1 Bitcoin, and it increases to 2 Bitcoins if the victim doesn’t buy it within five days starting from the moment of becoming a victim of Cerber ransomware attack.
The new ransomware still uses red highlight for the text displayed in the image that it sets as the compromised computer’s desktop wallpaper, so it can be added to Red Cerber group. Just like all previous versions, it plays an audio message that says “Attention. Your documents, photos, databases, and other important files have been encrypted.” Just like in the latest versions, it doesn’t encrypt data associated with computer security programs, which, looking through security vendors’ eyes, seems like an attempt to make fun of them. It appears that cybercriminals are trying to show their power and prove that they can corrupt data on even antivirus-protected PCs. However, we are sure that security vendors will make needed adjustments in protection programs to catch the ransomware before it does anything. However, until then, create data copies because you will definitely need them in case a ransomware manages to sneak into your PC.
Cerber is still distributed via so-called “Blank Slate” malicious spam, but since it enrolled RIG EK and other exploit kits into its distribution scheme, it jumped right into the first position of the most prevalent ransomware list. The latest Cerber variants are scattered in .ZIP files that carry either a .js or Microsoft Word document. The JavaScript file starts acting immediately after its launch, while the Word document asks the victim to enable Macros function. Right after that, the malicious document connects to a server to get a sample of the ransomware and executes it as soon as possible.