Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Cerber 3.0 Ransomware Variant Emerges

A new variant of the popular Cerber ransomware has emerged that is being distributed via the Magnitude and RIG exploit kits

A new variant of the popular Cerber ransomware has emerged that is being distributed via the Magnitude and RIG exploit kits (EKs).

Dubbed Cerber 3.0, researchers discovered the new variant recently as part of a malvertising campaign that has been going on for months. Mostly unchanged from the previous versions, Cerber 3.0 appends a different extension to the encrypted files and drops a new ransom note.

According to TrendMicro, Cerber 3.0 emerged recently as the payload in a malvertising campaign that has been running for months and which affects users all around the world, although it is mainly focused on Taiwan. As part of this campaign, users are served a malicious ad in a pop-up window after they click a video to play, and then they are redirected to the EK landing page.

Magnitude uses a simple redirect script for the job, but RIG opens a background website that displays a screenshot of a legitimate US clothing shopping site in an attempt to make the ad look less suspicious. Recently, RIG was observed testing new infection methods and a different type of URL pattern for command and control (C&C) communications in an attempt to better evade detection.

After successfully infiltrating users’ computers, both Magnitude and RIG would drop Cerber 3.0, TrendMicro researchers say.

Once on the infected machine, Cerber starts encrypting files and appends the .cerber3 extension to them. After completing this operation, the ransomware looks for shadow copies and deletes them as well, to prevent users from restoring their files using this feature.

Just like the initial version of the ransomware, Cerber plays an audio file to inform users that their files have been encrypted. The initial ransom note’s wording is essentially unchanged from the previous versions, and users are even offered a discount, just as before.

What’s worth noting is that the price has dropped from 1.24 Bitcoin to 1 BTC, to reflect “the ever-changing exchange rate of Bitcoins,” researchers say. Should the victim fail to pay the ransom within the first five days, however, the amount doubles.

One other change observed in Cerber 3.0 is a modified ransom note name to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url. The same as before, however, Cerber continues to use the range of IP addresses for stats purposes, BleepingComputer’s Lawrence Abrams notes. Moreover, unlike previous variants that used UDP for stats purposes, the new variant uses ICMP packets.

Observed in March as the first ransomware family to “speak” to its victims, Ceber accounted for a quarter of ransomware detections in early July. Courtesy of a massive number of active campaigns, Cerber was estimated to generate $2.3 million in annual revenue for its operators.

Recently seen being dropped by Betabot, Cerber has seen numerous changes over the past few months. In June it was found that the great was morphing every 15 seconds, and it has been employing improved key generation since early August.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.