Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Cerber 3.0 Ransomware Variant Emerges

A new variant of the popular Cerber ransomware has emerged that is being distributed via the Magnitude and RIG exploit kits

A new variant of the popular Cerber ransomware has emerged that is being distributed via the Magnitude and RIG exploit kits (EKs).

Dubbed Cerber 3.0, researchers discovered the new variant recently as part of a malvertising campaign that has been going on for months. Mostly unchanged from the previous versions, Cerber 3.0 appends a different extension to the encrypted files and drops a new ransom note.

According to TrendMicro, Cerber 3.0 emerged recently as the payload in a malvertising campaign that has been running for months and which affects users all around the world, although it is mainly focused on Taiwan. As part of this campaign, users are served a malicious ad in a pop-up window after they click a video to play, and then they are redirected to the EK landing page.

Magnitude uses a simple redirect script for the job, but RIG opens a background website that displays a screenshot of a legitimate US clothing shopping site in an attempt to make the ad look less suspicious. Recently, RIG was observed testing new infection methods and a different type of URL pattern for command and control (C&C) communications in an attempt to better evade detection.

After successfully infiltrating users’ computers, both Magnitude and RIG would drop Cerber 3.0, TrendMicro researchers say.

Once on the infected machine, Cerber starts encrypting files and appends the .cerber3 extension to them. After completing this operation, the ransomware looks for shadow copies and deletes them as well, to prevent users from restoring their files using this feature.

Just like the initial version of the ransomware, Cerber plays an audio file to inform users that their files have been encrypted. The initial ransom note’s wording is essentially unchanged from the previous versions, and users are even offered a discount, just as before.

What’s worth noting is that the price has dropped from 1.24 Bitcoin to 1 BTC, to reflect “the ever-changing exchange rate of Bitcoins,” researchers say. Should the victim fail to pay the ransom within the first five days, however, the amount doubles.

One other change observed in Cerber 3.0 is a modified ransom note name to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url. The same as before, however, Cerber continues to use the range of IP addresses for stats purposes, BleepingComputer’s Lawrence Abrams notes. Moreover, unlike previous variants that used UDP for stats purposes, the new variant uses ICMP packets.

Observed in March as the first ransomware family to “speak” to its victims, Ceber accounted for a quarter of ransomware detections in early July. Courtesy of a massive number of active campaigns, Cerber was estimated to generate $2.3 million in annual revenue for its operators.

Recently seen being dropped by Betabot, Cerber has seen numerous changes over the past few months. In June it was found that the great was morphing every 15 seconds, and it has been employing improved key generation since early August.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.