A new variant of the popular Cerber ransomware has emerged that is being distributed via the Magnitude and RIG exploit kits (EKs).
Dubbed Cerber 3.0, researchers discovered the new variant recently as part of a malvertising campaign that has been going on for months. Mostly unchanged from the previous versions, Cerber 3.0 appends a different extension to the encrypted files and drops a new ransom note.
According to TrendMicro, Cerber 3.0 emerged recently as the payload in a malvertising campaign that has been running for months and which affects users all around the world, although it is mainly focused on Taiwan. As part of this campaign, users are served a malicious ad in a pop-up window after they click a video to play, and then they are redirected to the EK landing page.
Magnitude uses a simple redirect script for the job, but RIG opens a background website that displays a screenshot of a legitimate US clothing shopping site in an attempt to make the ad look less suspicious. Recently, RIG was observed testing new infection methods and a different type of URL pattern for command and control (C&C) communications in an attempt to better evade detection.
After successfully infiltrating users’ computers, both Magnitude and RIG would drop Cerber 3.0, TrendMicro researchers say.
Once on the infected machine, Cerber starts encrypting files and appends the .cerber3 extension to them. After completing this operation, the ransomware looks for shadow copies and deletes them as well, to prevent users from restoring their files using this feature.
Just like the initial version of the ransomware, Cerber plays an audio file to inform users that their files have been encrypted. The initial ransom note’s wording is essentially unchanged from the previous versions, and users are even offered a discount, just as before.
What’s worth noting is that the price has dropped from 1.24 Bitcoin to 1 BTC, to reflect “the ever-changing exchange rate of Bitcoins,” researchers say. Should the victim fail to pay the ransom within the first five days, however, the amount doubles.
One other change observed in Cerber 3.0 is a modified ransom note name to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url. The same as before, however, Cerber continues to use the 220.127.116.11/23 range of IP addresses for stats purposes, BleepingComputer’s Lawrence Abrams notes. Moreover, unlike previous variants that used UDP for stats purposes, the new variant uses ICMP packets.
Observed in March as the first ransomware family to “speak” to its victims, Ceber accounted for a quarter of ransomware detections in early July. Courtesy of a massive number of active campaigns, Cerber was estimated to generate $2.3 million in annual revenue for its operators.
Recently seen being dropped by Betabot, Cerber has seen numerous changes over the past few months. In June it was found that the great was morphing every 15 seconds, and it has been employing improved key generation since early August.