
Cerber 4.0 Fuels New Wave of Ransomware Attacks

The latest variant of the notorious Cerber ransomware family is currently featured in several infection campaigns, security researchers warn.

Dubbed Cerber 4.0, the malware version emerged in early October and appears to have already become highly popular among cybercriminals for use in malvertising campaigns. What’s more, three of the most used exploit kits (EKs) at the moment, namely RIG, Neutrino, and Magnitude, have all switched to Cerber 4.0 recently.

Released one month after Cerber 3.0, the new variant appends a randomly generated file extension to encrypted files (earlier versions used .cerber, .cerber2 and, most recently, .cerber3) and has shifted from an HTML ransom note to an HTA one.
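A small hunting heuristic for the two behaviours just described, added here as an example; it is not code from the article or from Trend Micro. Because the extension is randomly generated per infection, a signature on a fixed string such as .cerber3 no longer works, but the encrypted files in a victim directory still share one unknown, random-looking extension, and an .hta note is dropped beside them. The sample file listing, the extension allowlist, the "3 to 8 lowercase alphanumeric characters" pattern and the minimum file count are constructed assumptions; the page only says the extension is random and the note is an HTA file.

```python
import posixpath
import re
from collections import Counter, defaultdict

# Constructed sample listing for the demo (not real victim data). The first
# directory mimics the behaviour described above: every document rewritten
# with one random-looking extension, plus an .hta ransom note dropped next
# to them. The second directory is clean and must not be flagged.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx.a1f3",
    "C:/Users/alice/Documents/thesis.docx.a1f3",
    "C:/Users/alice/Documents/photo.jpg.a1f3",
    "C:/Users/alice/Documents/notes.txt.a1f3",
    "C:/Users/alice/Documents/README.hta",
    "C:/Users/alice/Downloads/setup.exe",
    "C:/Users/alice/Downloads/report.pdf",
    "C:/Users/alice/Downloads/archive.zip",
    "C:/Users/alice/Downloads/notes.txt",
]

# Assumed allowlist of known-good extensions. Extend it for your environment;
# an extension missing from the set is merely "unknown", not malicious.
KNOWN_EXTENSIONS = {
    "txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "jpeg",
    "png", "gif", "zip", "rar", "7z", "exe", "dll", "msi", "mp3", "mp4",
    "html", "htm", "csv", "xml", "json", "log", "ini", "bak", "db", "sql",
}

# Assumed shape of a random extension: short, lowercase alphanumeric.
RANDOM_EXT = re.compile(r"^[a-z0-9]{3,8}$")


def extension_of(path):
    """Return the final extension of path without the dot, lowercased."""
    ext = posixpath.splitext(path)[1]
    return ext[1:].lower() if ext else ""


def is_unknown_random_extension(ext):
    """True for an extension outside the allowlist that looks random."""
    return ext not in KNOWN_EXTENSIONS and RANDOM_EXT.fullmatch(ext) is not None


def find_suspect_directories(paths, min_files=3):
    """Flag directories where at least min_files files share one unknown,
    random-looking extension, and record whether an .hta file sits with them.
    Returns a list of finding dicts sorted by directory."""
    per_dir_ext = defaultdict(Counter)
    hta_in_dir = set()
    for path in paths:
        directory = posixpath.dirname(path)
        ext = extension_of(path)
        if ext == "hta":
            hta_in_dir.add(directory)
        elif is_unknown_random_extension(ext):
            per_dir_ext[directory][ext] += 1

    findings = []
    for directory, counts in per_dir_ext.items():
        ext, count = counts.most_common(1)[0]
        if count >= min_files:
            findings.append({
                "directory": directory,
                "extension": ext,
                "files": count,
                "hta_note_present": directory in hta_in_dir,
            })
    return sorted(findings, key=lambda f: f["directory"])


if __name__ == "__main__":
    for finding in find_suspect_directories(SAMPLE_LISTING):
        print(finding)
```

Run it against a file listing exported from a suspect host (or feed `os.walk` output into `find_suspect_directories`). A directory that trips the shared-extension threshold and also contains an .hta file is a strong lead; a shared unknown extension on its own is only a lead, since build artefacts and proprietary formats can produce the same pattern, so tune `KNOWN_EXTENSIONS` and `min_files` before alerting on it.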

Already one of the most prominent ransomware families of 2016 – a highly successful Ransomware-as-a-service (RaaS) – Cerber has received rapid updates that increased its popularity among EKs, Trend Micro security researchers say.

Most recently, Cerber 4.0 was seen being dropped by RIG, currently the most active EK, in a malvertising campaign known as PseudoDarkleech. The constantly changing campaign previously distributed ransomware such as CrypMIC and CryptXXX but switched to Cerber 4.0 on Oct. 1, researchers say.

Another malvertising campaign now dropping Cerber 4.0 leverages the Magnitude exploit kit, which has long been used to deliver Cerber variants. Since October 3, Magnitude has been continuously dropping Cerber 4.0 onto target devices in Asia: Taiwan, Korea, Hong Kong, Singapore and China.

Additionally, a campaign that usually employs a casino-themed fake advertisement and previously delivered the Andromeda or Betabot malware switched to Cerber 4.0 on Oct. 4. The campaign, which had never before distributed Cerber, used RIG to drop the new ransomware variant, researchers say. Previously, Betabot was seen dropping Cerber as a secondary payload.

Another campaign distributing Cerber 4.0 since October 3 leverages the Neutrino exploit kit and targets users in the US, Germany, Spain, Taiwan and Korea. Neutrino’s operators recently said they were closing shop, but it appears they may merely have entered a private mode in which only VIP clients handling larger operations have access to the toolkit.

“Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities,” Trend Micro researchers note.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
