SecurityWeek
Cerber 5.0 Ransomware Uses New IP Ranges

The cybercriminals behind the notorious Cerber ransomware family have released three new versions of the malware this week, with the most notable change being the addition of new IP ranges in Cerber 5.0.

Initially spotted in early March, Cerber took a different approach to informing users that they have been infected: it included a .vbs file with a VBScript that caused the compromised machine to speak to the victim. Adding the .CERBER extension to encrypted files, the threat was also observed scanning all accessible network shares for files to encrypt.

Used in massive campaigns worldwide, including one targeting Office 365 users, Cerber has seen numerous upgrades since March, with the second major release observed in early August. Available to other cybercriminals via the ransomware-as-a-service model, Cerber was estimated in August to generate $2.3 million in annual revenue.

Cerber 4.0, the latest major variant of the malware, was released about a month and a half ago, roughly one week after the threat was observed killing database processes on the infected machines and just over a month after Cerber 3.0 emerged.

On Thursday, security researchers observed version 5.0 of the ransomware being distributed, less than 24 hours after version 4.1.6 had been released. Several hours later, version 5.0.1 also emerged, showing that the malware’s developers are aggressively updating their software.

While analyzing Cerber 5.0, Check Point security researchers noticed that it uses new IP ranges for its command and control (C&C) communication. One of the IP ranges had already been observed in version 4.1.6, but the rest appear to be brand new. Just as before, the researchers explain, the malware broadcasts messages to all IP addresses in those ranges via UDP.

Other changes in the new variant include the fact that it skips 640 bytes when encrypting a file (compared to 512 bytes before), and that it doesn’t encrypt files smaller than 2,560 bytes (compared to 1,024 bytes before). Moreover, the ransomware now also targets files that feature the .secret extension.

At the moment, the ransomware is being distributed via spam emails and exploit kits, specifically the Rig-V exploit kit. As with the previous variants, the malware randomly generates the extension of each encrypted file from four random alphabetic letters.
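As an added example (not from the article or from Check Point's analysis), the following Python triage heuristic flags files that match the Cerber 5.0 fingerprint described above: a four-letter alphabetic extension, a size of at least 2,560 bytes, and ciphertext-like entropy in the data after the skipped 640-byte prefix. It assumes the skipped bytes are the head of the file and uses an assumed threshold of 7.5 bits/byte; the sample files are constructed for the demonstration.

```python
import math
import os
import re
import tempfile

# Behaviour of Cerber 5.0 as reported above. Assumption: the 640 skipped
# bytes are the file head, so ciphertext starts at offset 640.
SKIPPED_PREFIX = 640
MIN_ENCRYPTED_SIZE = 2560
EXT_PATTERN = re.compile(r"^\.[A-Za-z]{4}$")  # 4 random alphabetic letters
HIGH_ENTROPY = 7.5  # bits/byte; assumed threshold for "looks like ciphertext"

def shannon_entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte (0.0 for empty input).
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_cerber5_encrypted(path: str) -> bool:
    # Triage: 4-letter extension, >= 2,560 bytes, high entropy after offset 640.
    if os.path.getsize(path) < MIN_ENCRYPTED_SIZE:
        return False
    if not EXT_PATTERN.match(os.path.splitext(path)[1]):
        return False
    with open(path, "rb") as f:
        f.seek(SKIPPED_PREFIX)
        return shannon_entropy(f.read()) >= HIGH_ENTROPY

def scan_directory(root: str) -> list:
    # Return the names of files under root that match the heuristic, sorted.
    hits = []
    for dirpath, _, names in os.walk(root):
        hits += [n for n in names if looks_cerber5_encrypted(os.path.join(dirpath, n))]
    return sorted(hits)

def make_sample_dir() -> str:
    # Constructed samples: one file shaped like Cerber 5.0 output (plain head,
    # 8-bit-entropy body), a plain-text decoy with a 4-letter extension, and a
    # high-entropy file that is below the size threshold.
    root = tempfile.mkdtemp()
    head = (b"Quarterly report, FY2016 -- draft\r\n" * 20)[:SKIPPED_PREFIX]
    body = bytes(range(256)) * 16  # entropy exactly 8.0 bits/byte
    samples = {"report.qwer": head + body, "notes.text": b"meeting notes\n" * 200,
               "tiny.zxcv": body[:1024]}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Only `report.qwer` should be reported for the constructed directory; the decoy fails the entropy check and the small file fails the size check.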

The malware continues to search for databases and their associated files, and can encrypt various database file types, Check Point says. It drops a ransom note on the desktop to inform users of the infection, and also drops an interactive .hta file with information in several languages. The rest of its features are unchanged from the previous releases.

Related: Fake ISP Complaint Emails Distribute Locky Ransomware Variant

Related: TeleCrypt Ransomware’s Encryption Cracked

Written by Ionut Arghire, an international correspondent for SecurityWeek.