Security Experts:

Connect with us

Hi, what are you looking for?



New Cerber Ransomware Variant Packs Improved Key Generation

An updated version of the Cerber ransomware family is making the rounds, using a new file extension and rendering previous decryption tools useless.

An updated version of the Cerber ransomware family is making the rounds, using a new file extension and rendering previous decryption tools useless.

The new Cerber variant was discovered by Trend Micro researcher panicall, who revealed that the malware now appends the .cerber2 extension to the encrypted files, while also packing some under-the-hood changes.

The original Cerber emerged in early March, packing functionality that other ransomware didn’t have: it would run VBScript code packed inside a .vbs file, causing the infected computer to speak to the victim. The malware would set Windows to boot into Safe Mode with Networking, configured itself to start at login, and to execute itself every minute.

Since March, Cerber was seen in multiple campaigns, and was even associated with DDoS (distributed denial of service) attacks. In June, when Locky distribution was down after the Necurs botnet went offline, Cerber’s activity intensified. It was seen morphing every 15 seconds to avoid detection, targeting Office 365 users, and also distributed in a large international campaign.

The same as with other ransomware families, researchers managed to create a decryption tool for Cerber, but the newly spotted Cerber 2 variant removes the weakness that allowed for that to happen. However, the updated ransomware variant includes other changes as well, meant to hinder detection and analysis.

Cerber 2 uses a packer to hide its malicious code. A major improvement over the predecessor is the use of Windows API CryptGenRandom to generate the key used for encryption. The new variant generates a 32 bytes key, while the previous ones used 16 bytes keys.

The ransomware also packs an anti-virus blacklist in its configuration file, which includes the names of some of the most popular anti-malware solutions out there. It also has a blacklist for a dozen countries, including Russia, and performs a series of checks on the compromised system, including the system language, country, the presence of a virtual machine, and for a series of running processes.

According to BleepingComputer, there are also some visual changes in the ransomware, such as the use of an icon from the children’s game Anka. The wallpaper dropped by Cerber 2 was changed to a pixelated background that informs users that their “documents, photos, databases, and other important files have been encrypted.”


Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...