An updated version of the Cerber ransomware family is making the rounds, using a new file extension and rendering previous decryption tools useless.
The new Cerber variant was discovered by Trend Micro researcher panicall, who revealed that the malware now appends the .cerber2 extension to the encrypted files, while also packing some under-the-hood changes.
The original Cerber emerged in early March, packing functionality that other ransomware didn’t have: it would run VBScript code packed inside a .vbs file, causing the infected computer to speak to the victim. The malware would set Windows to boot into Safe Mode with Networking, configured itself to start at login, and to execute itself every minute.
Since March, Cerber was seen in multiple campaigns, and was even associated with DDoS (distributed denial of service) attacks. In June, when Locky distribution was down after the Necurs botnet went offline, Cerber’s activity intensified. It was seen morphing every 15 seconds to avoid detection, targeting Office 365 users, and also distributed in a large international campaign.
The same as with other ransomware families, researchers managed to create a decryption tool for Cerber, but the newly spotted Cerber 2 variant removes the weakness that allowed for that to happen. However, the updated ransomware variant includes other changes as well, meant to hinder detection and analysis.
Cerber 2 uses a packer to hide its malicious code. A major improvement over the predecessor is the use of Windows API CryptGenRandom to generate the key used for encryption. The new variant generates a 32 bytes key, while the previous ones used 16 bytes keys.
The ransomware also packs an anti-virus blacklist in its configuration file, which includes the names of some of the most popular anti-malware solutions out there. It also has a blacklist for a dozen countries, including Russia, and performs a series of checks on the compromised system, including the system language, country, the presence of a virtual machine, and for a series of running processes.
According to BleepingComputer, there are also some visual changes in the ransomware, such as the use of an icon from the children’s game Anka. The wallpaper dropped by Cerber 2 was changed to a pixelated background that informs users that their “documents, photos, databases, and other important files have been encrypted.”
More from SecurityWeek News
- Threat Hunting Summit Virtual Event NOW LIVE
- Video: ESG – CISO’s Guide to an Emerging Risk Cornerstone
- Threat Modeling Firm IriusRisk Raises $29 Million
- SentinelOne Announces $100 Million Venture Fund
- Today: 2022 CISO Forum Virtual Event
- Cymulate Closes $70M Series D Funding Round
- SecurityWeek to Host CISO Forum Virtually September 13-14, 2022: Registration is Open
- Privilege Escalation Flaw Haunts VMware Tools
Latest News
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
