The most active ransomware in the world receives an update

Aug 6, 2016 21:45 GMT  ·  By

Cerber, the most active ransomware in the past month, has received a major update in the last weeks, breaking a previous decryption tool that allowed users to recover their files for free, without paying the ransom.

Cerber, which appeared at the start of 2016, is a piece of ransomware that was easy to remember because it included a feature that read the ransom message out loud in several languages.

As time went by, this quirky ransomware became one of the most common threats seen today, mainly because researchers didn't manage to crack it, and crooks started to trust it more.

Cerber v2 breaks Trend Micro's free decrypter

That eventually happened a few weeks back, when researchers from Trend Micro created an all-purpose ransomware decrypter that could recover files locked by a few ransomware families, including Cerber.

Since then, it appears that the crooks behind Cerber have continued to work on their tool, updating it to fix the encryption routine and break the decrypter.

According to Trend Micro researcher PanicAll, there have been two new major Cerber versions, v1.5 and v2.

Cerber received two major upgrades

The first, v1.5, changed the encryption routine, while v2 itself changed the extension appended to each encrypted file, which is now .cerber2 instead of the previous .cerber.

Technically, Cerber v2 uses Microsoft's CryptGenRandom API to generate its encryption keys, which are now 32 bytes long instead of 16.

The configuration of Cerber v2 prevents the ransomware from starting on PCs running security software like ArcaBit, ArcaVir, Avast, Bitdefender, BullGuard, CA, Emsisoft, ESET, eTrust, F-Secure, Kaspersky, LavaSoft, and TrustPort.

Additionally, the ransomware will not start if it detects OS languages for the following countries: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

V2 currently targets 456 file types in its encryption routine, making it by far one of the most broad-reaching ransomware variants. Cerber has also updated its ransom screen, which now looks like this.
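The extension change from .cerber to .cerber2 is the one artifact of the upgrade a responder can check for directly on disk. The following triage helper is an added example, not code from the article or from Trend Micro: it groups files carrying either extension by directory and variant, ignoring directories with only a stray hit, and runs here over a constructed file listing (the paths and the three-hit threshold are assumptions for illustration).

```python
import os
from collections import Counter, defaultdict

# Extensions Cerber appends to encrypted files, per the article:
# ".cerber" for the original/v1.5 builds, ".cerber2" for v2.
CERBER_EXTENSIONS = {".cerber": "Cerber v1/v1.5", ".cerber2": "Cerber v2"}


def classify_path(path):
    """Return the Cerber variant label for an encrypted-looking file, else None."""
    ext = os.path.splitext(path)[1].lower()
    return CERBER_EXTENSIONS.get(ext)


def triage(paths, min_hits=3):
    """Group suspected Cerber-encrypted files by directory and variant.

    Returns {directory: {variant: count}} for directories with at least
    `min_hits` matching files; fewer hits are treated as noise (a single
    odd extension is not evidence of an encryption run).
    """
    per_dir = defaultdict(Counter)
    for p in paths:
        variant = classify_path(p)
        if variant:
            per_dir[os.path.dirname(p)][variant] += 1
    return {d: dict(c) for d, c in per_dir.items() if sum(c.values()) >= min_hits}


def scan_tree(root):
    """Walk a real directory tree and run triage() over every file path."""
    paths = [os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs]
    return triage(paths)


# Constructed sample listing (not real telemetry): one share hit by v2,
# one clean share with a single older-extension file.
SAMPLE_PATHS = [
    "/srv/share/finance/Q2-report.xlsx.cerber2",
    "/srv/share/finance/budget.docx.cerber2",
    "/srv/share/finance/invoices.pdf.cerber2",
    "/srv/share/finance/readme.txt",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/notes.txt.cerber",
]

if __name__ == "__main__":
    for directory, counts in triage(SAMPLE_PATHS).items():
        print(directory, counts)
```

Point `scan_tree()` at a mounted image or share to run the same logic over a real tree; the variant label tells you whether the Trend Micro decrypter mentioned above could apply to the files found.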

UPDATE: A decrypter for unlocking files encrypted by Cerber v2 is now available.

[Image: Cerber v2 ransom screen]

[Image: New Cerber v2 spotted in the wild]