Oh joy! A new Cerber ransomware version!

Oct 12, 2016 22:25 GMT  ·  By

There's always something happening in "Ransomwareland," and the latest update from this corner of the cyber-crime underground concerns the highly efficient and hugely popular Cerber ransomware, which has just received a major update with the release of v4.0.

Right there with Locky and CryptXXX, Cerber is one of today's most active ransomware threats. It receives constant updates that change the ransomware's signature and mode of operation so that it passes undetected by security software for as long as possible.

Cerber has received major updates for the past three months

Released at the start of 2016, Cerber has spent a lot of time at v1.0, with small updates here and there, but never something major.

Something changed behind the scenes this summer, in August, after which the ransomware has received major updates at the beginning of each month.

Crooks released Cerber v2.0 at the start of August, then Cerber v3.0 at the start of September, and now they've released Cerber v4.0 which, according to security researcher Kafeine, is sold online as part of a rentable Ransomware-as-a-Service platform.

Cerber v4.0 available online as a RaaS offering

The ads, written in Russian and available at the end of this article, provide a series of clues of what's new in Cerber v4.0.

Kafeine says he spotted the ads on October 1, at the same time new Cerber versions started appearing on his radar.

Three days later, other security researchers also noted the launch of the new version, which, among other things, featured a new ransom note, new Tor payment URLs, a random file extension instead of the previous .CERBER3, and a focus on shutting down database processes. Terminating a database server releases the locks it holds on its data files, which lets the ransomware encrypt those files too; the goal is encryption for ransom, not theft of the database contents.

Cerber v4.0 distributed via three major malvertising campaigns

According to Trend Micro, Cerber v4.0 is already infecting users, being distributed via at least three major malvertising campaigns.

The first campaign originates from the Magnitude exploit kit, a private exploit kit operated by a single gang. It is no surprise to see Magnitude push Cerber v4 before everyone else, since the Magnitude gang was one of Cerber's early adopters and has pushed only Cerber, and no other ransomware, ever since Cerber first came out.

The second malvertising campaign is tracked as PseudoDarkleech, and before switching to Cerber v4.0, these crooks distributed the CrypMIC and CryptXXX ransomware families for months. This group currently uses the RIG exploit kit, after previously dropping the Neutrino exploit kit.

But Neutrino is not dead and appears to have gone private, just like Magnitude. According to Trend Micro, Neutrino is behind a smaller malvertising campaign that is also pushing Cerber v4.0.

To fend off ransomware infections, Trend Micro offers some of the best advice we've seen anywhere:

  Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 3-2-1 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.  

Cerber Ransomware 4.0 (underground advertisement, translated from Russian)
– FUD (fully undetectable) on the top antivirus products (scan-time / run-time)
– Bypasses activity monitoring (mass file modification detection, honeypot files, etc.)
– Bypasses all known anti-ransomware programs
– 5 crypters working 7 days a week
– Updated morpher
– New instructions in 13 languages + new desktop background
– Domain synchronization via the blockchain (it no longer matters whether the landing domain has been banned or not)
– Random extension for encrypted files, updated encryption algorithm
– New file types to encrypt
– Terminates running processes of all the top databases
– Updated JS loader
– New onion domains and much more.
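Two of the advertised traits, random extensions on encrypted files and termination of database processes, are also the behaviours a defender can watch for on an endpoint. The following is an added example written for this article, not code from the original page, from Trend Micro or from any product: a small Python heuristic run over constructed endpoint telemetry. The event format, the database process names, the known-extension list and the thresholds are all assumptions made for the example.

```python
"""Behavioural heuristic for two Cerber v4.0 traits from the ad above:
mass renames to an unknown extension and killing of database processes.
Added example; event format, process names and thresholds are assumed."""
import re
from collections import defaultdict

# Constructed endpoint telemetry, one event per line: "seconds|pid|event|detail".
# These are made-up lines for the example, not real Cerber traces.
SAMPLE_EVENTS = """\
100|4242|kill|sqlservr.exe
100|4242|kill|mysqld.exe
101|4242|rename|C:\\data\\report.docx -> C:\\data\\report.docx.k8sj
101|4242|rename|C:\\data\\budget.xlsx -> C:\\data\\budget.xlsx.k8sj
102|4242|rename|C:\\data\\notes.txt -> C:\\data\\notes.txt.k8sj
102|4242|rename|C:\\data\\photo.jpg -> C:\\data\\photo.jpg.k8sj
103|4242|rename|C:\\data\\plan.pdf -> C:\\data\\plan.pdf.k8sj
150|1337|rename|C:\\build\\app.tmp -> C:\\build\\app.exe
151|1337|rename|C:\\build\\app.log -> C:\\build\\app.log.bak
"""

# Assumed list of database server processes a ransomware might terminate
# so the data files they hold open can be encrypted.
DB_PROCESSES = {"sqlservr.exe", "mysqld.exe", "oracle.exe", "postgres.exe"}
# Assumed allow-list of extensions considered ordinary on this host.
KNOWN_EXTENSIONS = {"exe", "dll", "txt", "docx", "xlsx", "pdf", "jpg",
                    "png", "tmp", "log", "zip"}
MASS_RENAME_THRESHOLD = 5   # assumed: suspicious renames by one pid ...
WINDOW_SECONDS = 60         # ... within this many seconds

_RENAME = re.compile(r"^(?P<src>.+?) -> (?P<dst>.+)$")


def parse_event(line):
    ts, pid, kind, detail = line.split("|", 3)
    return int(ts), int(pid), kind, detail


def extension_of(path):
    """Last extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_random(ext):
    """Short alphanumeric extension that is not a known file type.
    Heuristic only: a legitimate but unusual extension also passes."""
    if ext in KNOWN_EXTENSIONS or not (3 <= len(ext) <= 10):
        return False
    return ext.isalnum()


def analyse(event_text):
    """Return {pid: sorted findings} for pids showing either behaviour."""
    suspicious = defaultdict(list)   # pid -> timestamps of odd renames
    findings = defaultdict(set)
    for line in event_text.splitlines():
        if not line.strip():
            continue
        ts, pid, kind, detail = parse_event(line)
        if kind == "kill" and detail.lower() in DB_PROCESSES:
            findings[pid].add("db_process_kill")
        elif kind == "rename":
            m = _RENAME.match(detail)
            if not m:
                continue
            old, new = extension_of(m["src"]), extension_of(m["dst"])
            if new != old and looks_random(new):
                suspicious[pid].append(ts)
    # Sliding window: flag a pid once it has THRESHOLD odd renames in WINDOW.
    for pid, stamps in suspicious.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= MASS_RENAME_THRESHOLD:
                findings[pid].add("mass_random_extension")
                break
    return {pid: sorted(f) for pid, f in findings.items()}


if __name__ == "__main__":
    for pid, hits in analyse(SAMPLE_EVENTS).items():
        print(pid, hits)
```

In the constructed sample, pid 4242 trips both rules while pid 1337, which renames one file to an unusual but harmless .bak extension, stays under the threshold. A kill of a database process immediately followed by a burst of renames from the same process is the combination worth alerting on; either signal alone produces false positives (build systems, backup tools, legitimate DB restarts).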