14 DAY TRIAL // A new version of the Cerber ransomware was released last week, and it is easy to identify based on the .cerber3 extension that it adds to all encrypted files.
The move comes after crooks released version v1.5 and v2 in quick succession at the start of August. Before releasing Cerber v2, the crooks distributed v1 for more than six months, with very small updates, once in a while.
The Cerber gang was forced to issue v2 in order to break a free decrypter provided by the infosec community that was hindering their profits by letting users recover files for free.
Cerber v3 came out most likely to defeat the decrypter for v2
Cerber v2 didn't have a long life as decryptable ransomware because, in mid-August, security researchers from Check Point and IntSights released an in-depth analysis of the entire Cerber infrastructure, which also included a free decrypter capable of unlocking the Cerber v2 version.
Now the Cerber dev team has put out a new version, v3, in an attempt to break the Check Point decryption tool.
According to Jakub Kroustek, AVG researcher, v3 has managed to break the decrypter. For how long it will stay this way, we'll have to wait and see.
Cerber v3 spreads via malvertising
According to Trend Micro researchers, who analyzed Cerber v3, this new version infects users via malvertising, using the RIG and Magnitude exploit kits.
Cerber v3 also features the ransomware's trademark, a TTS (text-to-speech) function that reads out the ransom note out loud. This feature was missing from the last two versions but was a trademark in v1 and made Cerber unique and easy to remember.
Below is a video from Serbian security researcher GrujaRS showing a Cerber v3 infection taking root and locking down a regular PC.
