News

NOVEMBER 02, 2016

Cerber Ransomware 4.1.0 was released recently and now displays its version number in the ransom note used as the Windows desktop background. In the past, the only way to determine the version of the installed Cerber variant was to examine the extension appended to encrypted files. Now this information is readily available in the ransom note, as seen below.

Update 11/1/16: Soon after this article was published, it was discovered that version 4.1.1 of Cerber had been released.

[Image: Cerber Version in the Wallpaper]

Like the previous version we wrote about in early October, this version continues to use an extension for encrypted files that is derived from the MachineGuid value in the HKLM\Software\Microsoft\Cryptography registry key. According to Fortinet:

[Image: Fortinet information on the MachineGuid-derived extension]
While the main ransom note is still delivered as an HTA file called Readme.hta, there are other differences in the background. For example, recent Cerber versions switched to a new range of IP addresses to which the ransomware sends UDP packets for statistical purposes. This range is 194.165.16.0/22.

[Image: Cerber Statistics UDP Packets]

Finally, in this version I have noticed an HTTP request to the Bitcoin blockchain explorer at http://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1478029284382. This URL returns a JSON document containing the transaction history of the bitcoin address 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt.

A small snippet of the returned information is seen below.

[Image: snippet of the returned JSON]
It is currently unknown what the purpose of this request is.
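Both network behaviours described above, the UDP statistics traffic to 194.165.16.0/22 and the HTTP request to btc.blockr.io for the quoted bitcoin address, are easy to turn into a network-log check. The script below is an added example written for this page, not code from the article or from BleepingComputer. The log format it parses ("src proto dst[:port] [url]") and the sample lines are constructed for the example; the indicator values are the ones the article gives.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the article text.
STATS_RANGE = ipaddress.ip_network("194.165.16.0/22")   # Cerber UDP statistics range
BLOCKR_HOST = "btc.blockr.io"                            # blockchain explorer host
BTC_ADDRESS = "17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt"      # address queried by the sample

# Constructed sample log lines (not real captures). Assumed format:
#   <src> <proto> <dst>[:<port>] [<url>]
SAMPLE_LOGS = """\
10.0.0.5 udp 194.165.17.42:6892
10.0.0.5 udp 8.8.8.8:53
10.0.0.7 http 104.20.12.5:80 http://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1478029284382
10.0.0.9 http 93.184.216.34:80 http://example.com/
10.0.0.5 udp 194.165.19.255:6892
10.0.0.11 udp 194.165.20.1:6892
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    src, proto, dst = parts[0], parts[1].lower(), parts[2]
    url = parts[3] if len(parts) > 3 else None
    host, sep, port = dst.rpartition(":")
    if not sep:                      # no ":port" suffix present
        host, port = dst, None
    return {"src": src, "proto": proto, "dst": host,
            "port": int(port) if port else None, "url": url}


def classify(event):
    """Return the list of indicator names matched by one parsed event."""
    hits = []
    if event["proto"] == "udp":
        try:
            # Membership test covers the whole /22 (194.165.16.0 - 194.165.19.255).
            if ipaddress.ip_address(event["dst"]) in STATS_RANGE:
                hits.append("cerber_stats_udp")
        except ValueError:
            pass                     # destination was a hostname, not an address
    if event["url"]:
        u = urlsplit(event["url"])
        if u.hostname == BLOCKR_HOST:
            hits.append("blockr_api_request")
            if BTC_ADDRESS in u.path:
                hits.append("cerber_btc_address")
    return hits


def scan(log_text):
    """Return (src, dst, hits) for every line matching at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        hits = classify(event)
        if hits:
            alerts.append((event["src"], event["dst"], hits))
    return alerts


if __name__ == "__main__":
    for src, dst, hits in scan(SAMPLE_LOGS):
        print(f"{src} -> {dst}: {', '.join(hits)}")
```

The UDP match is on the whole /22 rather than on a single address, since the article only pins down the range; the blockr.io match is split into "any request to the explorer" and "request for this specific address", so a hit on the host alone can be triaged separately from one that names the address the sample queried.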

News courtesy: http://www.bleepingcomputer.com/news/security/cerber-ransomware-4-10-now-shows-the-version-number-in-ransom-notes/