NOVEMBER 02, 2016
Cerber Ransomware 4.1.0 was recently released and now displays its version number in the ransom note used as the Windows desktop background. In the past, the only way to determine the version of the installed Cerber variant was to examine the extension appended to encrypted files. Now this information is readily available in the ransom note, as seen below.
Update 11/1/16: Soon after publishing this article, it was discovered that version 4.1.1 of Cerber was released.
Cerber Version in the Wallpaper
Like the previous version we wrote about in early October, this version continues to use an extension for encrypted files that is based on the computer's MachineGuid value of the HKLM\Software\Microsoft\Cryptography registry key. According to Fortinet:
While the main ransom note continues to be displayed in an HTA file called Readme.hta, there are some other differences going on in the background. For example, recent Cerber versions switched to a new range of IP addresses to which they send UDP packets for statistical purposes. This range is 22.214.171.124/22.
Cerber Statistics UDP Packets
Finally, in this version I have noticed an HTTP request being performed to a Bitcoin blockchain explorer at http://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1478029284382. This URL will return a JSON document containing transaction information for the 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt bitcoin address.
A small snippet of the returned information is seen below.
It is currently unknown what the purpose of this request is.
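A defender-side triage of the two network behaviours described above (UDP packets to the statistics range and the block explorer lookup), as an added example that is not part of the original article. The log format, the sample records and the function names are constructed for illustration; the IP range, host and URL path are the ones printed in the article.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators exactly as printed in the article. strict=False is needed because
# the article gives a host address with a /22 prefix, not the network base.
STATS_RANGE = ipaddress.ip_network("22.214.171.124/22", strict=False)
EXPLORER_HOST = "btc.blockr.io"
TXS_PATH = re.compile(r"^/api/v1/address/txs/[1-9A-HJ-NP-Za-km-z]{26,35}(?:\?|$)")

# Constructed sample records in an assumed format (not real traffic):
#   flow: <src> udp|tcp <dst>        http: <src> http <host> <path>
SAMPLE_LOG = """\
10.0.0.15 udp 22.214.168.9
10.0.0.15 udp 22.214.171.200
10.0.0.15 http btc.blockr.io /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1478029284382
10.0.0.22 udp 22.214.172.1
10.0.0.22 tcp 22.214.170.5
10.0.0.31 http btc.blockr.io /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt
10.0.0.40 http example.org /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt
malformed line
"""


def triage(log_text):
    """Return {source host: set of matched behaviours} for either indicator."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "udp":
            try:
                dst = ipaddress.ip_address(parts[2])
            except ValueError:
                continue  # unparsable destination, skip the record
            if dst in STATS_RANGE:
                hits[parts[0]].add("udp_stats_range")
        elif len(parts) == 4 and parts[1] == "http":
            if parts[2].lower() == EXPLORER_HOST and TXS_PATH.match(parts[3]):
                hits[parts[0]].add("explorer_txs_lookup")
    return dict(hits)


def high_confidence(hits):
    """Hosts showing both behaviours; a host with both is the stronger lead."""
    return sorted(h for h, seen in hits.items() if len(seen) == 2)


if __name__ == "__main__":
    print(high_confidence(triage(SAMPLE_LOG)))
```

A block explorer lookup on its own can be ordinary user activity, so the script only promotes hosts that also sent UDP into the statistics range.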
News Courtesy: http://www.bleepingcomputer.com/news/security/cerber-ransomware-4-10-now-shows-the-version-number-in-ransom-notes/