August 07, 2016
An updated version of the Cerber ransomware family is making the rounds, using a new file extension and rendering previous decryption tools useless.
The new Cerber variant was discovered by Trend Micro researcher panicall, who revealed that the malware now appends the .cerber2 extension to the encrypted files, while also packing some under-the-hood changes.
The original Cerber emerged in early March, packing functionality that other ransomware didn’t have: it would run VBScript code packed inside a .vbs file, causing the infected computer to speak to the victim. The malware would set Windows to boot into Safe Mode with Networking, configured itself to start at login, and to execute itself every minute.
Since March, Cerber was seen in multiple campaigns, and was even associated with DDoS (distributed denial of service) attacks. In June, when Locky distribution was down after the Necurs botnet went offline, Cerber’s activity intensified. It was seen morphing every 15 seconds to avoid detection, targeting Office 365 users, and also distributed in a large international campaign.
The same as with other ransomware families, researchers managed to create a decryption tool for Cerber, but the newly spotted Cerber 2 variant removes the weakness that allowed for that to happen. However, the updated ransomware variant includes other changes as well, meant to hinder detection and analysis.
Cerber 2 uses a packer to hide its malicious code. A major improvement over the predecessor is the use of Windows API CryptGenRandom to generate the key used for encryption. The new variant generates a 32 bytes key, while the previous ones used 16 bytes keys.
The ransomware also packs an anti-virus blacklist in its configuration file, which includes the names of some of the most popular anti-malware solutions out there. It also has a blacklist for a dozen countries, including Russia, and performs a series of checks on the compromised system, including the system language, country, the presence of a virtual machine, and for a series of running processes.
According to BleepingComputer, there are also some visual changes in the ransomware, such as the use of an icon from the children's game Anka. The wallpaper dropped by Cerber 2 was changed to a pixelated background that informs users that their “documents, photos, databases, and other important files have been encrypted.”