Cerber Ransomware Updated Again, Adds Random File Extension


Researchers report that the criminal gang behind the vicious Cerber Ransomware has released a new version of their threat, which includes some new features.

First, the ransomware no longer appends the static “.Cerber3” extension to every encrypted file. Instead, it now uses a random four-character one. Second, this new Cerber version uses an HTA file for its ransom note. And last but not least, the ransomware is now able to terminate various database processes before encrypting any files.

When a victim is infected with this new version and their files are encrypted, the ransomware not only scrambles the file name but also changes the extension. For example, a file which would previously have been encrypted as “4AgFiBy5no.cerber3” will now be locked as “7gFTGmukZM.b91c”, or something equally random.

This Cerber variant uses an HTA file as its ransom note, named “README.hta”. When launched, the ransom note appears in an application window and shows the usual note.

The security researcher BloodDolly also adds that the updated version includes new database processes, which are closed by the “close_process” directive in Cerber’s configuration. This directive commands the ransomware to end certain processes before starting the encryption process. The processes which are being terminated are the following:

"msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe","oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe","agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe","agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe","ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"

The processes are closed so that their data files can be encrypted. Cerber may not be able to encrypt the corresponding data files if the processes are running during the encryption, because the files are locked by the running process.

Researchers say that this updated Cerber version is also sending UDP packets to the 31.184.234.0/23 range for statistical purposes.
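The three behaviours described above (a burst of renames to one random four-character extension, termination of the database processes named in the “close_process” list, and UDP traffic to 31.184.234.0/23) can be triaged from host and network telemetry. The following is an added example for defenders, not code from the article or from BloodDolly; the sample file names, process events and flows are constructed, and the ten-alphanumeric-plus-four-hex file-name pattern is an assumption generalised from the two examples on this page.

```python
import ipaddress
import re
from collections import Counter

# Process names the article lists under Cerber's "close_process" directive,
# copied verbatim (including its oddly concatenated "agntsvc.exe..." entries).
CERBER_CLOSE_PROCESS = {
    "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe",
    "sqlwriter.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe",
    "mydesktopqos.exe", "agntsvc.exeisqlplussvc.exe", "xfssvccon.exe",
    "mydesktopservice.exe", "ocautoupds.exe", "agntsvc.exeagntsvc.exe",
    "agntsvc.exeencsvc.exe", "firefoxconfig.exe", "tbirdconfig.exe",
    "ocomm.exe", "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe",
    "dbeng50.exe", "sqbcoreservice.exe",
}
# Statistics-beacon range named in the article.
BEACON_NET = ipaddress.ip_network("31.184.234.0/23")
# ASSUMPTION: 10 alphanumeric chars + 4 hex chars, generalised from the
# examples "7gFTGmukZM.b91c" / "7qmVrjvH1c.98b8"; the article only says "random".
ENCRYPTED_NAME = re.compile(r"^[A-Za-z0-9]{10}\.[0-9a-f]{4}$")

def suspicious_extension(filenames, min_files=5):
    """Return the 4-char extension shared by >= min_files Cerber-looking names, else None.
    One matching name is noise; many renames to the same extension is the signal."""
    counts = Counter(n.rsplit(".", 1)[1] for n in filenames if ENCRYPTED_NAME.match(n))
    ext, hits = counts.most_common(1)[0] if counts else (None, 0)
    return ext if hits >= min_files else None

def killed_db_processes(terminated):
    """Return (lower-cased, sorted) terminated process names found in Cerber's kill list."""
    return sorted({p.lower() for p in terminated if p.lower() in CERBER_CLOSE_PROCESS})

def beacon_destinations(flows):
    """Return UDP destination IPs that fall inside 31.184.234.0/23 (TCP is ignored)."""
    return [dst for proto, dst in flows if proto == "udp" and ipaddress.ip_address(dst) in BEACON_NET]

def triage(filenames, terminated, flows):
    """Combine the three indicators into one verdict dictionary."""
    return {
        "encrypted_extension": suspicious_extension(filenames),
        "ransom_note": any(n.lower() == "readme.hta" for n in filenames),
        "killed_db_processes": killed_db_processes(terminated),
        "beacons": beacon_destinations(flows),
    }

if __name__ == "__main__":  # constructed sample telemetry
    files = ["7gFTGmukZM.b91c", "7qmVrjvH1c.b91c", "Ab12Cd34Ef.b91c",
             "Zz99Yy88Xx.b91c", "Qq11Ww22Ee.b91c", "README.hta", "budget.xlsx"]
    print(triage(files, ["SQLSERVR.EXE", "explorer.exe"], [("udp", "31.184.235.7"), ("udp", "8.8.8.8")]))
```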

Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and network security, and online safety. If you have any questions, feel free to ask him right now.

2 COMMENTS

  1. Hi, I am lost. I finally removed the virus and all the README.HTA files are gone, but unfortunately I have plenty of encrypted files with the extension .98b8, so I have many files with different names but the same extension and date, for example 7qmVrjvH1c.98b8 with this modification date: 04/10/2016 02:00.

    I need help to recover my files. Could someone help me find a decrypter???

    Many thanks in advance
