Researchers report that the criminal gang behind the vicious Cerber ransomware has released a new version of the malware that includes several new features.
First, the ransomware no longer appends the static “.Cerber3” extension to every encrypted file; instead it now uses a random four-character extension. Second, this new Cerber version uses an HTA file for its ransom note. And last but not least, the ransomware can now terminate various database processes before encrypting any files.
When a victim is infected with this new version and their files are encrypted, the ransomware not only scrambles the file name but also changes the extension. For example, a file that was previously encrypted as “4AgFiBy5no.cerber3” will now be locked as “7gFTGmukZM.b91c”, or a similarly random name.
This Cerber variant uses an HTA file named “README.hta” as its ransom note. When launched, the ransom note opens in an application window and displays the usual note.
Security researcher BloodDolly also notes that the updated version includes new database processes, which are closed by the “close_process” directive in Cerber’s configuration. This directive instructs the ransomware to terminate certain processes before encryption begins. The processes that are terminated are the following:
The processes are closed so that their data files can be encrypted; Cerber may be unable to encrypt the corresponding data files while those processes are running.
Researchers also say that this updated Cerber version sends UDP packets to the 220.127.116.11/23 range for statistical purposes.
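The two observable indicators described above, the renamed-file pattern plus a README.hta dropped alongside, and the UDP traffic to the quoted /23, can be turned into simple detection checks. The following is an added example written for this article, not code from the researchers or from any product. It assumes the encrypted-name shape seen in the single sample “7gFTGmukZM.b91c” (a 10-character alphanumeric stem and a 4-character lowercase-hex extension), treats the researchers’ “220.127.116.11/23” as the network 220.127.116.0/23, and runs over constructed file paths and flow records rather than real telemetry.

```python
import re
import ipaddress
from collections import defaultdict

# Encrypted-name pattern inferred from the one sample name in the article,
# "7gFTGmukZM.b91c": 10 alphanumerics, then a 4-character lowercase-hex extension.
# That the extension is hex is an assumption drawn from that single sample.
ENCRYPTED_NAME = re.compile(r"^[A-Za-z0-9]{10}\.[0-9a-f]{4}$")
RANSOM_NOTE = "README.hta"

# The article quotes "220.127.116.11/23"; strict=False normalises it to 220.127.116.0/23.
BEACON_RANGE = ipaddress.ip_network("220.127.116.11/23", strict=False)


def scan_paths(paths, min_hits=5):
    """Return directories that hold README.hta plus at least `min_hits` files
    whose names match the encrypted-name pattern. Requiring both the note and
    a burst of renamed files keeps a lone coincidental "abcdefghij.beef" from firing."""
    by_dir = defaultdict(lambda: {"hits": 0, "note": False})
    for path in paths:
        directory, _, name = path.rpartition("/")
        if name == RANSOM_NOTE:
            by_dir[directory]["note"] = True
        elif ENCRYPTED_NAME.match(name):
            by_dir[directory]["hits"] += 1
    return sorted(d for d, s in by_dir.items() if s["note"] and s["hits"] >= min_hits)


def udp_beacons(flow_lines):
    """flow_lines: constructed records of the form 'PROTO SRC DST DPORT'.
    Return (src, dst) pairs for UDP flows whose destination falls in BEACON_RANGE.
    The destination port is not filtered because the article does not state one."""
    hits = []
    for line in flow_lines:
        proto, src, dst, _port = line.split()
        if proto.upper() != "UDP":
            continue
        if ipaddress.ip_address(dst) in BEACON_RANGE:
            hits.append((src, dst))
    return hits


# Constructed sample data: one directory showing a full "encrypted burst",
# one with only a couple of renamed files, and some benign decoys.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/7gFTGmukZM.b91c",
    "C:/Users/alice/Documents/Qk3pLm9zRa.0f2e",
    "C:/Users/alice/Documents/aB8cD9eF0g.c4a1",
    "C:/Users/alice/Documents/Zz1Yy2Xx3W.7d7d",
    "C:/Users/alice/Documents/LmNoPq1234.ab12",
    "C:/Users/alice/Documents/README.hta",
    "C:/Users/alice/Desktop/Ab12Cd34Ef.0001",
    "C:/Users/alice/Desktop/Gh56Ij78Kl.ffff",
    "C:/Users/alice/Desktop/README.hta",
    "C:/Users/alice/Pictures/holiday001.jpeg",   # 5-char extension: no match
    "C:/Users/alice/Downloads/4AgFiBy5no.cerber3",  # older static extension: no match
    "C:/Users/alice/Projects/myfile0001.json",   # 4-char but non-hex extension: no match
]

SAMPLE_FLOWS = [
    "UDP 10.0.0.5 220.127.116.200 6892",
    "UDP 10.0.0.5 220.127.117.3 6892",
    "TCP 10.0.0.5 220.127.116.11 443",   # TCP: ignored
    "UDP 10.0.0.9 8.8.8.8 53",           # outside the range
    "UDP 10.0.0.5 220.127.118.1 6892",   # just past the /23
]

if __name__ == "__main__":
    print("Directories with Cerber-style burst:", scan_paths(SAMPLE_PATHS))
    print("UDP beacons to quoted range:", udp_beacons(SAMPLE_FLOWS))
```

The file-name check is deliberately weak on its own: a ten-character stem with a four-hex-character extension is not unique to Cerber, so the directory heuristic also demands the README.hta note and a minimum count of renamed files, which is what a file-server or EDR watcher would actually alert on. The flow check is the more reliable of the two, since outbound UDP to a fixed foreign /23 from a workstation that has no business with it is easy to baseline.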