The latest version of Cerber Ransomware 4.1.0 shows its number in the ransom note used as a Windows desktop background. The only way to determine the version number of Cerber before, was to examine the extension appended to the encrypted files. Presently, this information is available in the ransom note on the desktop.
The new version of Cerber ransomware keeps using an extension for encrypted files which is based off of the computer’s MachineGuid value of the HKLM\Software\Microsoft\Cryptography registry key. As Fortinet claims:
“Cerber marks encrypted files with a specific extension. In previous versions (Cerber 2 and 3), encrypted files were marked with .cerber2 and .cerber3, respectively. For this version, encrypted files are marked with a four-character extension. This four-character extension is the fourth segment of the “MachineGuid” value of the HKLM\Software\Microsoft\Cryptography registry key. For instance, the file extension will be AAAA if the MachineGuid value is xxxxxxxx-xxxx-xxxx-AAAA-xxxxxxxxxxxx.”
Despite the fact that the main ransom note continues to be displayed in a HTA file called Readme.hta, there are some other differences going on in the background. For instance, the most recent versions of Cerber switched to a new range of IP address which it will send UDP packets for statistical purposes. This range is 194.165.16.0/22.
Also, in the latest version of the ransomware there is a HTTP request being performed to a Bitcoin block chain explorer at: http://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1478029284382. This URL will return a JSON document containing transaction information for the 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt bitcoin address.
