The Cerber Ransomware Returns with an Improved Version 2

The Trend Micro security researcher, Panicall, has recently discovered that the Cerber Ransomware has returned with a new better and improved version. Cerber 2 has been differently programmed and victims have notice a few pretty apparent changes in its behavior as well.

The most obvious change is that instead of the former “.Cerber” extension, this new version appends the “.Cerber2” extension at the end of all encrypted files.

Also, this Cerber2 version no longer has the flaw which allowed the Trend Micro’s Cerber Decryptor to possibly recover encrypted data. Furthermore, the installers of the new Cerber2 variant are using an icon from the kids` game Anka as a disguise.

The new background of Cerber2 Ransomware is different as well. Now it looks like a pixelated screen and displays the following message:

Your documents, photos, databases, and other important files have been encrypted! If you understand the importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.”

cerber2 ransom note background
Cerber V2 New Background.
Image credit: Bleepingcomputer.com

And below the crooks have listed a number of temporary addresses for the victims` personal pages.

Cerber2 ransomware has e couple of internal changes as well. The first and most important one, according to Panicall, is that the new version couldn’t be easily detected and analyzed due to a packer it uses.

Moreover, Cerber2 has changed its encryption technique and is currently using the Microsoft API CryptGenRandom for the generation of the decryption key. The key now is 32 bytes not 16 bytes as it used to be and that’s why the Trend’s Cerber Decryptor can`t be used for files encrypted by this version of Cerber.

Panicall has extracted and tested a sample of Cerber2 Ransomware: “When I tested the sample, the current IP range being used by Cerber v2 for statistics over UDP is 31.184.234.0/23.

4 thoughts on “The Cerber Ransomware Returns with an Improved Version 2”

  1. Hello,

    My name is andhika.
    my laptop and my eksternal drive were crypted by .cerber2
    can you give me some solution to restore my data?
    my system restore was not active and shadow explorer was not help at all.
    please I am beging you help me

    1. Hello Andhika,

      Unfortunately, there is no known decrypter for Cerber V2 (.cerber2 files). Please, visit our site on a regular basis to check if a removal guide is available.

      Thanks,
      Daniel

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.