The Trend Micro security researcher Panicall has recently discovered that the Cerber ransomware has returned in a new and improved version. Cerber 2 has been programmed differently, and victims have noticed a few fairly apparent changes in its behavior as well.
The most obvious change is that instead of the former “.Cerber” extension, this new version appends the “.Cerber2” extension at the end of all encrypted files.
Also, this Cerber2 version no longer has the flaw that allowed Trend Micro’s Cerber Decryptor to recover encrypted data. Furthermore, the installers of the new Cerber2 variant use an icon from the kids’ game Anka as a disguise.
The new background of the Cerber2 ransomware is different as well. It now looks like a pixelated screen and displays the following message:
“Your documents, photos, databases, and other important files have been encrypted! If you understand the importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.”
Below it, the crooks have listed a number of temporary addresses for the victims’ personal pages.
Cerber2 ransomware has a couple of internal changes as well. The first and most important, according to Panicall, is that the new version cannot be easily detected and analyzed because of the packer it uses.
Moreover, Cerber2 has changed its encryption technique and now uses the Microsoft API CryptGenRandom to generate the decryption key. The key is now 32 bytes instead of the former 16 bytes, which is why Trend Micro’s Cerber Decryptor can’t be used on files encrypted by this version of Cerber.
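Because this variant simply appends “.cerber2” to each encrypted file’s original name, an incident responder can inventory the damage from a file listing alone. The following triage helper is an added example written for this article, not code from Trend Micro or from the malware analysis; the sample paths and the per-directory alert threshold are constructed assumptions.

```python
import os
from collections import Counter

# Extension appended by the Cerber2 variant described in the article.
CERBER2_SUFFIX = ".cerber2"


def triage_paths(paths):
    """Identify Cerber2-encrypted files in a listing of paths.

    Returns (affected, per_dir):
      affected: dict mapping each encrypted path to its pre-encryption name,
                recovered by stripping the appended suffix (case-insensitive);
      per_dir:  Counter of encrypted files per directory, useful for seeing
                where the mass renaming happened.
    """
    affected = {}
    per_dir = Counter()
    for p in paths:
        if p.lower().endswith(CERBER2_SUFFIX):
            affected[p] = p[:-len(CERBER2_SUFFIX)]
            per_dir[os.path.dirname(p)] += 1
    return affected, per_dir


def likely_cerber2_incident(per_dir, threshold=3):
    """Return directories whose count of renamed files meets the threshold.

    Several renamed files in one directory is a stronger signal than a single
    stray hit; the threshold is an assumed tuning value, not from the article.
    """
    return sorted(d for d, n in per_dir.items() if n >= threshold)


# Constructed sample listing (hypothetical hosts, not real incident data).
SAMPLE_PATHS = [
    "/home/alice/docs/report.docx.cerber2",
    "/home/alice/docs/budget.xlsx.cerber2",
    "/home/alice/docs/notes.txt.CERBER2",
    "/home/alice/docs/readme.txt",
    "/home/alice/photos/trip.jpg.cerber2",
    "/home/alice/old/backup.zip.cerber",   # older ".cerber" variant, not matched
]

if __name__ == "__main__":
    affected, per_dir = triage_paths(SAMPLE_PATHS)
    for enc, orig in affected.items():
        print(f"{enc} <- {orig}")
    print("suspect directories:", likely_cerber2_incident(per_dir))
```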
Panicall has extracted and tested a sample of the Cerber2 ransomware: “When I tested the sample, the current IP range being used by Cerber v2 for statistics over UDP is 22.214.171.124/23.”