Cerber ranks among the top three ransomware families by infections in 2016, alongside Locky and CryptXXX. Its operators have earned that position through sustained development, most visibly through frequent updates. As anti-virus vendors keep adding detections, the malware that survives is the malware that its owners keep maintaining. The weapon of this war, for defenders and attackers alike, is the update: AV developers analyse the code of a malicious program and have their products flag it, and ransomware authors respond by modifying the program to evade detection.
Cerber has received monthly updates three times in a row
There is now an established release cadence for Cerber. A new version has appeared at the start of each of the past three months: the first major update, Cerber v2.0, came out in early August; Cerber v3.0 followed in early September; and its successor was spotted earlier this month.
The criminals behind the ransomware clearly mean business, and their work has become far more ambitious than it was at the outset. The first version of Cerber was released in early 2016 and received only minor updates for half a year. Now the program challenges security researchers on a monthly basis.
Cerber v4.0 is offered as Ransomware-as-a-Service (RaaS)
Digging through darknet forums, researchers have found that the latest version of Cerber comes with a new business model. The program is offered as Ransomware-as-a-Service (RaaS): affiliates distribute it and the developers take a cut, which gives them an additional source of income on top of their own campaigns.
Researcher Kafeine reported spotting advertisements for the ransomware on October 1, most of them on Russian-language websites. Copies of the advertisements, with translations, are reproduced at the end of this article.
What has changed in Cerber through this update?
A lot of effort has gone into Cerber v4.0. The ransom note has been redesigned. The extension the malware appends to encrypted files is now generated at random, so it differs from one victim to the next; identifying or blocking the family by a fixed extension, as was possible with earlier versions, no longer works. The operators use new payment accounts, and the note lists different Tor URLs.
A notable addition in Cerber v4.0 is the handling of databases. According to the advertisement, the malware terminates the running processes of all major database engines. A running database server holds its data files open and locked, so stopping the server releases those locks and lets the ransomware encrypt the database files along with everything else. The advertisement says nothing about exfiltrating database contents; the goal is to make sure the most valuable files on a server do not escape encryption.
Cerber v4.0 is spread by at least three malvertising clients
Trend Micro's research team has published a report on the distribution of Cerber v4.0, and the picture is not encouraging: three malvertising campaigns have been confirmed as sources of the ransomware.
The first client distributing Cerber v4.0 is the Magnitude exploit kit, operated by an unidentified private group. Magnitude's involvement is old news: its operators adopted Cerber long ago and have distributed no other ransomware since.
The second group running malvertising campaigns for Cerber v4.0 is PseudoDarkleech. These distributors previously pushed the CrypMIC and CryptXXX ransomware families before moving on to Cerber. They currently deliver it through the RIG exploit kit, having been observed using the Neutrino exploit kit in the past.
Neutrino, for its part, appears to have gone private, that is, it is no longer sold openly. This exploit kit is the third client for Cerber v4.0, although its campaigns are smaller than those of the other two.
Trend Micro advise users to keep backups of their files, as this is the only sure way to avoid losing important data. Their message to PC owners is the following: “Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 3-2-1 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.”
Cerber v4.0 ransomware advertisement on the dark web (original Russian with English translation):
Cerber Ransomware 4.0
FUD на топовых антивирусах (скантайм / рантайм) – FUD (fully undetectable) against the top antivirus products (scan-time / run-time)
Обход всех известных anti-ransomware программ – Bypasses all known anti-ransomware programs
Обход мониторинга активности (массовое изменение, обход ханипотов итд.) – Bypasses activity monitoring (mass file modification, honeypot evasion, etc.)
Обновленный морф – Updated morphing (polymorphic) engine
Синхронизация доменов через блокчейн (больше не важно забанили домен лендинга или нет) – Domain synchronisation via the blockchain (it no longer matters whether the landing domain has been banned)
Новые типы файлов для шифрования – New file types to encrypt
Рандомное расширение для шифрованных файлов, обновленный алгоритм шифрования – Random extension for encrypted files, updated encryption algorithm
Закрытие запущенных процессов всех топовых баз данных – Terminates the running processes of all top database engines
Новые инструкции на 13 языках + новый фон – New instructions in 13 languages + new background
Обновленный JS Loader – Updated JS loader
Работает 5 крипторов 7 дней в неделю – 5 crypters working 7 days a week
Новые onion домены и многое другое – New onion domains and much more.
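Two of the advertised behaviours, terminating database processes (described in the body of the article and in the advertisement) and the random per-victim extension on encrypted files, are visible on an endpoint as process and file activity regardless of how well the binary evades scan-time detection. The following detector is an added example written for this article, not code from the article's author, Trend Micro or the Cerber operators. It runs over a constructed list of telemetry events and flags a process that kills several database servers in a short window, or that renames many files to a single previously unseen extension. The event format, the database image names, the thresholds and the sample data are all assumptions for illustration; none of them are Cerber indicators taken from the page.

```python
"""Added example (not from the original article): behavioural detection of
the two ransomware traits described above, run over constructed telemetry.
Event schema, database process names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumption: image names that common database servers run under on Windows.
DB_PROCESSES = {"sqlservr.exe", "mysqld.exe", "oracle.exe", "postgres.exe", "mongod.exe"}
# Assumed thresholds; tune them to the environment being monitored.
DB_KILL_THRESHOLD = 3      # distinct DB servers killed by one process
RENAME_THRESHOLD = 20      # files renamed to one extension by one process
WINDOW_SECONDS = 60.0


@dataclass
class Event:
    ts: float      # seconds since epoch (constructed)
    pid: int       # acting process
    kind: str      # "kill" (process termination) or "rename" (file rename)
    target: str    # killed image name, or the file's new path after rename


def _extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events: List[Event]) -> Dict[int, List[str]]:
    """Return {pid: [finding, ...]} for processes whose behaviour crosses a threshold.

    A random extension differs between victims, so a static extension list is
    useless; but on one host every encrypted file gets the same extension, so
    clustering renames by their new extension still exposes the burst."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    findings: Dict[int, List[str]] = defaultdict(list)
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)

        # Trait 1: one process terminating several database servers quickly.
        kills = [e for e in evs if e.kind == "kill" and e.target.lower() in DB_PROCESSES]
        for e in kills:
            recent = {k.target.lower() for k in kills if e.ts - WINDOW_SECONDS <= k.ts <= e.ts}
            if len(recent) >= DB_KILL_THRESHOLD:
                findings[pid].append(
                    f"terminated {len(recent)} database processes within {WINDOW_SECONDS:.0f}s")
                break

        # Trait 2: mass renames to one extension (the per-victim random suffix).
        by_ext: Dict[str, List[Event]] = defaultdict(list)
        for r in (e for e in evs if e.kind == "rename"):
            by_ext[_extension(r.target)].append(r)
        for ext, rs in by_ext.items():
            for e in rs:
                n = sum(1 for r in rs if e.ts - WINDOW_SECONDS <= r.ts <= e.ts)
                if n >= RENAME_THRESHOLD:
                    findings[pid].append(f"renamed {n} files to .{ext} within {WINDOW_SECONDS:.0f}s")
                    break
    return dict(findings)


# Constructed telemetry: pid 4242 behaves like the advertised ransomware;
# pid 900 is a legitimate maintenance job that stops one DB and renames two files.
SAMPLE_EVENTS = (
    [Event(1000.0, 4242, "kill", "sqlservr.exe"),
     Event(1000.5, 4242, "kill", "mysqld.exe"),
     Event(1001.0, 4242, "kill", "oracle.exe")]
    + [Event(1002.0 + i * 0.1, 4242, "rename", f"C:\\Users\\bob\\Documents\\report{i}.a8f3")
       for i in range(25)]
    + [Event(1000.0, 900, "kill", "sqlservr.exe"),
       Event(1005.0, 900, "rename", "C:\\Backups\\db.bak"),
       Event(1006.0, 900, "rename", "C:\\Backups\\db2.bak")]
)

if __name__ == "__main__":
    for pid, notes in detect(SAMPLE_EVENTS).items():
        for note in notes:
            print(f"pid {pid}: {note}")
```

The database check is deliberately keyed on distinct servers rather than raw kill counts, because a backup or patch job legitimately stops one engine; a process stopping SQL Server, MySQL and Oracle in the same minute is the pattern the advertisement describes. Both checks are blind to a very slow encryptor, so in production they belong alongside canary files, which the same advertisement claims to evade and which should therefore not be the only control.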