A Look into Cerber 4.1.0

In Cerber 2 and 3, encrypted files were "signed" with the .cerber2 and .cerber3 extensions. Cerber 4.1.0 instead appends a four-character extension to each encrypted file. Fortinet security researchers explain that this extension is the fourth segment of the MachineGuid value stored under the HKLM\Software\Microsoft\Cryptography registry key, which means the extension is different on every infected machine. The ransomware still drops the README.hta file, just like the original version; it contains instructions on how to pay the ransom, and it is where the criminals inform the victim that their files have been encrypted by Cerber Ransomware 4.1.0. As always, the ransomware also changes the wallpaper of the compromised system. In previous versions, the extension corresponded to the version number; in 4.1.0 there is no fixed extension, as explained above.

Several days ago, on October 26, researchers at MalwareTrafficAnalysis reported that the pseudoDarkleech Rig exploit kit campaign was distributing Cerber. Other researchers have also observed the pseudoDarkleech campaign spreading Cerber. Notably, this campaign had previously distributed the CrypMIC ransomware.
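Because the 4.1.0 extension is derived from the host's MachineGuid, a detection rule keyed on a fixed string such as .cerber3 no longer works; instead, a responder derives the expected extension from the machine itself and looks for files carrying it. The script below is an added example written for this article, not Cerber's code or Fortinet's tooling. It assumes, as the article describes, that the extension is the fourth hyphen-separated segment of MachineGuid used as-is; the GUID and file paths are constructed samples, and the winreg read is only attempted on Windows.

```python
"""Derive the per-machine Cerber 4.1.0 extension from MachineGuid and flag
files that carry it.  Added example; assumption: extension == fourth segment
of MachineGuid (the article's description of Fortinet's finding for 4.1.0)."""
import ntpath
import re
import sys
from typing import Iterable, List

# Constructed sample MachineGuid (not a real machine's value).  On a live
# Windows host the value lives under HKLM\SOFTWARE\Microsoft\Cryptography.
SAMPLE_MACHINE_GUID = "5a9f1c3e-7b2d-4e8a-a1b2-0c9d8e7f6a5b"

# Constructed sample file listing, as a triage script might collect it.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.a1b2",   # encrypted by this host's Cerber
    r"C:\Users\alice\Pictures\holiday.jpg.A1B2",    # same, NTFS is case-insensitive
    r"C:\Users\alice\Documents\README.hta",         # ransom note, not an encrypted file
    r"C:\Users\alice\Documents\notes.txt",          # untouched
    r"C:\Users\alice\Downloads\sample.cerber3",     # older Cerber 3 extension
    r"C:\Users\alice\a1b2\report.pdf",              # segment in a folder name, not an extension
]

_GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def cerber_extension(machine_guid: str) -> str:
    """Return the extension Cerber 4.1.0 would append on this machine, e.g. ".a1b2".

    Accepts the value with or without surrounding braces and in either case;
    the returned extension is normalised to lowercase hex.
    """
    guid = machine_guid.strip().strip("{}")
    if not _GUID_RE.match(guid):
        raise ValueError(f"not a GUID: {machine_guid!r}")
    return "." + guid.split("-")[3].lower()


def read_machine_guid_windows() -> str:
    """Read the live MachineGuid from the registry (Windows only; uses stdlib winreg)."""
    import winreg  # only importable on Windows
    key_path = r"SOFTWARE\Microsoft\Cryptography"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
    return value


def find_encrypted(paths: Iterable[str], ext: str) -> List[str]:
    """Return the paths whose final extension equals the derived Cerber extension.

    ntpath is used so Windows-style paths are split correctly even when this
    runs on a non-Windows analysis box; comparison is case-insensitive.
    """
    ext = ext.lower()
    hits = []
    for p in paths:
        _, file_ext = ntpath.splitext(p)
        if file_ext.lower() == ext:
            hits.append(p)
    return hits


if __name__ == "__main__":
    # On Windows use the real MachineGuid; elsewhere fall back to the sample so
    # the script still demonstrates the derivation offline.
    guid = read_machine_guid_windows() if sys.platform == "win32" else SAMPLE_MACHINE_GUID
    ext = cerber_extension(guid)
    print(f"expected Cerber 4.1.0 extension for MachineGuid {guid}: {ext}")
    for hit in find_encrypted(SAMPLE_PATHS, ext):
        print("suspected encrypted file:", hit)
```

On a real host, pair the extension match with the other indicators the article lists (README.hta in the same folders, the changed wallpaper naming 4.1.0) before concluding; the derivation applies only to what has been reported for 4.1.0, and whether 4.1.1 uses the same scheme is still under investigation.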
What about Cerber 4.1.1?

We know Cerber 4.1.1 exists because the ransomware displays its version number the same way 4.1.0 does, on the victim's modified wallpaper. Researchers are still investigating it. This uptick in Cerber campaigns is a clear indication that this particular ransomware will not stop evolving anytime soon: its authors are constantly improving its code, implementing new features and updating old ones. Users who have fallen victim to either of the updated versions should remove the ransomware from their systems immediately and look for file-restoration options other than paying the ransom. Paying the ransom is never a good option. Instead of ending up with your files locked away by ransomware, invest in appropriate security solutions and data backup software. This should be every user's mantra against encrypting viruses, and any malware really. To find out more about ransomware, click here.