Skip to content ↓ | Skip to navigation ↓

For the ancient Greeks, Cerberus was a multi-headed dog guarding the gates of the underworld. Its duty was to not let any dead soul exit the kingdom of the dead.

Perhaps it’s not a coincidence that cybercriminals chose this dreadful creature as the foundation of the ransomware monster known as Cerber. Nobody wants to see Cerber ransomware encrypt their personal data but infections happen more often than we want.

Unfortunately, Cerber is now leveraging two updates – outlined by researchers as 4.1.0 and 4.1.1 – to continue to prey on unsuspecting users.

Hold on, when did Cerber 4 exactly happen?

The fourth version of the crypto-menace was never officially called “Cerber 4,” meaning that its authors never really acknowledged it like that. Security researchers dubbed the updated ransomware its fourth edition, as this is the easiest way to separate versions. Things get even more complicated, as other researchers have counted that the fourth version is actually the fifth one. Nonetheless, the latest update of Cerber is now officially called Cerber 4.1.0, and the version number is visible on the modified wallpaper of a compromised system. No doubt here.

A Look into 4.1.0 Cerber

In Cerber 2 and 3, the ransomware extensions of encrypted files were “signed” with .cerber2 and .cerber3. In Cerber 4.1.0, a four-character extension is appended to encrypted files. Fortinet security researchers explain that this extension is the fourth segment of the “MachineGuid” value of the HKLM\Software\Microsoft\Cryptography registry key.

The ransomware still employs the README.hta file, just like in the original version. It contains instructions for the victim on how to pay the ransom. This is where cybercriminals are acknowledging the victim that their files have been encrypted specifically by Cerber Ransomware 4.1.0.

As always, the ransomware changes the wallpaper of the compromised system. In previous versions, Cerber extensions corresponded to the number of the version. Now in 4.1.0, there is no fixed file extension, as explained above.

Several days ago, on October 26, researchers at MalwareTrafficAnalysis reported that pseudoDarkleech Rig exploit kit was distributing the Cerber ransomware.

Other researchers have also observed the pseudoDarkleech campaign spreading Cerber. Interestingly, this exploit kit campaign has previously distributed the CrypMIC rasomware.

What about Cerber 4.1.1?

We know that Cerber 4.1.1 is a fact because the ransomware displays the version number the same way as in 4.1.0 – on the victim’s modified wallpaper. Researchers are still investigating.

This uptick in Cerber campaigns is a clear indication that this particular ransomware will not stop evolving anytime soon. Its authors are constantly improving its code, implementing new features and updating old ones.

Infected users who have fallen victim to either of the updated versions should immediately eliminate the ransomware from their systems and seek alternative methods in regards to file restoration aside from paying the ransom.

Indeed, paying the ransom is never a good option. Instead of reaching the dead-end street of having your files shuttered by ransomware, always remember to invest in appropriate security solutions and data backup software. This should be every user’s mantra against encrypting viruses and any malware really.

To find out more about ransomware, click here.


Milena DimitrovaAbout the Author: Milena Dimitrova is an inspired writer for who enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malicious software, she strongly believes that passwords should be changed more often than opinions. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.