The updated Cerber virus opens a door for data recovery, primarily targets Office documents
Cerber ransomware[1] has been evolving rapidly and attacking computer users in numerous different ways over the last year. We have seen over eight different versions[2] of this virus, but its latest versions differ completely from the previous ones, and the differences appear to be quite favorable to the victim. The most evident and surprising change in the virus' code is that it leaves Volume Shadow Copies on the computer system[3], and these can be used to recover at least a small part of the corrupted files. What is more, the new Cerber virus is set to encrypt certain files first: according to the few malware samples we have tested, the ransomware encodes Bitcoin files and Microsoft Office documents before moving on to the rest of its target files. The latest Cerber variants are also meant to encrypt the system faster, because they skip some default system folders, including Sample Music, Pictures, Videos, Program Files, and others. The authors of the ransomware have also decided that some of the previously targeted file types are no longer worth the effort and removed them from the target list. The new variants no longer encrypt these file types: .bat, .cmd, .msi, .msc, .hta, .dll, .exe, .cpl, .com, .pif, .scf, .sys, .scr. However, they extend the list of target file types with more than 50 new file extensions, so Cerber 5.0.1 can currently encrypt up to 500 different file types. This means that the virus hardly leaves any unencrypted records on the system, except of course those that do not fall into its target list.
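Because the shadow copies survive, a responder can pull pre-infection versions of files straight out of them. The following PowerShell snippet is an added example (not code from the original article): it lists the snapshots that remain for the affected volume, exposes the newest one through a directory link, and copies a single file back. `$OriginalPath` and `$MountPoint` are placeholders to adjust before use.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session on the
# affected machine. $OriginalPath and $MountPoint are placeholders; adjust them before use.
param(
    [string]$OriginalPath = 'C:\Users\victim\Documents\report.docx',  # placeholder: where the encrypted file lived
    [string]$MountPoint   = 'C:\shadow_mount'                          # placeholder: link that will expose the snapshot
)

# Resolve the volume GUID of the drive that held the file (Win32_ShadowCopy.VolumeName uses this form).
$drive      = Split-Path -Qualifier $OriginalPath                       # e.g. 'C:'
$volumeGuid = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$drive'").DeviceID

# Enumerate snapshots that survived the infection, newest first, restricted to that volume.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeGuid } |
    Sort-Object -Property InstallDate -Descending)

if ($shadows.Count -eq 0) {
    Write-Warning "No Volume Shadow Copies found for $drive; snapshot-based recovery is not possible."
    return
}
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# The newest snapshot is the best starting point; if it already holds encrypted copies,
# re-run with an older entry from the table above.
$device = $shadows[0].DeviceObject + '\'   # the trailing backslash is required by mklink

# Expose the read-only snapshot through a directory symbolic link.
cmd.exe /c mklink /d "$MountPoint" "$device" | Out-Null

try {
    $relative  = Split-Path -NoQualifier $OriginalPath                  # '\Users\victim\Documents\report.docx'
    $source    = Join-Path -Path $MountPoint -ChildPath $relative
    $recovered = "$OriginalPath.recovered"

    if (Test-Path -LiteralPath $source) {
        Copy-Item -LiteralPath $source -Destination $recovered
        Write-Output "Recovered copy written to $recovered (from snapshot $($shadows[0].InstallDate))."
    } else {
        Write-Warning "File not present in the newest snapshot; try an older one."
    }
}
finally {
    # Remove only the link, never the snapshot contents.
    cmd.exe /c rmdir "$MountPoint" | Out-Null
}
```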
The actors behind the Cerber ransomware project do not seem to care about the holiday season; most likely they see it as an opportunity to extort more ransoms. Currently, the criminals deceive victims by sending them fake credit card reports[4] that contain a malicious script, and they are also actively pushing the virus via exploit kits (RIG, Angler, and others) and via malware-laden ads and websites (mostly those that are part of the Pseudo Darkleech campaign[5]). Reportedly, the Cerber operators manage to inject malicious scripts (the Nemucod downloader) even into legitimate websites, and these scripts are designed to redirect the user automatically to the Cerber gateway, publicly known as Pseudo Darkleech. To put it simply, this combination of malicious tools silently transfers the malware to an unsuspecting victim's computer while he or she browses the Internet. The user is easily infected when the web browser he or she uses is outdated and lacks the necessary security updates.
Finally, users should also be aware of holiday-themed email spam campaigns. Although such a scamming method might seem shallow and crude, it is surprisingly effective. We would like to warn you not to open any e-cards, letters, or other email attachments, or any links provided in the message, if you have nothing in common with its sender. Use anti-malware software for an extra layer of protection against ransomware, and of course, secure your records in advance by creating a backup of them.
[1] Nick Biasini, Edmund Brumaghin. Cerber Spam: Tor All the Things! Cisco Talos Blog.
[2] Ugnius Kiguolis. Cerber virus. How to Remove? (Uninstall Guide). 2-Spyware.
[3] No slowdown in Cerber ransomware activity as 2016 draws to a close. Microsoft TechNet Blogs.
[4] Hyacinth Mascarenhas. Microsoft cautions holiday shoppers about fake credit card emails carrying Cerber ransomware. International Business Times.
[5] Denis Sinegubko. Website Malware – Evolution of Pseudo Darkleech. Sucuri Blog.