The updated Cerber virus opens a door for data recovery, primarily targets Office documents

Cerber ransomware[1] has been rapidly evolving and attacking computer users in numerous different ways over the last year. We have seen over eight different versions[2] of this virus, however, its latest versions completely differ from the previous ones, and these differences appear to be quite favorable to the victim. The most evident and shocking change in virus’ code allows Volume Shadow Copies stay on the computer system[3], and these can be used to recover at least a small part of corrupted files. What is more, the new Cerber virus is set to encrypt certain files firstly, and according to a few malware samples that we have tested, it seems that the ransomware encodes Bitcoin files and also Microsoft Office documents, and only then it heads over to the rest of target files. Besides, the latest Cerber variants are meant to encrypt the system faster, because it skips some default system folders, including Sample Music, Pictures, Videos, Program Files, and others. Authors of the ransomware have also decided that some of the previously targeted file types are no longer topical and removed them from a target file list. The new ransomware variants no longer encrypt these file types: .bat, .cmd, .msi, .msc, .hta, .dll, .exe, .cpl, .com, .pif, .scf, .sys, .scr. However, it augmented the list of target file types with more than 50 new file extensions, so currently, Cerber 5.0.1 can encrypt up to 500 different file types. It means that the virus hardly leaves any unencrypted records on the system, of course, except those that do not fall into its target list.

New Cerber virus spreads rapidly

Actors behind Cerber ransomware project do not seem to care about the holiday season – most likely they see it as an opportunity to extort more ransoms. Currently, the criminals deceive victims by delivering them fake credit card reports[4] that contain a malicious script and also actively pushing this virus via exploit kits (RIG, Angler, and others) also via malware-laden ads and websites (mostly those that are part of Pseudo Darkleech campaign[5]). Reportedly, Cerber ransomware manages to inject malicious scripts (Nemucod downloader) even into legitimate websites, and these scripts are designed to automatically redirect the user to Cerber gateway, publicly known as Pseudo Darkleech. To put it simply, a combination of these malicious tools help to transfer malware to unsuspecting victim’s computer silently as he/she browses the Internet. The user can be easily infected in case web browsers that he or she uses are old and lack necessary security updates.

Finally, users should also be aware of holiday-themed email spam campaigns. Although such scamming method might seem shallow and vapid, surprisingly, it is very effective. We would like to warn you not to open any e-cards, letters, or other email attachments as well as links provided in the message if you have nothing in common with its sender. Use an anti-malware software for an extra layer of protection against ransomware, and of course, secure your records in advance by creating a backup of them.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions