New Ransomware Version Releases

Wednesday, September 7, 2016 @ 03:09 PM gHale


A new version of the Cerber ransomware is being delivered by the Magnitude and RIG exploit kits, researchers said.

Researchers discovered the new variant, Cerber 3.0, as part of a malvertising campaign that has been going on for months. Mostly unchanged from previous versions, Cerber 3.0 appends a different extension to the encrypted files and drops a new ransom note, said researchers at TrendMicro.

Cerber 3.0 emerged recently as the payload in a malvertising campaign that has been running for months and which affects users all around the world, TrendMicro researchers said. The ransomware is mainly focused on Taiwan.

As part of this campaign, users receive a malicious ad in a pop-up window after they click a video, and they end up redirected to the exploit kit’s landing page.

Magnitude uses a simple redirect script for the job, but RIG opens a background website that displays a screenshot of a legitimate U.S. clothing shopping site in an attempt to make the ad look less suspicious.

After infiltrating users’ computers, Magnitude and RIG drop Cerber 3.0, TrendMicro researchers said.

Once on the infected machine, Cerber starts encrypting files and appends the .cerber3 extension to them. After completing this operation, the ransomware looks for shadow copies and deletes them as well, to prevent users from restoring their files using this feature.
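For defenders, the .cerber3 extension described above gives a simple host-level signal. The following Python sketch is an added example, not code from TrendMicro or the original article: it flags hosts where several files gain the extension within a short window. The event format, host names, threshold and window are assumptions, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file events (hypothetical format): time, host, action, resulting path.
SAMPLE_EVENTS = r"""
2016-09-07T10:00:01 WS-01 RENAME C:\Users\amy\Documents\q3 budget.xlsx.cerber3
2016-09-07T10:00:02 WS-01 RENAME C:\Users\amy\Documents\notes.txt.cerber3
2016-09-07T10:00:03 WS-02 RENAME C:\Users\bob\Desktop\draft-final.docx
2016-09-07T10:00:04 WS-01 RENAME C:\Users\amy\Pictures\trip.jpg.cerber3
2016-09-07T10:00:05 WS-02 RENAME C:\Users\bob\Desktop\sample.cerber3
2016-09-07T10:15:00 WS-02 RENAME C:\Users\bob\Desktop\other.cerber3
2016-09-07T10:15:01 WS-01 CREATE C:\Users\amy\Documents\readme.txt
"""

def find_encryption_bursts(lines, ext=".cerber3", threshold=3,
                           window=timedelta(seconds=60)):
    """Return {host: time the threshold was first reached} for hosts where at
    least `threshold` files were renamed to end in `ext` within `window`."""
    recent = defaultdict(deque)   # host -> timestamps of matching renames in the window
    alerts = {}
    for line in lines:
        parts = line.split(None, 3)          # the path may contain spaces
        if len(parts) != 4:
            continue                         # skip blank or malformed lines
        ts_raw, host, action, path = parts
        if action != "RENAME" or not path.lower().endswith(ext):
            continue
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue                         # skip unparseable timestamps
        seen = recent[host]
        seen.append(ts)
        while ts - seen[0] > window:         # drop renames older than the window
            seen.popleft()
        if len(seen) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, when in find_encryption_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: burst of .cerber3 renames at {when.isoformat()}")
```

A host flagged this way should be isolated first; because the ransomware also deletes shadow copies, recovery has to come from offline backups.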

Just like the initial version of the ransomware, Cerber plays an audio file to inform users their files have been encrypted. The initial ransom note’s wording is essentially unchanged from the previous versions, and users are even offered a discount, just as before.