Trend Micro researchers have discovered an attack campaign that distributes Cerber 4.0 ransomware, the newest iteration of the malware.
The Cerber 4.0 Ransomware Is the Latest Version of the Popular Malware
The Cerber 4.0 ransomware was identified by Trend Micro in a series of attacks against various targets.
The discovered new version has changed the ransom note to the HTA extension instead of the original HTML version. And now instead of the “.cerber3” extension the victim files are renamed using random strings made with a generator that’s built-in in the ransomware code. According to the sources here are the newest additions to the Cerber code:
- FUD Antivirus feature
- Activity monitoring bypass
- Evades detection of all anti spyware programs
- Always active
- Added new instructions in 13 languages and a new background image
- Synchronization via the domain blockchain
- Adds random extensions to the victim files
- Updated encryption algorithm
- New target file name extensions
- Closes all running databases
- Updated JS Loader
- New TOR Onion domain
One of the campaigns that host the new versions of Cerber is known as PseudoDarkleech which mostly delivers various types of ransomware through hacked sites.
Two other malvertising advertising also spread the Cerber 4.0 ransomware. One of them uses the Magnitude exploit kit which has been used for previous versions of the ransomware.
Another campaign uses a casino-themed counterfeit ad that hosts the new payload as well. We are yet to see how far will the new Cerber code spread. It is very likely to spot other means of infection including spam email campaigns, so computer users should be extremely careful. If all of the new features are integrated in the Cerber 4.0 ransomware, then it would prove to be a really dangerous threat.