Cerber Ransomware 4.1.0 was released recently that now displays its version number in the ransom note used as the Windows desktop background. In the past the only way to determine the version of the installer Cerber variant was to examine the extension appended to encrypted files.  Now this information is readily available in the ransom note as seen below.

Update 11/1/16: Soon after publishing this article, it was discovered that version 4.1.1 of Cerber was released

Version in the Wallpaper
Cerber Version in the Wallpaper

Like the previous version we wrote about in early October, this version continues to use an extension for encrypted files that is based off of the computer's MachineGuid value of the HKLM\Software\Microsoft\Cryptography registry key. According to Fortinet:

Cerber marks encrypted files with a specific extension. In previous versions (Cerber 2 and 3), encrypted files were marked with .cerber2 and .cerber3, respectively.  For this version, encrypted files are marked with a four-character extension.  This four-character extension is the fourth segment of the “MachineGuid” value of the HKLM\Software\Microsoft\Cryptography registry key.  For instance, the file extension will be AAAA if the MachineGuid value is xxxxxxxx-xxxx-xxxx-AAAA-xxxxxxxxxxxx. 

While the main ransom note continues to be displayed in a HTA file called Readme.hta, there are some other differences going on in the background. For example, recent Cerber versions switched to a new range of IP address that it will send UDP packets for statistical purposes. This range is

Cerber Statistics Range
Cerber Statistics UDP Packets

Finally, in this version I have noticed a HTTP request being performed to a Bitcoin block chain explorer at http://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1478029284382. This URL will return a JSON document containing transaction information for the 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt bitcoin address.

A small snippet of the returned information is seen below.


It is currently unknown what the purpose for this request is.

Related Articles:

Romanian Woman Admits Involvement in Hacking Attack On Washington Police Computers

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

Fake Elon Musk Twitter Bitcoin Scam Earned 180K in One Day

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More