Cerber Ransomware 4.1.0 was released recently that now displays its version number in the ransom note used as the Windows desktop background. In the past the only way to determine the version of the installer Cerber variant was to examine the extension appended to encrypted files.  Now this information is readily available in the ransom note as seen below.

Update 11/1/16: Soon after publishing this article, it was discovered that version 4.1.1 of Cerber was released

Version in the Wallpaper
Cerber Version in the Wallpaper

Like the previous version we wrote about in early October, this version continues to use an extension for encrypted files that is based off of the computer's MachineGuid value of the HKLM\Software\Microsoft\Cryptography registry key. According to Fortinet:

Cerber marks encrypted files with a specific extension. In previous versions (Cerber 2 and 3), encrypted files were marked with .cerber2 and .cerber3, respectively.  For this version, encrypted files are marked with a four-character extension.  This four-character extension is the fourth segment of the “MachineGuid” value of the HKLM\Software\Microsoft\Cryptography registry key.  For instance, the file extension will be AAAA if the MachineGuid value is xxxxxxxx-xxxx-xxxx-AAAA-xxxxxxxxxxxx. 

While the main ransom note continues to be displayed in a HTA file called Readme.hta, there are some other differences going on in the background. For example, recent Cerber versions switched to a new range of IP address that it will send UDP packets for statistical purposes. This range is

Cerber Statistics Range
Cerber Statistics UDP Packets

Finally, in this version I have noticed a HTTP request being performed to a Bitcoin block chain explorer at http://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1478029284382. This URL will return a JSON document containing transaction information for the 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt bitcoin address.

A small snippet of the returned information is seen below.


It is currently unknown what the purpose for this request is.

Related Articles:

Magniber Ransomware Expands From South Korea to Target Other Asian Countries

The Week in Ransomware - July 13th 2018 - CoinVault Court Case & More

CoinVault Ransomware Authors Have Their Day in Court in the Netherlands

Cass Regional Medical Center Hit With Unidentified Ransomware

The Week in Ransomware - July 6th 2018 - Nozelesn & GandCrab V4