Cerber 5.0 has been spotted by security researcher Bryan Campbell being distributed via RIG-V exploit kits. These exploit kits allow the ransomware to be installed on a victim's computer without their knowledge when they browse to a compromised web site or possibly through malvertising. I am sure Cerber 5.0 is also being distributed via email campaigns, but at this time I do not have a sample of these emails.

Update 11/24/16 1:14PM EST: Marcelo Rivero has told me that Cerber 5.0.1 has already been spotted. 

Once installed, Cerber 5.0 will encrypt the victim's data and then demand a ransom payment in bitcoins to decrypt the files.

Cerber 5.0 Ransom Note
Cerber 5.0 Ransom Note

According to Cerber security researcher BloodDolly, the main changes in version 5.0 are the following:

  • The ransomware will now skip 640 bytes, compared to 512 bytes in previous versions, when encrypting a file.
  • The minimum file size that Cerber will encrypt a file is now 2,560 bytes, compared to 1,024 bytes in previous versions. This means that any file that is smaller than 2,560 bytes will not be encrypted.

There were also some changes in the IP ranges used to send statistical UDP packets. These ranges are: 63.55.11.0/2715.93.12.0/27194.165.16.0/22.

Cerber UDP Packets
Cerber UDP Packets

Network Communication:

63.55.11.0/27
15.93.12.0/27
194.165.16.0/22

 

Related Articles:

Russia arrests cybercriminal Wazawaka for ties with ransomware gangs

Bologna FC confirms data breach after RansomHub ransomware attack

Helldown ransomware exploits Zyxel VPN flaw to breach networks

Blue Yonder ransomware attack disrupts grocery store supply chain

CISA says BianLian ransomware now focuses only on data theft