In just one day, the developers behind the Cerber Ransomware have made changes that blocked Check Point Software from decrypting Cerber victim's for free.  At the same time, the Cerber devs have added a captcha to their payment system in order to login. This captcha would make it so that services could not automate the exploitation of flaws on their servers.

Unfortunately, this means that visitors to the CerberDecrypt.com site will no longer be greeted with a helpful form allowing them to get their decryption key, but rather a message stating that the service is no longer available.

Message on CerberDecrypt.com
Message greeting visitors to CerberDecrypt.com

When Check Point announced that they were able to decrypt Cerber versions 1 and 2, it was widely assumed that they were able to get their hands on the Master Decryption Key.  It appears that we were wrong and that their method was most likely a vulnerability that was being exploited in the ransomware's Command & Control Server.

I decided to take a look at Cerber's payment site to see if there were any changes or messages from the developer and noticed a new Captcha system. The captcha system is filled with what appears to be hand drawn faces, where you have to select the matching faces. When I tested it, there were three stages that you had to complete before you would be verified.

The Cerber captcha system can be seen below.

Cerber Captcha
Cerber Captcha

With the new captcha being added today, I would hazard a guess that it may have been implemented to prevent Check Point's automated service.  That also makes me wonder if the flaw is still accessible and being prevented by the captcha or is this just an additional security measure. Unfortunately, as Check Point has not disclosed the vulnerability they were using, only they can verify this.