In just one day, the developers behind the Cerber Ransomware have made changes that blocked Check Point Software from decrypting Cerber victims' files for free. At the same time, the Cerber devs have added a captcha that must be completed in order to log in to their payment system. This captcha would make it so that services could not automate the exploitation of flaws on their servers.

Unfortunately, this means that visitors to the site will no longer be greeted with a helpful form allowing them to get their decryption key, but rather a message stating that the service is no longer available.

[Image: Message greeting visitors to the site]

When Check Point announced that they were able to decrypt Cerber versions 1 and 2, it was widely assumed that they were able to get their hands on the Master Decryption Key.  It appears that we were wrong and that their method was most likely a vulnerability that was being exploited in the ransomware's Command & Control Server.

I decided to take a look at Cerber's payment site to see if there were any changes or messages from the developer and noticed a new captcha system. The captcha system is filled with what appear to be hand-drawn faces, where you have to select the matching faces. When I tested it, there were three stages that you had to complete before you would be verified.

The Cerber captcha system can be seen below.

[Image: Cerber Captcha]

With the new captcha being added today, I would hazard a guess that it may have been implemented to prevent Check Point's automated service. That also makes me wonder whether the flaw is still accessible and being prevented by the captcha, or whether this is just an additional security measure. Unfortunately, as Check Point has not disclosed the vulnerability they were using, only they can verify this.
