Late last week, a new version of Cerber Ransomware was released that included some new features. The most notable change is the switch from the static .Cerber3 extension for encrypted files to a random 4 character extension, the use of a HTA file as the ransom note, and the termination of various database processes before encryption.

With this version, when a victim's files are encrypted, not only will the filename be scrambled, but the extension will be replaced as well.  This means that a file that was previously encrypted as 5NgPiSr5zo.cerber3, would now be encrypted to a name like 1xQHJgozZM.b71c.

This version also includes a new ransom note called README.hta. When launched, the ransom note will appear in an application Window and display the normal ransom note. An example of the README.hta file can be found below.

Readme.hta File
Readme.hta File

According to security researcher BloodDolly, this update also includes the addition of new database processes that are closed by the close_process directive in Cerber's configuration.  This directive tells Cerber to terminate certain processes before encryption begins. The directive and the current list of processes being terminated are:

 "close_process":
 {
  "close_process":1,
  "process":["msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe","oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe","agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe","agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe","ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"]
 },

These processes are closed in order to enable the processes's data files to be encrypted. If the processes are running during encryption, then the corresponding data files may not be accessible for encryption by Cerber.

Finally, this version of Cerber Ransomware continues to send UDP packets to the 31.184.234.0/23 range for statistical purposes. 

UDP Packets
UDP Packetsa

 

Related Articles:

The Week in Ransomware - July 20th 2018 - Developer's Vent, Ransomware Attacks, and More

King Ouroboros Ransomware Dev Vents to Researchers on Twitter

Vaccine Available for GandCrab Ransomware v4.1.2

The Week in Ransomware - July 13th 2018 - CoinVault Court Case & More

Magniber Ransomware Expands From South Korea to Target Other Asian Countries