Late last week, a new version of Cerber Ransomware was released that included some new features. The most notable changes are the switch from the static .Cerber3 extension for encrypted files to a random 4 character extension, the use of an HTA file as the ransom note, and the termination of various database processes before encryption.
With this version, when a victim's files are encrypted, not only will the filename be scrambled, but the extension will be replaced as well. This means that a file that was previously encrypted as 5NgPiSr5zo.cerber3 would now be encrypted to a name like 1xQHJgozZM.b71c.
This version also includes a new ransom note called README.hta. When launched, the ransom note will appear in an application window and display the normal ransom note. An example of the README.hta file can be found below.
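The renaming pattern and ransom note name described above can be combined into a simple triage check over a file listing. This is an added example, not code from the original article; the 10-character stem and hex-only extension are assumptions inferred from the names quoted on this page, and the listing is constructed.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Assumed shape, inferred from names quoted on this page (1xQHJgozZM.b71c,
# 0ezTpYX-Vn.b6d3): 10-character stem, then a 4 hex-digit extension.
RENAMED = re.compile(r"^[A-Za-z0-9_-]{10}\.([0-9A-Fa-f]{4})$")
NOTE_NAME = "readme.hta"  # ransom note name given in the article

# Constructed file listing (not taken from a real system).
SAMPLE_LISTING = [
    r"C:\Users\ana\Documents\README.hta",
    r"C:\Users\ana\Documents\Qw3rTy7uIo.b71c",
    r"C:\Users\ana\Documents\aB9-kLm2Xz.b71c",
    r"C:\Users\ana\Documents\Zx8vBn4mKp.b71c",
    r"C:\Users\ana\Music\track_0001.face",  # matches the pattern, no note
    r"C:\Users\ana\Pictures\README.hta",    # note present, nothing renamed
    r"C:\Users\ana\Pictures\holiday.jpg",
]

def triage(paths, min_files=3):
    """Return {directory: extension} for directories that look encrypted.

    A directory is flagged only when it holds the ransom note and at least
    `min_files` renamed files that all share a single 4-character extension.
    """
    exts = defaultdict(Counter)
    has_note = set()
    for raw in paths:
        p = PureWindowsPath(raw)
        folder = str(p.parent).lower()
        if p.name.lower() == NOTE_NAME:
            has_note.add(folder)
            continue
        m = RENAMED.match(p.name)
        if m:
            exts[folder][m.group(1).lower()] += 1
    flagged = {}
    for folder, counter in exts.items():
        ext, count = counter.most_common(1)[0]
        if folder in has_note and len(counter) == 1 and count >= min_files:
            flagged[folder] = ext
    return flagged

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Requiring the note and a single shared extension keeps a lone file such as `track_0001.face` from being reported on its own.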

According to security researcher BloodDolly, this update also includes the addition of new database processes that are closed by the close_process directive in Cerber's configuration. This directive tells Cerber to terminate certain processes before encryption begins. The directive and the current list of processes being terminated are:
"close_process":
{
"close_process":1,
"process":["msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe","oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe","agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe","agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe","ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"]
},
These processes are closed in order to enable the processes' data files to be encrypted. If the processes are running during encryption, then the corresponding data files may not be accessible for encryption by Cerber.
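Because the listed processes are terminated together before encryption starts, several of them ending on one host within seconds is a signal worth alerting on. The following is an added example, not part of the original article; the event format, the 30-second window and the threshold of three are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Database-related names copied from the close_process list in the article.
WATCHED = {
    "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe",
    "sqlwriter.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe",
    "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "dbeng50.exe",
}

# Constructed process-termination events: "timestamp host image_name".
SAMPLE_EVENTS = """\
2016-01-01T02:00:00 db01 sqlservr.exe
2016-01-01T02:00:01 db01 sqlagent.exe
2016-01-01T02:00:01 db01 sqlwriter.exe
2016-01-01T02:00:02 db01 notepad.exe
2016-01-01T03:00:00 db02 mysqld.exe
2016-01-01T09:30:00 db02 sqlwriter.exe
2016-01-01T17:45:00 db02 sqlbrowser.exe
"""

def termination_bursts(event_text, window=timedelta(seconds=30), threshold=3):
    """Return {host: sorted process names} for hosts where at least
    `threshold` distinct watched processes ended within `window`."""
    per_host = defaultdict(list)
    for line in event_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, host, image = parts
        if image.lower() in WATCHED:
            per_host[host].append((datetime.fromisoformat(ts), image.lower()))
    bursts = {}
    for host, events in per_host.items():
        events.sort()
        # Slide a window forward from each event and count distinct names.
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= threshold:
                bursts[host] = sorted(names)
                break
    return bursts

if __name__ == "__main__":
    print(termination_bursts(SAMPLE_EVENTS))
```

Routine single-service restarts, like the spread-out events on `db02`, stay below the threshold.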
Finally, this version of Cerber Ransomware continues to send UDP packets to the 31.184.234.0/23 range for statistical purposes.
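The UDP range above can be matched against flow records to find internal hosts that have contacted it. This is an added example, not from the original article; the record format, source addresses and port are constructed, since the article names only the destination range.

```python
import ipaddress
from collections import defaultdict

# Destination range named in the article for Cerber's UDP statistics packets.
# A /23 spans two /24 blocks: 31.184.234.0 through 31.184.235.255.
CERBER_STATS_NET = ipaddress.ip_network("31.184.234.0/23")

# Constructed flow records: "timestamp src_ip dst_ip proto dst_port".
# Port 9999 is a placeholder; the article does not give a port.
SAMPLE_FLOWS = """\
2016-01-01T02:00:05 10.0.5.23 31.184.234.17 udp 9999
2016-01-01T02:00:05 10.0.5.23 31.184.235.200 udp 9999
2016-01-01T02:00:06 10.0.5.40 31.184.236.1 udp 9999
2016-01-01T02:00:07 10.0.5.40 31.184.234.9 tcp 443
2016-01-01T02:00:08 10.0.5.77 not-an-ip udp 9999
2016-01-01T02:00:09 10.0.5.77 31.184.235.255 udp 9999
"""

def hosts_contacting_range(flow_text, network=CERBER_STATS_NET):
    """Return {source_ip: sorted destination IPs} for UDP flows into `network`."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, proto, _ = fields
        if proto.lower() != "udp":
            continue  # the article describes UDP traffic only
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination is not a valid IP address
        if addr in network:
            hits[src].add(str(addr))
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, dsts in hosts_contacting_range(SAMPLE_FLOWS).items():
        print(src, "->", ", ".join(dsts))
```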

Comments
blackfalseto - 1 year ago
seriously? i have one random extension with name .b8ff
alfaromeo1971 - 1 year ago
I have *.aa43
DRC_VietNam - 1 year ago
i think is the demo for cerber4 in this november
anwarkhn - 1 year ago
Yes my files encrypted with extension .b1a5, Is there any decryption key for this...
DRC_VietNam - 1 year ago
yes recovery is the best way
volpevole - 1 year ago
I really need to recover my files (crypted overnight with the 4 random digits extension)... I am willing to pay the ransom if I am certain that they'll decrypt my files. Has anyone paid the ransom for the latest version and had their files decrypted? Thank you in advance for your quick reply.
Alfian - 1 year ago
my files encrypted with extension .b80e, any one have any decryption key for this? i really hope this problem can be solved...
pepperthegreat - 1 year ago
Hello, two days ago I got all my files encrypted with .beca extension.
I also have the readme.hta file.
There is any solution to recover ?
thanks in advance.
roberth23carlos - 1 year ago
I have a problem with my files are encrypted with extension ( (.875b) and I wanted to know if they could recover. Thank you
kashifmukhar_321 - 1 year ago
I have facing same issue all of my files extension has been saved with .a60d ( n3yJiVM0Nn.a60d ) and also with .hta is there any solution for this ?
Flaco_fotografo - 1 year ago
Anyone had a way to recover the encrypted files? The extension of my files changed to 0ezTpYX-Vn.b6d3
migero - 1 year ago
for some reason i had 2 encryptions one is globe2 that i taken care of and now i see all jpg's are encoded using *.8ddf ....
ZUK1990 - 1 year ago
same goes to me..
10 random characters following .aea7 extension..
hope someone could find solution soon...
roberth23carlos - 1 year ago
I have a problem: my files are encrypted with the extension ((.875b) and I wanted to know if they could be recovered. Thank you
Ediors - 1 year ago
I have the same problem. My Documents files are encrypted with the .b85c extension. I searched on internet and the ransomware is cerber 5.0. That was sad. I have my thesis files there.
SaviorSoshiant - 1 year ago
I have all my dissertation files on here and they are all now infected/encrypted by Cerber 5.0 ending in .B683 (which I am sure is randomly generated for different victims). Is there anything I can do :(((
SaviorSoshiant - 1 year ago
Please message me if you know how to fix this
SULE - 1 year ago
my is ending with .8fb4... I am an african from Ghana and i thought Africans were not among the countries they have targeted.... These are wedding video files i have just started working on..I am left thinking what the newly wedded couples will do when they find out their files are encrypted.. Oh GOD please intervene..
Flaco_fotografo - 1 year ago
Nothing yet appeared, I was in contact with B-Matika of Spain and still have no solution, if anyone knows anything please let me know. In this page they have a desiccator, I do not finish uncrying my photos, try it maybe they are lucky, the program has no virus is safe, I have tried it.
husnikky - 1 year ago
My extension is "0VQkNin2kl.84a0". When there will be a solution???
KDM4379 - 1 year ago
My extension is DX4a2JH2m1.a357 When will you get a solution
ankur__ - 10 months ago
My extension is .9a7f . Please help me out fixing this.
yasirkhan - 7 months ago
Greetings All, My Laptop also got infected with this. Extension is .8f84
If anyone has any solution please let me know. M really worried....... Thanks