Late last week, a new version of Cerber Ransomware was released that included some new features. The most notable changes are the switch from the static .Cerber3 extension for encrypted files to a random 4-character extension, the use of an HTA file as the ransom note, and the termination of various database processes before encryption.

With this version, when a victim's files are encrypted, not only will the filename be scrambled, but the extension will be replaced as well. This means that a file that was previously encrypted as 5NgPiSr5zo.cerber3 would now be encrypted to a name like 1xQHJgozZM.b71c.

This version also includes a new ransom note called README.hta. When launched, the ransom note will appear in an application window and display the normal ransom note. An example of the README.hta file can be found below.
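The two file-system artifacts described above (the scrambled 10-character name with a random 4-character extension, and the README.hta note) are enough for a simple triage check over a directory listing. The script below is an added example, not code from the article or from any vendor tool; it assumes the 4-character extension is lowercase hex (based only on the b71c sample) and that base names use alphanumerics plus `-` and `_`, and it uses a constructed file list.

```python
import re
from collections import Counter

# This Cerber version renames encrypted files to a scrambled 10-character
# base name plus a random 4-character extension (e.g. 1xQHJgozZM.b71c)
# and drops a README.hta ransom note. Assumption: the extension is lowercase
# hex (only the b71c sample is known); widen the class if real samples differ.
ENCRYPTED_NAME = re.compile(r"^[A-Za-z0-9_-]{10}\.[0-9a-f]{4}$")
RANSOM_NOTE = "readme.hta"
# The previous static extension is still worth flagging on the same hosts.
LEGACY_EXT = ".cerber3"


def classify(name: str) -> str:
    """Return 'note', 'legacy', 'encrypted' or 'ok' for one file name."""
    low = name.lower()
    if low == RANSOM_NOTE:
        return "note"
    if low.endswith(LEGACY_EXT):
        return "legacy"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    return "ok"


def triage(names, threshold=3):
    """Summarise a directory listing.

    A single 10+4 name can be a legitimate file, so the directory is marked
    'likely_cerber' only when the count reaches threshold, or when a ransom
    note sits next to at least one matching file.
    """
    counts = Counter(classify(n) for n in names)
    suspicious = counts["encrypted"] + counts["legacy"]
    likely = suspicious >= threshold or (counts["note"] > 0 and suspicious > 0)
    return {"counts": dict(counts), "likely_cerber": likely}


# Constructed sample listing, not taken from a real infection.
SAMPLE = [
    "1xQHJgozZM.b71c", "Q9d0TzKpLm.3a4e", "report.docx", "README.hta",
    "5NgPiSr5zo.cerber3", "budget.xlsx", "photo.jpg",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```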

Readme.hta File

According to security researcher BloodDolly, this update also adds new database processes to the list closed by the close_process directive in Cerber's configuration. This directive tells Cerber to terminate certain processes before encryption begins. The directive and the current list of processes being terminated are:


These processes are closed in order to make the processes' data files available for encryption. If the processes are still running during encryption, their open data files may be locked and therefore inaccessible to Cerber.

Finally, this version of Cerber Ransomware continues to send UDP packets to the range for statistical purposes.

UDP Packets

