A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files.  When I tested this new sample, there was some minor outward differences between this version and the previous version.

The most notable difference is that this new version will now append the .CERBER3 extension to encrypted files. This is shown in the sample pictures folder shown below.

Encrypted Files
Encrypted Files

Another notable difference is that this version has changed the ransom note names to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url.

This version of  Cerber continues to use the range of IP addresses for stats purposes. Strangely, when testing this version I did not see the typical UDP flood for stats purposes. I did see ICMP packets being sent to IP addresses in this range

Update  8/31/16: I updated the article about the stats ranges.

As this version is further analyzed, more information may become available. When this happens, I will be sure to update this article.

Related Articles:

Romanian Woman Admits Involvement in Hacking Attack On Washington Police Computers

Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption

The Week in Ransomware - October 19th 2018 - GandCrab, Birbware, and More

GandCrab Devs Release Decryption Keys for Syrian Victims

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords