A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files.  When I tested this new sample, there was some minor outward differences between this version and the previous version.

The most notable difference is that this new version will now append the .CERBER3 extension to encrypted files. This is shown in the sample pictures folder shown below.

Encrypted Files
Encrypted Files

Another notable difference is that this version has changed the ransom note names to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url.

This version of  Cerber continues to use the 31.184.234.0/23 range of IP addresses for stats purposes. Strangely, when testing this version I did not see the typical UDP flood for stats purposes. I did see ICMP packets being sent to IP addresses in this range

Update  8/31/16: I updated the article about the stats ranges.

As this version is further analyzed, more information may become available. When this happens, I will be sure to update this article.

Related Articles:

Minecraft & CS:GO Ransomware Strive For Media Attention

XiaoBa Ransomware Retooled as Coinminer But Manages to Ruin Your Files Anyway

Microsoft Engineer Charged in Reveton Ransomware Case

The Week in Ransomware - April 13th 2018 - PUBG Ransomware, Matrix, and More

Ransomware Protection Section Included in Windows 10's Spring Creators Update