A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files.  When I tested this new sample, there was some minor outward differences between this version and the previous version.

The most notable difference is that this new version will now append the .CERBER3 extension to encrypted files. This is shown in the sample pictures folder shown below.

Encrypted Files
Encrypted Files

Another notable difference is that this version has changed the ransom note names to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url.

This version of  Cerber continues to use the range of IP addresses for stats purposes. Strangely, when testing this version I did not see the typical UDP flood for stats purposes. I did see ICMP packets being sent to IP addresses in this range

Update  8/31/16: I updated the article about the stats ranges.

As this version is further analyzed, more information may become available. When this happens, I will be sure to update this article.

Related Articles:

King Ouroboros Ransomware Dev Vents to Researchers on Twitter

The Week in Ransomware - July 13th 2018 - CoinVault Court Case & More

Magniber Ransomware Expands From South Korea to Target Other Asian Countries

CoinVault Ransomware Authors Have Their Day in Court in the Netherlands

Cass Regional Medical Center Hit With Unidentified Ransomware