Since the Cerber Ransomware was first released back in early March of 2016, this ransomware would not only encrypt your files, but would also annoyingly encrypt the file names as well. This made it difficult for users and administrators to determine what files were actually encrypted and restore them from backups.

While many variants of Cerber have been released over time, this "feature" has always remained the same. That is until today, when both Emsisoft researcher Sarah, otherwise known as xXToffeeXx, and SwiftOnSecurity found a new sample of Cerber that leaves the original filename the same and only appends a random extension as shown below.

Cerber Encrypted Files
Cerber Encrypted Files

As you can see from the above picture, this new variant will keep the original filename, but now append a random extension to the filename. According to Sarah, this extension will be the same for all files encrypted on a particular machine, but will be different from machine to machine.

Otherwise, this variant continues to create ransom notes with names like _HELP_HELP_HELP_{RAND}_. Unfortunately, I do not know the IP ranges that Cerber was using previously for UDP statistics, but this variant uses the ranges 87.96.148.0/27, 87.97.148.0/27, 87.98.148.0/22.

Finally, the TOR payment site continues to be the same, with a 1 bitcoin ransom payment, which is approximately $1,180 USD, and then increases to 2 bitcoins after 5 days.

Cerber Payment Site
Cerber Payment Site

Otherwise, Cerber no other major differences detected. If any other changes are discovered, I will update this article to include the new information.