Since the Cerber Ransomware was first released back in early March of 2016, it has not only encrypted your files, but has also annoyingly encrypted the file names as well. This made it difficult for users and administrators to determine which files were actually encrypted and to restore them from backups.

While many variants of Cerber have been released over time, this "feature" has always remained the same. That is, until today, when both Emsisoft researcher Sarah, otherwise known as xXToffeeXx, and SwiftOnSecurity found a new sample of Cerber that leaves the original filename the same and only appends a random extension, as shown below.

Cerber Encrypted Files

As you can see from the above picture, this new variant will keep the original filename, but now append a random extension to the filename. According to Sarah, this extension will be the same for all files encrypted on a particular machine, but will be different from machine to machine.

Otherwise, this variant continues to create ransom notes with names like _HELP_HELP_HELP_{RAND}_. Unfortunately, I do not know the IP ranges that Cerber was using previously for UDP statistics, but this variant uses the ranges,,
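Because this variant keeps the original filename and appends one extension per machine, a plain file listing is enough to work out which files to restore from backup and where the ransom notes are. The following Python is an added example, not code from the article or the researchers; the `KNOWN` extension list, the `min_share` threshold and the sample paths (including `.x9k2` and the note's `.hta` suffix) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Ransom note naming reported in the article: _HELP_HELP_HELP_{RAND}_
NOTE_RE = re.compile(r"^_HELP_HELP_HELP_.+_")
# Assumption: extensions expected on legitimate user files in this environment.
KNOWN = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}

def triage(paths, min_share=0.5):
    """Return (appended_ext, note_paths, {encrypted_path: original_name})."""
    notes, candidates = [], []
    for p in map(PureWindowsPath, paths):
        suffixes = [s.lower() for s in p.suffixes]
        if NOTE_RE.match(p.name):
            notes.append(str(p))
        # Original name kept, unknown suffix appended: name.<known>.<unknown>
        elif len(suffixes) >= 2 and suffixes[-2] in KNOWN and suffixes[-1] not in KNOWN:
            candidates.append(p)
    if not candidates:
        return None, notes, {}
    ext, hits = Counter(p.suffix.lower() for p in candidates).most_common(1)[0]
    # The extension is the same for every file on one machine, so a single
    # suffix should dominate; otherwise report nothing rather than guess.
    if hits / len(candidates) < min_share:
        return None, notes, {}
    restore = {str(p): p.stem for p in candidates if p.suffix.lower() == ext}
    return ext, notes, restore

# Constructed sample listing, not from a real incident; ".x9k2" and the
# note's ".hta" suffix are made-up values for illustration.
SAMPLE = [
    r"C:\Users\a\Documents\report.docx.x9k2",
    r"C:\Users\a\Documents\budget.xlsx.x9k2",
    r"C:\Users\a\Pictures\photo.jpg.x9k2",
    r"C:\Users\a\Pictures\old.jpg.bak",
    r"C:\Users\a\Documents\notes.txt",
    r"C:\Users\a\Documents\_HELP_HELP_HELP_AB12CD_.hta",
]

if __name__ == "__main__":
    ext, notes, restore = triage(SAMPLE)
    print("appended extension:", ext)
    print("ransom notes:", notes)
    for enc, orig in restore.items():
        print(f"restore {orig!r} from backup (encrypted copy: {enc})")
```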

Finally, the TOR payment site continues to be the same, with a 1 bitcoin ransom payment, which is approximately $1,180 USD, and then increases to 2 bitcoins after 5 days.

Cerber Payment Site

Otherwise, no other major differences were detected in Cerber. If any other changes are discovered, I will update this article to include the new information.
