The cyber criminals behind the notorious Cerber ransomware family have released three new versions of the malware this week, with the most notable change being the addition of new IP ranges in Cerber 5.0.
Initially spotted in early March, Cerber took a different approach to informing users that they have been infected: it included a .vbs file with a VBScript that caused the compromised machine to speak to the victim. Adding the .CERBER extension to encrypted files, the threat was also observed scanning all accessible network shares for files to encrypt.
Used in massive campaigns worldwide, including one targeting Office 365 users, Cerber has seen numerous upgrades since March, with the second major release observed in early August. Available to other cybercriminals via the ransomware-as-a-service model, Cerber was estimated in August to generate $2.3 million in annual revenue.
Cerber 4.0, the latest major variant of the malware, was released about a month and a half ago, roughly one week after the threat was observed killing database processes on the infected machines and just over a month after Cerber 3.0 emerged.
On Thursday, security researchers observed version 5.0 of the ransomware being distributed, less than 24 hours after version 4.1.6 had been released. Several hours later, version 5.0.1 also emerged, showing that the malware’s developers are aggressively updating their software.
While analyzing Cerber 5.0, Check Point security researchers noticed that it uses new IP ranges for command and control (C&C) communication. One of the ranges had already been observed in version 4.1.6, but the rest appear to be brand new. Just as before, the security researchers explain, the malware broadcasts messages to all IP addresses via UDP.
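Because the C&C ranges change between releases, the UDP behaviour itself is a more durable detection signal than a list of ranges. The following is an added example, not code from Check Point or from the original article: it flags any host whose UDP traffic covers nearly every address of one destination prefix within a short window. It assumes the broadcast appears in flow logs as one source sending to most of a prefix; the record layout, addresses, port, prefix length and thresholds are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def sample_flows():
    """Constructed flow records: (epoch_s, src, dst, proto, dst_port).
    Addresses are RFC 5737 documentation ranges and the port is a placeholder;
    none of these values are indicators from the article."""
    flows = [(1000 + i // 64, "192.0.2.10", f"198.51.100.{i}", "udp", 9999)
             for i in range(256)]            # one host sweeping a whole /24
    flows += [(1000 + i, "192.0.2.20", "203.0.113.53", "udp", 53)
              for i in range(40)]            # chatty, but a single destination
    flows += [(1005, "192.0.2.30", f"198.51.100.{i}", "tcp", 443)
              for i in range(200)]           # not UDP, ignored
    return flows

def udp_sweeps(flows, prefix_len=24, window=60, min_coverage=0.9):
    """Return sorted (src, prefix, dst_port, coverage) for every source whose UDP
    datagrams reach >= min_coverage of one destination prefix within `window` s."""
    seen = defaultdict(list)                 # (src, prefix, port) -> [(ts, dst)]
    for ts, src, dst, proto, port in flows:
        if proto.lower() != "udp":
            continue
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        seen[(src, net, port)].append((ts, dst))
    hits = []
    for (src, net, port), events in seen.items():
        events.sort()
        in_window = defaultdict(int)         # dst -> datagrams inside the window
        best = left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:   # expire events older than window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))  # peak distinct destinations
        coverage = best / net.num_addresses
        if coverage >= min_coverage:
            hits.append((src, str(net), port, round(coverage, 2)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in udp_sweeps(sample_flows()):
        print(hit)
```

Tune `prefix_len`, `window` and `min_coverage` to the environment, and baseline legitimate wide-fan-out UDP sources such as scanners and discovery services before alerting on the output.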
Other changes in the new variant include the fact that it skips 640 bytes when encrypting a file (compared to 512 bytes before), and that it doesn’t encrypt files smaller than 2,560 bytes (compared to 1,024 bytes before). Moreover, the ransomware now also targets files that feature the .secret extension.
At the moment, the ransomware is being distributed via spam emails and exploit kits, specifically the Rig-V exploit kit. As with the previous variants, the malware randomly generates encrypted file extensions using four random alphabetic letters.
The malware continues to search for databases and files related to them, and can encrypt various database file types, Check Point says. The malware drops a ransom note on the desktop to inform users of the infection, and also drops an interactive .hta file with information in different languages. The rest of the features are unchanged from the previous releases.