Two versions of the new Cerber 5.0 ransomware released in a few days

Security experts from the CheckPoint firm discovered two different variants of the new Cerber 5.0 ransomware in a few weeks.

Security experts have spotted a new variant of the dreaded Cerber ransomware, the Cerber 5.0. This is the third version of the malware released this week that is able to encrypt files on all accessible network shares.

The Cerber ransomware was first spotted in March, since then it rapidly evolved. In June, Cloud security provider Avanan spotted a number of Cerber Ransomware variants that were targeting corporate Office 365 users with spam or phishing emails leveraging on malicious file attachments.

Cerber 2.0 was spotted in August when it was offered in the criminal underground via the ransomware-as-a-service model.

The Cerber 4.0 appeared in the wild in October, in the same month experts observed it killing common database-related processes like those of the MySQL, Oracle and Microsoft SQL servers to encrypt files.

The Cerber 4.0 appeared in the wild delivered by several exploit kits, including RIG, Neutrino, and Magnitude EKs.

The Cerber 4.0 is becoming very popular in the criminal ecosystem where it is still used to power several malvertising campaigns.

The latest, the Cerber 5.0 variant, included a .vbs file with a VBScript that implements a communication channel between victims and crooks.

Last week experts from CheckPoint security observed a rapid sequence of versions being released in the wild. Less than 24 hours after the release of the version 4.1.6, crooks distributed the Cerber 5.0 and the 5.0.1.

“Only yesterday (November 23rd, 2016) a new version of Cerber was released (4.1.6); however no prominent changes were noticeable in it. Less than 24 hours later, Cerber released the new version, 5.0, which is described in this article.” reads the analysis published by the firm CheckPoint.

“A notable change introduced in this Cerber version is the new IP ranges used for command and control communication. Cerber uses one IP range which was also used in its last version (4.1.6), while the rest of the IP ranges are new.”

The Ceber 5.0 leverages new IP ranges for the command and control (C&C) communication, only one of them was exploited in version 4.1.6. The malicious code multicasts messages to all IP addresses via UDP.

Cerber is currently distributed via spam e-mail campaigns and exploit kits, mostly Rig-V Exploit Kit. The malware uses randomly generated extensions for the encrypted file (4 random alphabetic letters).

Cerber informs victims which version of the ransomware they’ve been encrypted by, via a ransom note dropped on the desktop.

Experts from CheckPoint security speculate that Cerber creators constantly improve their code to avoid security vendors’ counter-measures.

There is no doubt, Cerber 5.0 will have many other successors.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cerber 5.0, ransomware)