[18th August 2017]
Apparently this strain of Cerber assumes that any malformed image file is a ‘canary’ file (a variation on the old idea of a goat file) and avoids encrypting it or any other file in the directory in which it’s found.
A goat file can be used to facilitate detection and/or analysis of a virus when it has been infected, by analogy with a ‘sacrificial goat’.
A canary file is intended to act like ‘a canary in a coal mine’, giving early warning of an attempt by ransomware to encrypt files, by analogy with a canary dropping unconscious or dead at the first hint of dangerous gases such as carbon monoxide.
Since it’s rather easy to generate a ‘malformed image file’, it’s been suggested that people do so to help protect folders containing valuable files. I suspect, however, that the Cerber gang (and other malefactors) have already twigged that one, so I certainly wouldn’t rely on such a strategy.
[8th August 2017]
- TrendLabs: Cerber Ransomware Evolves Again, Now Steals From Bitcoin Wallets
- Zeljka Zorz for HelpNet: New Cerber ransomware variant steals Bitcoin wallets, passwords
[4th August 2017]
David Bisson for Tripwire: Cerber Ransomware Now Capable of Stealing Bitcoin Wallet Files
[3rd August 2017]
Jérôme Segura for Malwarebytes: Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain. Magnitude ‘is mainly used to deliver the Cerber ransomware to specific countries in Asia.’ Interesting techniques.
The Merkle: Cerber Ransomware Rebrands to CRBR Encryptor (appears to be a rebranding rather than any sort of upgrade.
[4th May 2017]
[April 3rd 2017]
SC Magazine: Cerber for servers: Apache Struts2 campaign targets servers with ransomware. See also the Struts group article.
[March 28th 2017]
TrendLabs: Cerber Starts Evading Machine Learning – ‘…it is now using a new loader that appears to be designed to evade detection by machine learning solutions….This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection.’
[March 6th 2017]
Brad Duncan for Palo Alto: “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware. Apparently primarily distributes Cerber, but also Sage 2.0 and Locky.
[15th February 2017]
David Bisson for Graham Cluley’s blog: Sage 2.0 ransomware wants to be just like Cerber when it grows up – Same parents or pure mimicry?
See also notes on GoldenEye for a Cerber-like attack on HR departments (5th January 2017)
25th November 2016: info from Checkpoint on new variants of Locky and Cerber. Two thanksgiving presents from the leading ransomware
November 22nd 2016:
November 7th 2016:
Matthew Rosenquist, for McAfee: Cerber Ransomware Now Hunts for Databases
Commentary by Darren Pauli for The Register: Cerber ransomware menace now targeting databases – Why try to extract pennies from kiddies when there’s businesses to be bilked?
October 15th 2016
Trend Micro: Several Exploit Kits Now Deliver Cerber 4.0
October 5th 2016
Bleeping Computer reports on changes to Cerber in its new version: Cerber Ransomware switches to a Random Extension and Ends Database Processes
August 17th 2016
Check Point: CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service. Download the report from here, if you don’t mind sharing your contact details.
David Bisson for Graham Cluley’s blog: Cerber ransomware operation exposed… and boy is it lucrative! Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world
Help Net Security: The inner workings of the Cerber ransomware campaign
July 18th 2016
29th June 2016
7th June 2016
David Bisson for Graham Cluley’s blog: Cerber, the ransomware which talks to you, continues to evolve – New Cerber ransomware variant generates new hashes every 15 seconds.
[25th May 2016] A version of Cerber that incorporates a DDoS bot:
- Help Net: Cybercriminals add DDoS component to ransomware payloads
- Invincea: Two Attacks for The Price Of One: Weaponized Document Delivers Ransomware and Potential DDoS Attack
Lawrence Abrams, for Bleeping Computer, reports that The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You. Files are AES encrypted, a ransom starting at 1.24 Bitcoins is demanded, and there is currently no way of restoring encrypted files (except from backup of course) for free. And this ransomware, apparently offered as a service on a ‘closed underground Russian forum’, clearly wants to make it very clear that it’s struck: not only does it litter a victimized PC with ransom notes, but it also creates a VBS script that generates an audio message telling the victim that “Your documents, photos, databases and other important files have been encrypted!”
Other commentary by Shell Spawner$ and by David Bisson for Graham Cluley’s blog: Cerber ransomware speaks to you: ‘Your files are encrypted’ – If your files have a .CERBER extension, you don’t need malware to tell you you’ve got a problem
[27th April 2016] JÉRÔME SEGURA describes for Malwarebytes how Malvertising On The Pirate Bay Drops Ransomware: specifically, Cerber delivered via the Magnitude exploit kit. Commentary by Darren Pauli for The Register: Game of P0wns: Malvertising menace strikes Pirate Bay season six downloads – There is no honour among content thieves. Meanwhile, Team Cymru takes A Look Inside Cerber Ransomware.