Malware News New Cerber Ransomware v4.0 Sold Online

BoraMurdar

Super Moderator
Thread author
Verified
Staff Member
Well-known
Aug 30, 2012
6,598


There's always something happening in "Ransomwareland" and the latest update we have from this area of the cyber-crime underground is related to the highly-efficient and hugely popular Cerber ransomware, which recently received a major update with the release of v4.0.

Right there with Locky and CryptXXX, Cerber is one of today's most active ransomware threats, with constant updates aimed at changing the ransomware's signature and mode of operation in order to allow it to pass undetected by security software as much as possible.

Cerber has received major updates for the past three months
Released at the start of 2016, Cerber has spent a lot of time at v1.0, with small updates here and there, but never something major.

Something changed behind the scenes this summer, in August, an event after which the ransomware has received major updates at the beginning of each month.

Crooks released Cerber v2.0 at the start of August, then Cerber v3.0 at the start of September, and now they've released Cerber v4.0, which according to security researcher Kafeine, they're selling online as part of a rentable Ransomware-as-a-Service platform.

Cerber v4.0 available online as a RaaS service
The ads, written in Russian, and available at the end of this article, provide a series of clues of what's new in Cerber v4.0.

Kafeine says he spotted the ads on October 1, at the same time new Cerber versions started appearing on his radar.

Three days later, other security researchers also noted the launch of this new version, which, among other things, featured a new ransom note, new Tor payment URLs, the usage of a random file extension instead of the previous .CERBER3, and a focus on shutting down database processes so it could steal DB data.

Cerber v4.0 distributed via three major malvertising campaigns
According to Trend Micro, Cerber v4.0 is already infecting users, being distributed via at least three major malvertising campaigns.

The first campaign originates from the Magnitude exploit kit, which is a private exploit kit deployed by one gang. There is no surprise seeing Magnitude push Cerber v4 before everyone else, since the Magnitude gang has been one of Cerber's early adopters, and has been pushing only Cerber and no other ransomware, ever since Cerber first came out.

The second malvertising campaign is tracked as PseudoDarkleech, and before switching to Cerber v4.0, these crooks distributed the CrypMIC and CryptXXX ransomware families for months. This group currently uses the RIG exploit kit, after previously dropping the Neutrino exploit kit.

But Neutrino is not dead and appears to have gone private, just like Magnitude. According to Trend Micro, Neutrino is behind a smaller malvertising campaign which is also pushing Cerber v4.0.

To fend off ransomware infections, Trend Micro has probably some of the best advice we've seen anywhere.

“Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 3-2-1 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.”
 

Exterminator

Level 85
Verified
Top Poster
Well-known
Oct 23, 2012
12,527

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
So no news on how to get a sample?
Haven't come across one now, either wait for the next pack at the Vault where it's likely one can come across or have a look at Hybrid Analysis, there is an option to search for the names of samples, too. In any case, you need an account to download in case the sample is not set private.
 
