The Cerber3 ransomware virus is already a fact, as reported in several tweets by security researchers. The crypto virus is most likely appending the .cerber3 extension to victims’ encrypted files. The ransom note is titled # HELP DECRYPT #.txt. Not too long ago, the Cerber2 virus was reported to target and encrypt at least 50 file types, giving the victim 5 days to pay a ransom of $175 in Bitcoin. If the victim misses the deadline, the amount is said to double. It’s still not known whether Cerber3 continues the “tradition” established by its predecessor Cerber2, but we will provide new information as soon as it is available.
Cerber3 Virus Campaign – How Did It Start?
Cerber2 is still active in the wild, but cyber criminals are expected to terminate the operation and delete the encrypted files of victims who haven’t paid the ransom.
The Cerber virus is also part of the ransomware-as-a-service (RaaS) scheme, which means that somebody may have bought and updated its code, hence the emergence of Cerber3. An extensive report by security firm CheckPoint indicates that Cerber is definitely a quickly evolving RaaS operation. The highly profitable business of ransomware is no longer reserved only for skilled attackers who can write sophisticated encryption schemes and establish a steady infrastructure, researchers say. Particularly with Cerber3, non-professional cyber criminals may have connected with developers in closed forums. This is how the attackers could have obtained an undetected ransomware variant, and it may be how the Cerber3 version emerged.
Researchers also report that Cerber affiliates currently operate 161 active campaigns, infecting 150,000 victims. The profit of the operation is said to be $195,000 for July 2016 alone. The worst part is that each campaign runs separately and uses a different distribution method and a unique packer. According to CheckPoint, the most notable campaign primarily targets users in China and South Korea (Republic of Korea) and deploys the Magnitude Exploit Kit. Exploit kits have proven to be the best way to distribute ransomware. Cerber3 may currently be sold bundled with an exploit kit, be it Magnitude or some other, which means that the attack level may quickly reach a new high.
[CheckPoint] first discovered Cerber’s ecosystem thanks to an advertisement published by a threat actor named ‘crbr’ in February 2016, offering potential actors the opportunity to join the Cerber affiliates program. The ad was last edited in June 2016, indicating the ransomware is still available for purchase and that the information is up-to-date. The ad includes an extensive and accurate explanation about the malware itself, the landing pages, the partnership program through which the malware is sold, and the estimated profit.
Here is a translated version of crbr’s ad:
Q: Can I Decrypt .cerber3 Virus Files?
A: Given that Cerber2’s encryption was quite successful and undecryptable, files encrypted by Cerber3 may also be impossible to decrypt.
However, we have already written a detailed tutorial for victims of Cerber, explaining how to decrypt files encrypted by the Cerber ransomware virus.
Users who are affected by Cerber3 are strongly advised to remove the ransomware from their systems. It is highly recommended to use advanced anti-malware software because the ransomware may delete itself after encryption, while the exploit kit may still be residing on the computer. For maximum effectiveness, we recommend that you use the step-by-step removal instructions below. Alternative file restoration methods are also available in the accordion below.