It was not long before the new Cerber ransomware, which many seem to call version 4.0, received an overhaul. The new version uses more optimized code for modifying and encrypting infected computers, shows a new wallpaper stating its version as 4.1.0, and brings many other improvements. The virus, however, still uses the same README.hta ransom note as the original version. In case you have been infected by this updated strain of Cerber, calling itself 4.1.0, we advise you to read this article immediately to learn more about it, how to remove this iteration of the virus and, in addition, our suggested alternative methods to try to restore your encrypted files.
| | |
|---|---|
| Short Description | This Cerber ransomware variant encrypts files with the RSA or AES ciphers, adding four randomly generated A-Z 0-9 characters (e.g. .z33f) as a file extension to the encrypted files, and asks a ransom payoff for decryption. |
| Symptoms | Files are enciphered and become inaccessible by any type of software. A ransom note with instructions for paying the ransom shows as a “README.hta” file. |
| Distribution Method | Spam Emails, Email Attachments, File Sharing Networks, Malicious Executable in Torrent Trackers. |
| Detection Tool | See If Your System Has Been Affected by Cerber 4.1.0 (Malware Removal Tool) |
| User Experience | Join our forum to Discuss Crysis Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Technical Insight of The Cerber 4.1.0 Virus
The previous version of Cerber 4.1.1, named 4.1.0, does not differ much from the newer one. It is still as massively widespread as most Cerber iterations (.cerber, .cerber2 and .cerber3) were, and it still uses a random file extension like all Cerber 4.0 variants. To help you better understand how the infection process of Cerber 4.1.0 works, we have decided to explain it stage by stage.
Stage 1: Distribution and Infection
In order to spread it, the creators of Cerber ransomware have used a very common technique – an exploit kit. And not just any exploit kit: they have undertaken massive campaigns to spread their ransomware via a very advanced and notorious one – RIG EK. This collaboration may also involve the same people who are responsible for spreading Dridex malware and the 4.1.1 version’s malicious files. Whatever the case may be, you are most likely to get infected with Cerber by clicking on a fake and malicious web link (URL). But how does one get tricked into clicking such a link?
Malware researchers have discovered several methods that cyber-criminals may use to achieve this, and users should beware of them in the months to come:
- Malicious URLs posted and concealed behind Facebook posts that only appear to be legitimate. Some Facebook viruses may take over whole profiles or create duplicate ones to make the posts seem more legitimate.
- Web links posted via referral spam as comments on online forums and websites.
- URLs that may be posted if your computer has been infected by other malware or a PUP (Potentially Unwanted Program).
- Malicious web links that may have been displayed as fake search results by suspicious search engines.
- URLs concealed behind fake social media buttons or others sent out as e-mail spam.
There are many other methods of causing an infection via a URL, but these are the primary ones researchers warn us about. As soon as the future victim’s computer connects to the malicious URL, a so-called drive-by download is performed, meaning that the RIG Exploit Kit is downloaded and opened automatically, which then causes the infection.
After the infection has been caused, the RIG Exploit Kit automatically connects to the web, more specifically to Cerber’s hosting web servers, to download the payload of the virus. And these servers are not one or two but tens, even hundreds, because the ransomware uses advanced spamming methods.
After the exploit kit downloads the payload of Cerber 4.1.0, it may place it in commonly used Windows folders and from there start injecting malicious scripts into legitimate Windows processes to perform malicious activities. The malicious payload may have different file formats as well as different names, for example:
Stage 2: Post Infection Activity of Cerber 4.1.1
After infection, Cerber may modify the Windows Registry, where it has the chance to create custom registry entries that may change the wallpaper, run the malicious executable responsible for the encryption of the files, and perform other activities. The registry entries most likely targeted by this iteration of Cerber are:
After having modified all of the registry entries, the virus may begin the encryption procedure. It may not be as sophisticated as it seems, but it generally supports the widely used file types, like:
- Audio files.
- Image files.
- Database files.
- Microsoft Word sheets.
- Microsoft Excel documents.
- PowerPoint presentations.
- Files associated with Adobe Photoshop.
- Database files associated with different programs.
- Virtual drives.
- E-mail files (Microsoft Outlook).
After the files are encrypted they receive the random A-Z 0-9 file extension typical of v4 Cerber variants, as well as changed file names:
After this has been done, Cerber ransomware changes the wallpaper to its distinctive 4.1.0 notification.
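The file-extension indicator described in the summary table and in this paragraph (a four-character A-Z 0-9 extension next to a README.hta note) can be turned into a simple triage check over a file listing. The following Python is an added example, not code from the original article; the directory listing, the allowlist of legitimate four-character extensions and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Indicators taken from the write-up: encrypted files carry a four-character
# A-Z / 0-9 extension (e.g. ".z33f") and a README.hta note is dropped alongside.
RANSOM_NOTE = "readme.hta"
RANDOM_EXT = re.compile(r"^[a-z0-9]{4}$", re.IGNORECASE)

# Legitimate four-character extensions that would otherwise match the pattern.
# Illustrative allowlist (an assumption); extend it for your own environment.
KNOWN_EXTS = {"docx", "xlsx", "pptx", "html", "json", "jpeg", "yaml", "toml", "java", "webp"}

def looks_random_ext(name: str) -> bool:
    """True if the file's extension is four alphanumerics and not a known type."""
    ext = PurePosixPath(name).suffix.lstrip(".")
    return bool(RANDOM_EXT.match(ext)) and ext.lower() not in KNOWN_EXTS

def flag_directories(paths, min_files=3, min_ratio=0.5):
    """Return {directory: [suspicious names]} where a ransom note sits next to enough renamed files."""
    by_dir = defaultdict(list)
    for p in paths:
        pp = PurePosixPath(p)
        by_dir[str(pp.parent)].append(pp.name)
    flagged = {}
    for d, names in by_dir.items():
        has_note = any(n.lower() == RANSOM_NOTE for n in names)
        data = [n for n in names if n.lower() != RANSOM_NOTE]
        suspicious = [n for n in data if looks_random_ext(n)]
        ratio = len(suspicious) / len(data) if data else 0.0
        if has_note and len(suspicious) >= min_files and ratio >= min_ratio:
            flagged[d] = suspicious
    return flagged

# Constructed directory listing, not taken from a real infection.
SAMPLE_LISTING = [
    "/home/alice/Documents/a1b2c3d4e5.z33f",
    "/home/alice/Documents/f6g7h8i9j0.k7q2",
    "/home/alice/Documents/9zq1r8t4w2.p0x9",
    "/home/alice/Documents/budget-2016.xlsx",   # not (yet) encrypted
    "/home/alice/Documents/README.hta",
    "/home/alice/Pictures/holiday.jpeg",        # note without renamed files
    "/home/alice/Pictures/README.hta",
    "/var/tmp/x9y8.abcd",                       # odd extension, but no note
]

def scan_sample():
    return flag_directories(SAMPLE_LISTING)
```

The ratio threshold keeps a single oddly named file from raising an alert, while the note requirement ties the extension pattern to the ransom note this variant drops.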
The note prompts users to open the Cerber 4.1.0 payment page, which includes more instructions on how to pay the ransom:
Remove Cerber 4.1.0 Ransomware and Restore Randomly Encrypted Files
The bottom line is that Cerber continues to evolve, and rather fast, almost as if it is competing with the other big “player” in the ransomware world – the Locky virus. Anyone who has become an unfortunate victim and sees the above image as a wallpaper is advised to immediately remove the virus and try the alternative methods in step “2. Restore files encrypted by Cerber 4.1.0” below.