You may know Cerberus often called the “hound of Hades”, a monstrous multi-headed dog but in this case, Cerber is one nasty ransomware locking files and making it hard for victims to recover their data.
Lately, we have been hearing a lot and quite often about the Cerber ransomware, which so far has proven to be this year’s most prevalent ransomware family. Reportedly, Cerber ransomware accounted for over one-quarter of the total ransomware detections in the past three months and has generated $2.3 million annual revenue.
Now, we hear that this particular ransomware has become even more powerful with its improved key generation back in August and the capability of using random extensions for encrypted documents. However, the most devastating of them all is that the latest version of Cerber ransomware can kill database servers’ processes with these enhanced capabilities. It is called Cerber 3.0 while the extension it uses for encrypted documents is dubbed as .cerber3.
Bleeping Computer reports that the ransomware can kill many database processes through the close process directive present in its configuration file. The ransomware terminates all or some of the processes prior to starting the data encryption process. This way, it can encrypt data files of the processes as well since the data file wouldn’t be available for encryption if the process was active.
Previously, Cerber was distributed via exploit kits, malware scams and spam emails. From September onwards, researchers have noticed a change in its distribution trend. It is now being distributed by Betabot. In its latest version, the ransom amount has been reduced and the ransom note has also been modified but even in this version, the victims are contacted via an audio file.
The Cerber 3.0 uses a four-character extension now, which is randomly generated and the encrypted file’s name is also scrambled to make data recovery really difficult if not impossible. Moreover, the ransom note is dubbed as README.hta.
The list of the processes targeted by Cerber 3.0 is as follows:
“msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exeisqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, andsqbcoreservice.exe.”
— Michael Gillespie (@demonslay335) October 2, 2016
Similar to its previous versions, the new Cerber ransomware version also sends UDP packets to the 188.8.131.52/23 range.