FortiGuard Labs Threat Research

The First Major Update of Cerber 4 Ransomware Has Surfaced

By Sarah (Qi) Wu and Jacob (Kuan Long) Leong | October 31, 2016

Cerber 4.1.0 is already here!  In this blog we will share information about this updated version uncovered by Fortinet, including its differences and similarities compared to previous versions. 

Cerber is a classic ransomware tool that encrypts victims’ files and then demands payments to decrypt them. Victims are given a period of time for making the payments and then (hopefully) having their original unencrypted files restored.

Cerber marks encrypted files with a specific extension. In previous versions (Cerber 2 and 3), encrypted files were marked with .cerber2 and .cerber3, respectively.  For this version, encrypted files are marked with a four-character extension.  This four-character extension is the fourth segment of the “MachineGuid” value of the HKLM\Software\Microsoft\Cryptography registry key.  For instance, the file extension will be AAAA if the MachineGuid value is xxxxxxxx-xxxx-xxxx-AAAA-xxxxxxxxxxxx. 

Figure 1.  File extensions and “MachineGuid” value

Instruction files are dropped to notify the victims that their files have been encrypted, and to explain how to pay the ransom. The instruction file of this version has the same filename ”README.hta” as in previous versions, and the format remains the same.

Cerber also changes the wallpaper of infected machine to notify victims that they have been compromised. As explained above, previous indicators of Cerber versions were the file extensions of encrypted files. This is no longer the case for versions after Cerber 4, since now there is no fixed file extension. Instead, the version number is displayed on the modified wallpaper.

Figure 2. Modified wallpaper for Cerber 4.1.0

It appears that the code in this latest version has been optimized as compared to Cerber 4.0.2.  An example is shown below.

Figure 3.  An example of the code optimization


New versions are being released very quickly. Cerber 3 evolved into Cerber 4 in just one month, and Cerber 4.0.x has evolved into 4.1.x in just a few days!  Our ART team will continue to track this ransomware family and share any new developments we come across.

Sample Information

MD5:    ec667d4f3b4d9c8f161e3c89f5a670a0

SHA256: 85746169de9601fa5109bd59c1673313d666624c724639d3e3029e621ecbab88

Fortinet AV Detection Signature: W32/Cerber.HH!tr