
Cerber Ransomware version 2 Released, Uses .Cerber2 Extension


Petrovic


A new variant of the Cerber Ransomware was discovered by panicall, a security researcher for Trend Micro, that has some significant changes in how it was programmed. Cerber Ransomware version 2 contains numerous internal changes as well as changes that will be apparent to the victim.


Noticeable Changes in Cerber v2
For the victim, the most apparent change will be that encrypted files will now have the .Cerber2 extension rather than the previously used .Cerber.

[Image: Cerber2 Encrypted Files]


The installers that I have seen so far for the Cerber2 variant have been using an icon from the children's game called Anka. This will most likely change relatively soon.

[Image: Cerber / Anka Icon]


The wallpaper has also been changed to a new background that looks like a pixelated screen as shown below. This wallpaper will state "Your documents, photos, databases, and other important files have been encrypted!".

[Image: Cerber v2 ransom note wallpaper]


Last, but not least, this version removes the weakness that allowed Trend Micro's Cerber Decryptor to possibly decrypt encrypted files.


Internal Changes to Cerber version 2
Internally, a lot has changed with Cerber version 2. According to Panicall, the first change is that the ransomware now uses a packer to make it harder to detect and analyze.

It also changed the encryption to now use the Microsoft API CryptGenRandom to generate the key. Furthermore, the key being generated is 32 bytes rather than the 16 bytes used in previous versions. These changes make it so that Trend's Cerber Decryptor is not able to decrypt this version's encrypted files.


A portion of the current Cerber version 2 config extracted by Panicall is below. A full version can be found here. Thanks to Brendon Feeley for sharing the link.

{"av_blacklist":["arcabit","arcavir","avast software","bitdefender","bitdefender agent","bullguard ltd","bullguard software","ca","emsisoft anti-malware","escan","eset","etrust ez armor","f-secure","g data","kaspersky lab","lavasoft","trustport"]

"blacklist":{"countries":["am","az","by","ge","kg","kz","md","ru","tm","tj","ua","uz"]

"check":{"activity":0,"av":0,"country":1,"language":1,"vmware":0},"close_process":["excel.exe","infopath.exe","msaccess.exe","mspub.exe","onenote.exe","outlook.exe","powerpnt.exe","steam.exe","sqlservr.exe","thebat.exe","thebat64.exe","thunderbird.exe","visio.exe","winword.exe","wordpad.exe"]

"network":1,"new_extension":".cerber2","max_block_size":2,"max_blocks":5,"min_file_size":6,"multithread":1,"rc4_key_size":256,"rsa_key_size":880}

When I tested the sample, the current IP range being used by Cerber v2 for statistics over UDP is 31.184.234.0/23.

Article source
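As an added example (not code from the post or from the original article), a small Python script that takes a config fragment rebuilt from the values quoted above and turns it into defender-side material: the extension to watch for, the process kill list for an EDR rule, the country gating the sample honours, the key sizes, and a check of firewall log lines against the 31.184.234.0/23 statistics range. The trimmed config and the log lines are constructed samples; the log format is an assumption.

```python
import ipaddress
import json

# Constructed sample: a trimmed, well-formed version of the config fragment
# quoted in the post (same values, fewer list entries).
CERBER2_CONFIG = json.loads("""
{"av_blacklist": ["arcabit", "avast software", "bitdefender", "eset", "kaspersky lab"],
 "blacklist": {"countries": ["am","az","by","ge","kg","kz","md","ru","tm","tj","ua","uz"]},
 "check": {"activity": 0, "av": 0, "country": 1, "language": 1, "vmware": 0},
 "close_process": ["excel.exe", "outlook.exe", "sqlservr.exe", "winword.exe"],
 "network": 1, "new_extension": ".cerber2", "rc4_key_size": 256, "rsa_key_size": 880}
""")

# Range the post names for statistics traffic over UDP.
STATS_NET = ipaddress.ip_network("31.184.234.0/23")


def extract_indicators(cfg):
    """Pull the fields a defender turns into detections out of the config."""
    checks = cfg.get("check", {})
    return {
        "extension": cfg["new_extension"],
        "killed_processes": sorted(cfg.get("close_process", [])),
        # Country list only matters when the country check is switched on.
        "skipped_countries": sorted(cfg["blacklist"]["countries"]) if checks.get("country") else [],
        # av_blacklist is present, but check.av is 0, so the list is not acted on.
        "checks_av": bool(checks.get("av")),
        "checks_vm": bool(checks.get("vmware")),
        "key_bits": {"rc4": cfg["rc4_key_size"], "rsa": cfg["rsa_key_size"]},
    }


def flag_stats_traffic(log_lines):
    """Return log lines whose destination falls in the Cerber v2 stats range."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())  # assumed key=value format
        if ipaddress.ip_address(fields["dst"]) in STATS_NET:
            hits.append(line)
    return hits


# Constructed firewall log lines (key=value format is an assumption).
SAMPLE_LOG = [
    "proto=udp src=10.0.0.5 dst=31.184.235.17",
    "proto=udp src=10.0.0.5 dst=8.8.8.8",
    "proto=tcp src=10.0.0.7 dst=31.184.234.9",
]

if __name__ == "__main__":
    print(json.dumps(extract_indicators(CERBER2_CONFIG), indent=2))
    print(flag_stats_traffic(SAMPLE_LOG))
```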
