Wednesday 24 July 2024

New version of Cerber ransomware detected

DUBAI, December 15, 2016

A new unversioned Cerber ransomware has surfaced with relatively more changes as compared to the previous versions, according to Fortinet, a leading provider of fast and secure cyber security solutions.

The version number has now been removed from the desktop wallpapers of the infected machines, and this new Cerber release no longer has an apparent version number, which might make the tracking of the Cerber family more difficult than before.

Another noticeable change is that the modified wallpaper now comes with a Christmas colour theme. It also appears to have improved the efficiency of searching for and encrypting files.  Moreover, it extends its encryption coverage by adding more file extensions to the file extension list.

The version number of this new Cerber is no longer displayed on the desktop wallpaper. The text highlight is now red and the text is white, as shown in the figure below. Cerber versions 4 and 5 used to have fluorescent green text highlighted in black. The wallpaper of Cerber 5.0.1 is also shown below for comparison.

Modified instruction filename

Just as before, this new version of Cerber drops instruction files to notify the user that their files have been encrypted, and also tells the user how to pay for and get the decryptor. However, the name of the instruction file has been changed from “_README_.hta” (Cerber 5.0.1) to “_README_{random string}_.hta”.  Appending random characters or numbers to the instruction filename would disable some simple AV detections, such as the detection of hardcoded filenames.

Enhanced multithreading approach

This new Cerber release has further improved its multithreading approach. The new multithreading approach consists of two units: the file list generation unit and the file encryption unit. The file list generation unit searches files and adds them to a file list, which is a shared resource among all threads of both units. The file encryption unit fetches files from the file list and encrypts them.

The file list generation unit creates one file searching thread per drive. Each thread is only responsible for searching the files in its corresponding drive. If a valid file is found and certain conditions are met, the file will be added to a file list. It is important to note that all threads share and add files to the same file list if there are multiple threads.

The file encryption unit creates two threads for every processor of the infected machine. The number of processors is obtained by calling the API GetSystemInfo.  Each encryption thread fetches a file from the shared file list one at a time, and then encrypts the file.

Both units run concurrently so that the file encryption unit begins to fetch files as soon as the file list generation unit adds files to the shared file list. This new multithreading approach appears to be more efficient at searching for and encrypting files as compared to its previous versions. The reason behind this is that the most time-consuming components are now run in separate threads and run in parallel.

Many versions of the Cerber ransomware have been released since its first appearance.  Despite the high frequency of updates, some previous versions had few changes as compared to their respective predecessors.

However, this new unversioned Cerber release appears to have more significant changes. “We expect to see more aggressive updates soon,” Fortinet said. – TradeArabia News Service

Tags: Fortinet | Ransomware |

More IT & Telecommunications Stories

calendarCalendar of Events