Three new versions of the Cerber ransomware family released this past week.
Ransomware infections keep rising and developers continue to bring changes to the malware. In this case, the most notable change in the new versions is the addition of new IP ranges in Cerber 5.0, Check Point researchers said.
Cerber takes a different approach to informing users that they have been infected by including a .vbs file with a VBScript that forces the compromised machine to speak to the victim. Adding the .CERBER extension to encrypted files, the threat scanned all accessible network shares for files to encrypt.
Used in huge campaigns worldwide, Cerber continued to upgrade since first being discovered in March. The ransomware had a second release in early August. Available to other cybercriminals via the ransomware-as-a-service model, researchers estimated Cerber was generating $2.3 million in annual revenue.
A new release, Cerber 4.0, came out about 45 days ago.
This past Thursday, researchers found version 5.0 of the ransomware going out, less than 24 hours after version 4.1.6 released, said Check Point researchers in a post.
Several hours later, version 5.0.1 also emerged, showing the malware’s developers are aggressively updating their software.
While analyzing Ceber 5.0, Check Point security researchers found it uses new IP ranges for the command and control (C&C) communication. One of the IP ranges, however, was observed in version 4.1.6, but the rest of them are new. Just as before, the malware broadcasts messages to all IP addresses via UDP, the researchers said.
Other changes in the new variant include the fact that it skips 640 bytes when encrypting a file (compared to 512 bytes before), and that it doesn’t encrypt files smaller than 2,560 bytes (compared to 1,024 bytes before), said Lawrence Abrams of Bleepingcomputer.com in a post. The ransomware now also targets files that feature the .secret extension.