Cerber 4.0 Ransomware

The Cerber 4.0 Ransomware is an update to the Cerber Ransomware family that expands this threat's capacity for encrypting files, as well as changes other, aesthetic details of its ransom-based operation. Malware researchers can confirm that the Cerber 4.0 Ransomware's primary distribution models are using in-browser exploits that con artists are delivering through compromised websites. Since there is no working decryptor for this threat, PC owners should use anti-malware protection to find or remove the Cerber 4.0 Ransomware and backups for data restoration.

A Halloween Fright for Your PC

Despite being illegal, black market software, including various forms of Trojans, have their development and maintenance motivated by finance just as much as ordinary merchandise. The Cerber Ransomware family is one of the most significant threat groupings of Trojan authors racing to meet both the demand for their products by other con artists, as well as the need to outpace modern security solutions. Immediate updates to the family include the Cerber2 Ransomware, Cerber3 Ransomware, and, for October, the Cerber 4.0 Ransomware, among other branches.

Malware experts found few changes to the Cerber 4.0 Ransomware's essential payload, which persists with the business model of encrypting a PC's files and, then, displaying ransom messages expecting you to pay for a decryptor. However, the Cerber 4.0 Ransomware does include a new process-terminating feature for programs such as the Firefox's configuration editor, letting the Trojan close and incorporate them as prospective encryption targets, instead of ignoring them.

The Cerber 4.0 Ransomware also uses a new extension consisting of four randomly-generated characters, potentially confusing any attempts to identify the responsible Trojan. Past versions of the Cerber Ransomware most often use extension strings that identify the Trojan's family (such as '.cerber3'). Another, minor change switches the Cerber 4.0 Ransomware's ransom message to an advanced HTA format, instead of HTML, which gives the message more options for interactivity and text displays.

Taking the Fear out of a Fall's Threat

Other PC security companies have provided utilities for decrypting files encoded by past versions of the Cerber Ransomware, most likely via compromising the back-end infrastructure of the Trojan's campaign. However, since then, the Trojan family's developers have provided multiple updates for the threat, none of which, including the Cerber 4.0 Ransomware, have available decryption solutions publicly. Protecting your computer from the Cerber 4.0 Ransomware's known infection routes, and making frequent backups, are the defenses malware experts recommend as being most reliable.

The Cerber 4.0 Ransomware bases itself on a RaaS (or Ransomware-as-a-Service) business model in which other con artists may pay and distribute the Trojan as they see fit. However, current Cerber 4.0 Ransomware installations focus on delivery methods via exploit kits, including the RIG Exploit Kit, Magnitude, and the Neutrino Exploit Kit. All of these EKs have previous ties to this Trojan's family and can trigger through corrupted Web advertisements, and similar Web content. PC users who patch their software and use anti-malware products with Web protection features should be immune to these drive-by-downloads or be able to delete the Cerber 4.0 Ransomware immediately.

Threats like the Cerber 4.0 Ransomware are not a 'one and done' form of threats. PC operators need to pay just as much attention to updating their security protocols as threat authors do to updating their campaigns, or else they may pay a steep price for being behind the times.

Technical Details