August 9, 2016 By Larry Loeb 2 min read

Just as they did in earlier this summer, Cerber ransomware’s authors updated to a new variant by messing around with the ransomware decryption used in their criminal efforts.

Quirky From the Start

From its inception, Cerber has been a quirky and unique take on ransomware. It evades the most common antivirus checkers by updating its hash all the time. With a changed hash, the antivirus product lacks a signature to compare the malware against.

Because the malware is not explicitly on the blacklist, most antivirus products let it pass. Cerber is one of very few malware programs that has managed to pull off this kind of rapid hash change.

The malware authors have also shown they will change and revise things as needed. One such pivot was required after Trend Micro devised a free decryptor tool that cracked the first version of Cerber wide open. For a while, this threw a wrench into the criminals’ method of holding files hostage and getting money for the key.

Ransomware Decryption Is No Match

The malware authors went back to the lab yet again and emerged with new malware that has since been detected by security researchers. It shows evidence of massive alterations having been liberally applied to the program.

“Cerber v2 uses the CryptGenRandom Microsoft API to generate encryption keys, which are now 32 bytes long instead of 16 bytes,” reported Softpedia. Its new configuration also prevents the ransomware from running on PCs with certain types of security software.

Softpedia added that Cerber will not launch if it detects OS languages for the following countries: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan.

One researcher involved in the Trend Micro effort noted that there was no solution available for the latest Cerber ransomware variants. Users can only hope that security firms are trying to replicate past success by creating a ransomware decryption tool for the more sophisticated version of this malware.

More from

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

The future of cybersecurity: What to expect at Black Hat 2024

3 min read - The cybersecurity landscape continues to evolve at a breakneck pace. New threats emerge daily, and the stakes have never been higher, especially as artificial intelligence (AI) is infused into every aspect of business. As security and business leaders, it's crucial to stay ahead of the curve and ensure your organization is equipped to handle the ever-changing threat landscape. For over two decades, Black Hat has been the premier gathering of cybersecurity professionals, providing a platform for experts to share knowledge,…

Recent CrowdStrike outage: What you should know

3 min read - On Friday, July 19, 2024, nearly 8.5 million Microsoft devices were affected by a faulty system update, causing a major outage of businesses and services worldwide. This equates to nearly 1% of all Microsoft systems globally and has led to significant disruptions to airlines, police departments, banks, hospitals, emergency call centers and hundreds of thousands of other private and public businesses. What caused this outage in Microsoft systems? The global outage of specific Microsoft-enabled systems and servers was isolated to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today