U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Two versions of the new Cerber 5.0 ransomware released in a few days

Security experts from the CheckPoint firm discovered two different variants of the new Cerber 5.0 ransomware in a few weeks. Security experts have spotted a new variant of the dreaded Cerber ransomware, the Cerber 5.0. This is the third version of the malware released this week that is able to encrypt files on all accessible network […]

Two versions of the new Cerber 5.0 ransomware released in a few days

Security experts from the CheckPoint firm discovered two different variants of the new Cerber 5.0 ransomware in a few weeks.

Security experts have spotted a new variant of the dreaded Cerber ransomware, the Cerber 5.0. This is the third version of the malware released this week that is able to encrypt files on all accessible network shares.

The Cerber ransomware was first spotted in March, since then it rapidly evolved. In June, Cloud security provider Avanan spotted a number of Cerber Ransomware variants that were targeting corporate Office 365 users with spam or phishing emails leveraging on malicious file attachments.

Cerber 2.0 was spotted in August when it was offered in the criminal underground via the ransomware-as-a-service model.

The Cerber 4.0 appeared in the wild in October, in the same month experts observed it killing common database-related processes like those of the MySQL, Oracle and Microsoft SQL servers to encrypt files.

The Cerber 4.0 appeared in the wild delivered by several exploit kits, including RIGNeutrino, and Magnitude EKs.

The Cerber 4.0 is becoming very popular in the criminal ecosystem where it is still used to power several malvertising campaigns.

The latest, the Cerber 5.0 variant, included a .vbs file with a VBScript that implements a communication channel between victims and crooks.

Last week experts from CheckPoint security observed a rapid sequence of versions being released in the wild. Less than 24 hours after the release of the version 4.1.6, crooks distributed the Cerber 5.0 and the 5.0.1.

“Only yesterday (November 23rd, 2016) a new version of Cerber was released (4.1.6); however no prominent changes were noticeable in it. Less than 24 hours later, Cerber released the new version, 5.0, which is described in this article.” reads the analysis published by the firm CheckPoint.

“A notable change introduced in this Cerber version is the new IP ranges used for command and control communication. Cerber uses one IP range which was also used in its last version (4.1.6), while the rest of the IP ranges are new.”

The Ceber 5.0 leverages new IP ranges for the command and control (C&C) communication, only one of them was exploited in version 4.1.6. The malicious code multicasts messages to all IP addresses via UDP.

Cerber is currently distributed via spam e-mail campaigns and exploit kits, mostly Rig-V Exploit Kit. The malware uses randomly generated extensions for the encrypted file (4 random alphabetic letters).

Cerber informs victims which version of the ransomware they’ve been encrypted by, via a ransom note dropped on the desktop.

cerber 5.0

Experts from CheckPoint security speculate that Cerber creators constantly improve their code to avoid security vendors’ counter-measures.

There is no doubt, Cerber 5.0 will have many other successors.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cerber 5.0, ransomware)