New strain of Cerber ransomware arrives in time for Christmas

This latest version has relatively more changes as compared to the previous versions

Tags: Cyber crime
By Aasha Bodhani, published December 15, 2016

Fortinet has discovered that a newer strain of Cerber has arrived, aiming to make more money during the festive season.

It appears to have relatively more changes as compared to the previous versions. For example, the version number has been removed from the desktop wallpaper of infected machines, which makes this release harder to track than before. Furthermore, the modified wallpaper now uses a Christmas colour theme, and this version of Cerber has improved the efficiency with which it searches for files to encrypt.

Just as before, this new version of Cerber drops instruction files to notify the user that their files have been encrypted, and also tells the user how to pay for and obtain the decryptor. However, the name of the instruction file has been changed from "_README_.hta" (Cerber 5.0.1) to "_README_{random string}_.hta". Appending random characters or numbers to the instruction filename defeats some simple AV detections, such as those that look for a hardcoded filename.

Cerber's new multithreading approach consists of two units: the file list generation unit and the file encryption unit. The file list generation unit searches files and adds them to a file list, which is a shared resource among all threads of both units. The file encryption unit fetches files from the file list and encrypts them. 

The file list generation unit creates one file searching thread per drive. Each thread is only responsible for searching the files in its corresponding drive. If a valid file is found and certain conditions are met, the file will be added to a file list. It is important to note that all threads share and add files to the same file list if there are multiple threads. 

The file encryption unit creates two threads for every processor of the infected machine. The number of processors is obtained by calling the GetSystemInfo API. Each encryption thread fetches one file at a time from the shared file list and then encrypts it.

Both units run concurrently so that the file encryption unit begins to fetch files as soon as the file list generation unit adds files to the shared file list. This new multithreading approach appears to be more efficient at searching for and encrypting files as compared to its previous versions. The reason behind this is that the most time-consuming components are now run in separate threads and run in parallel.
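A defender-side counterpart to the two behaviours described above, added here as an example and not taken from the article or from Fortinet: a small Python detector that matches both ransom-note filename forms with a pattern rather than a hardcoded name (so the random suffix no longer evades it), and then flags notes dropped into several directories within a short window, which is what a fast multithreaded encryptor produces. The log line format, the sample events and the assumption that the random segment is alphanumeric are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Matches the Cerber 5.0.1 name "_README_.hta" and the newer
# "_README_{random string}_.hta". The random segment is assumed to be
# alphanumeric (an assumption, not something the article states).
RANSOM_NOTE_RE = re.compile(r"^_README_(?:[A-Za-z0-9]+_)?\.hta$", re.IGNORECASE)

# Constructed file-creation events: "<ISO timestamp> CREATE <path>".
SAMPLE_LOG = [
    "2016-12-15T10:00:01 CREATE C:\\Users\\alice\\Documents\\_README_a7Kq9_.hta",
    "2016-12-15T10:00:02 CREATE C:\\Users\\alice\\Documents\\report.docx",
    "2016-12-15T10:00:03 CREATE C:\\Users\\alice\\Pictures\\_README_Zx12pQ_.hta",
    "2016-12-15T10:00:04 CREATE D:\\share\\_README_.hta",
    "2016-12-15T10:30:00 CREATE C:\\Users\\alice\\Desktop\\_README_v5z_.hta",
]


def is_cerber_note_name(filename: str) -> bool:
    """True if the bare file name matches either Cerber note-naming form."""
    return RANSOM_NOTE_RE.match(filename) is not None


def parse_event(line: str):
    """Return (timestamp, path) for a CREATE event line, else None."""
    ts, action, path = line.split(" ", 2)
    if action != "CREATE":
        return None
    return datetime.fromisoformat(ts), path


def find_note_burst(lines, min_dirs=3, window=timedelta(seconds=60)):
    """Return the paths of ransom notes that land in at least `min_dirs`
    distinct directories within `window`, or [] if no such burst exists."""
    events = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, path = parsed
        directory, _, name = path.rpartition("\\")
        if is_cerber_note_name(name):
            events.append((ts, directory, path))
    events.sort()
    for i, (start, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - start <= window]
        if len({e[1] for e in in_window}) >= min_dirs:
            return [e[2] for e in in_window]
    return []
```

Run on the constructed log, the first three notes (three directories in four seconds) are flagged while the isolated note half an hour later is not.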

Many versions of the Cerber ransomware have been released since its first appearance. Despite the high frequency of updates, some previous versions had few changes as compared to their respective predecessors. However, this new unversioned Cerber release appears to have more significant changes.
