Cerber 4.0 Ransomware

Cerber 4.0 Ransomware Description

The Cerber 4.0 Ransomware is the next generation of the '.cerber' line of encryption Trojans. It joins threats like ORX-Locker and the Stampado Ransomware, which are offered as Ransomware-as-a-Service (RaaS) packages. The RaaS business model was pioneered by Encryptor RaaS in early 2015, and the developers of Cerber want a share of the ransomware market. It appears that the coders behind the Cerber 4.0 Ransomware decided to open their product to third-party programmers and benefit from the expanded distribution network.

A New JS Loader, New Obfuscation Layers, Customizable Encryption Engine and More

The Cerber 4.0 Ransomware is said to boast several significant improvements over Cerber v3. Cerber v4 creates a unique file extension marker for every victim, and the Trojan is programmed to bypass the security mechanisms employed by modern AV products. An updated encryption engine is combined with new layers of obfuscation and a JS loader to ensure hassle-free operation of the Cerber 4.0 Ransomware. The makers of Cerber v4 offer several strains of their threat for distribution to potential customers. Researchers note that the new Cerber Trojan shifted from a TXT-based ransom note to an HTA format, which offers extended functionality and customization. Cyber crooks who wish to deploy their own brand of ransomware are invited to buy the original Cerber engine and add a personal touch. You can find an example of the new ransom message below:

'CERBER RANSOMWARE
Instructions
Can't you find the necessary files?
Is the content of your files not readable?
It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware".
It means your files are NOT damaged! Your files are modified only. This modification is reversible.
From now it is not possible to use your files until they will be decrypted.
The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor".
Any attempts to restore your files with the third-party software will be fatal for your files!
You can proceed with purchasing of the decryption software at your personal page:
[links to pages on the TOR Network]
If this page cannot be opened click here to generate a new address to your personal page. '

An Upgraded Distribution Network for Cerber v4

The Cerber 4.0 Ransomware is delivered to users via spam emails carrying macro-enabled documents and via malvertising. Reports from several AV vendors and Web filtering services reveal that the Cerber 4.0 Ransomware is served through unsafe advertisements on compromised sites, casino-themed gaming portals, and pages with adult-rated content. In most cases, the RIG Exploit Kit is used to inject Cerber v4 into vulnerable systems with outdated software and bad port configuration. The RIG EK gained popularity while spreading other threats, including the CrypMIC Ransomware, and switched to Cerber on October 1st, 2016. Neutrino is another exploit kit used to spread the Cerber 4.0 Ransomware; the Neutrino EK became quite popular thanks to its success in deploying the CryptXXX Ransomware.

Computer users can protect their systems from variants of the Cerber 4.0 Ransomware by creating backups regularly and keeping their software up to date. Using an ad-blocker may also limit the attack surface for the cyber crooks who utilize malvertising to spread Cerber v4. However, your first line of defense should be a trusted anti-malware shield that can filter your Internet connection and prevent ransomware from loading in Windows.

Technical Information

File System Details

Cerber 4.0 Ransomware creates the following file(s):

Registry Details

Cerber 4.0 Ransomware creates the following registry entry or registry entries (file name without path):
# DECRYPT MY FILES #.html
# DECRYPT MY FILES #.url
# DECRYPT MY FILES #.vbs
_README_.hta
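The file names listed under File System Details and Registry Details above follow a small set of patterns (HTA notes with a random per-victim tag, the older "# DECRYPT MY FILES #" trio), and the article notes that Cerber v4 gives every victim its own file extension marker. The following triage script is an added example, not code from the original article or from any vendor; it checks a host's file listing for both artifact types. The extension heuristic (an uncommon extension shared by many files) and the sample listing are assumptions constructed here, not taken from the page.

```python
import re
from collections import defaultdict

# Ransom-note file names taken from the artifact lists on this page: HTA notes
# with a random per-victim tag, plus the older "# DECRYPT MY FILES #" trio.
NOTE_PATTERNS = [
    re.compile(r"^_HELP_HELP_HELP_[A-Z0-9]{0,10}_?\.hta$", re.I),
    re.compile(r"^_README_[A-Z0-9]{0,10}_?\.hta$", re.I),
    re.compile(r"^_READ_THI\$_FILE_[A-Z0-9]{0,10}_?\.hta$", re.I),
    re.compile(r"^# DECRYPT MY FILES #\.(html|url|vbs)$", re.I),
]

# Extensions that legitimately appear in bulk on a user profile. Any other
# extension shared by many files is flagged as a candidate per-victim marker.
# This allowlist and threshold are a heuristic assumed here, not page content.
COMMON_EXT = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "exe", "dll", "hta"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def is_ransom_note(path):
    """True when the file name matches a Cerber ransom-note naming pattern."""
    name = basename(path)
    return any(p.match(name) for p in NOTE_PATTERNS)

def suspicious_extensions(paths, min_files=5):
    """Return {ext: [paths]} for uncommon extensions shared by >= min_files files."""
    by_ext = defaultdict(list)
    for p in paths:
        name = basename(p)
        if "." not in name:
            continue
        ext = name.rsplit(".", 1)[1].lower()
        if ext not in COMMON_EXT:
            by_ext[ext].append(p)
    return {e: ps for e, ps in by_ext.items() if len(ps) >= min_files}

def triage(paths, min_files=5):
    """Combine both checks into one report for a host's file listing."""
    notes = sorted(p for p in paths if is_ransom_note(p))
    return {"ransom_notes": notes,
            "marker_extensions": suspicious_extensions(paths, min_files)}

# Constructed sample listing (not real telemetry): two dropped notes, six files
# renamed to one shared random extension, and ordinary user files.
SAMPLE = [
    r"C:\Users\victim\AppData\Roaming\_HELP_HELP_HELP_QUCBCBS1_.hta",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_README_HRZVCO6_.hta",
    r"C:\Users\victim\Documents\report.docx",
    r"C:\Users\victim\Documents\budget.xlsx",
    r"C:\Users\victim\Pictures\holiday.jpg",
] + [r"C:\Users\victim\Documents\%s.a1b2" % s for s in
     ("Qx9fT2LmKp", "Z0vHs8NrWq", "Lk3pD7cYbM", "Rt6yU1oPiA", "Nm4gJ5hFvB", "Wc8eX0zTqS")]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On a real host, feed `triage` the output of a recursive directory walk of the user profile; a hit on either check is a reason to isolate the machine and restore from backup rather than to run the dropped HTA.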

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.
