Cerber 4.0 Ransomware

Cerber 4.0 Ransomware Description

The Cerber 4.0 Ransomware represents the next generation in development of the '.cerber' line of encryption Trojans. The Cerber 4.0 Ransomware joins other threats like the ORX-Locker and the Stampado Ransomware, which are offered as Ransomware-as-a-Service package. The RaaS business was pioneered by Encryptor RaaS in early 2015 and the developers of Cerber want a share of the market for ransomware. It appears that the coders behind the Cerber 4.0 Ransomware decided to open their product to foreign programmers and benefit from the expanded distribution network.

A New JS Loader, New Obfuscation Layers, Customizable Encryption Engine and More

The Cerber 4.0 Ransomware is said to boast several significant improvements compared to the Cerber v3. The Cerber v4 creates a unique file extension marker for every victim, and the Trojan is programmed to bypass all security mechanisms employed by modern AV products. An updated encryption engine is combined with new layers of obfuscation and a JS loader to ensure a hassle-free operation of the Cerber 4.0 Ransomware. The makers of the Cerber v4 offer several strands of their threat for distribution to potential customers. Researchers note that the new Cerber Trojan shifted from a TXT-based ransom note to an HTA format that offers extended functionality and customization. Cyber crooks that wish to deploy their brand of ransomware are welcomed to buy the original Cerber engine and add a personal touch. You can find an example of the new ransom message below:

Can't you find the necessary files?
Is the content of your files not readable?
It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware".
It means your files are NOT damaged! Your files are modified only. This modification is reversible.
From now it is not possible to use your files until they will be decrypted.
The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor".
Any attempts to restore your files with the third-party software will be fatal for your files!
You can proceed with purchasing of the decryption software at your personal page:
[links to pages on the TOR Network]
If this page cannot be opened click here to generate a new address to your personal page. '

A Upgraded Distribution Network for the Cerber V4

The Cerber 4.0 Ransomware is deployed to users via spam emails loaded with macro-enabled documents and malvertising. Reports from several AV vendors and Web filtering services reveal that the Cerber 4.0 Ransomware is delivered to users via unsafe advertisements on compromised sites, casino-themed gaming portals, and pages with adult-rated content. In most cases, the RIG Exploit Kit is used to inject the Cerber v4 into vulnerable systems with outdated software and bad port configuration. The RIG EK gained popularity while spreading other threats including the CrypMIC Ransomware and switched to Cerber on October 1st 2016. We should add another exploit kit to the tools used to spread the Cerber 4.0 Ransomware, which is Neutrino. The Neutrino EK became quite popular thanks to a success in deploying the CryptXXX Ransomware.

Computer users can protect their OSes from variants of the Cerber 4.0 Ransomware by creating backups regularly and keeping their software up-to-date. Using an ad-blocker may limit the attack surface for the cyber crooks that utilize malvertising to spread the Cerber v4 as well. However, your first line of defense should be a trusted anti-malware shield that can filter your connection to the Internet and prevent ransomware from loading in Windows.

Infected with Cerber 4.0 Ransomware? Scan Your PC

Download SpyHunter's Spyware Scanner
to Detect Cerber 4.0 Ransomware
* SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter? View other possible causes of installation issues.

Technical Information

Infection Statistics

Our MalwareTracker shows malware activity across the world. Explore real-time data of Cerber 4.0 Ransomware outbreaks and other threats from global to local level.

File System Details

Cerber 4.0 Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 %WINDIR%\system32\config\systemprofile\AppData\Roaming\{BC938CB2-9C1B-4D74-24DE-2E5EC4C86636}\dcomcnfg.exe 727,846 dc68c7b1c3042dd4d40ee946dee1981a 4,200
2 %WINDIR%\system32\config\systemprofile\AppData\Roaming\{D356F669-87E8-7418-7B35-4816AA44C40C}\LocationNotifications.exe 782,080 031a213144c5ff102217ddc00adf66d0 1,869
3 %WINDIR%\system32\config\systemprofile\AppData\Roaming\{2B00BCC3-42B1-1D8E-FBA1-383F3D0BDE8C}\help.exe 439,427 22b3148a9cbfa38086e8f683c95964f9 1,598
4 %WINDIR%\system32\config\systemprofile\AppData\Roaming\{1AA55626-AC56-4563-CBB6-A483C4E722F7}\Utilman.exe 204,434 056f18639bf6adea8c35cfc5e32cd0e3 1,089
5 %APPDATA%\{11639717-8C09-D566-9EF6-AD45260A8C71}\ReAgentc.exe 195,204 4655d3e3498f075562f14ba38b2f5e60 802
6 %APPDATA%\{2F3AA0F6-976C-4b02-A66A-5D1DEA00811F}\InstallHelp.exe 945,152 4ed76fc058b1017fcb0da50f0750e487 584
7 %WINDIR%\system32\config\systemprofile\AppData\Roaming\{62E00AE3-5835-75AF-A74E-DAB5F6089633}\shrpubw.exe 188,039 356ea1ee79f9c1f7a4b713028c7f20b5 578
8 %APPDATA%\{B14B87F0-9419-EA86-FF2F-CD5423FD306A}\SynHelper.exe 304,640 519a98004850bb8d671b37ad5a679531 395
9 %APPDATA%\{51FBCA03-C471-95E3-EEA4-70CE8949A24D}\pricefountainupdateverupdate.exe 274,944 b72c37b239dd2f4dad1f386b3a4b911e 385
10 %WINDIR%\system32\config\systemprofile\AppData\Roaming\{B9B945ED-24CB-0419-99B9-7B5BA171E83F}\WPDShextAutoplay.exe 396,032 20feb4e0a8e32043b17e21e9744a13d6 350
11 %APPDATA%\{6A98394A-0B2B-0A56-25B4-AF47E9810A94}\icardagt.exe 397,568 39462c44f21cfaae2d5b1754218f784a 340
12 %APPDATA%\{5F7A8D01-0C53-8D9C-514D-77B40E2F3EA9}\UpdateTask.exe 396,800 ef7c094275615af779d155a1e481683d 338
13 %APPDATA%\{52155399-0CAC-C1D6-31F0-7B8667476241}\SyncTask.exe 408,576 ab632e4d74f52279a7c1f880439f612b 264
14 %APPDATA%\{4BCF77F0-80E3-4C98-E6BE-33D7B8E78393}\syncversion.exe 371,200 ae68f524aa1db4871bda6613616d43c8 256
15 %APPDATA%\{081C35F3-6243-81A1-3A45-093C032C2E9A}\mountvol.exe 212,269 064de7c80f1e37a70ca7b6b72113f3a3 254
More files

Site Disclaimer

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

IMPORTANT! To be able to proceed, you need to solve the following simple math.
Please leave these two fields as is:
What is 10 + 15 ?