Cerber Ransomware Updated Not to Delete Shadow Volume Copies But Office Docs

Cerber ransomware is yet again in news and this time for a specific reason. The newly identified and the recent versions of this ransomware behaves somewhat different from the previous one. The biggest change in the recently detected version of Cerber Ransomware is that it does not delete the shadow volume copies, instead, it is targeting and prioritizing specific folders only. This change has been spotted only in the recent version but it does not mean that shadow volume won’t be targeted in the future version. This discovery mainly comes via the Microsoft Malware Protection Center along with the Heimdal Security.

What are the changes in the recent version of Cerber Ransomware?

The recent variants of ransomware have started to prioritize the certain folders to the encryption routines. The other changes are that the list of the exempt folders has grown. It has updated the list of files for the encryption. According to the Microsoft, recent version of Cerber Ransomware cannot encrypt anymore some types of files including .cmd, .com, .dll, .cpl, .msc, .hta, .exe, .msi, .pif, .msp, .scr, .scf, sys etc. On despite the removal of some file extension, it has added 50 other file extension to bring up the Ransomware’s total to whooping 493 extensions.

Beside these updates, Cerber Ransomware is the same as before still the undecryptable. According to the depth analysis by Microsoft, it has been reported that the screen of ransom has changed because now it uses a red background highlight instead of the green.


Dissemination Strategies Used By The Recent Variants of Cerber Ransomware

According to the report of Heimdal, the crew of Cerber Ransomware uses compromised sites to attacks on the user’s Windows PC. The hacked sites are a part of the Psudo Darkleech campaign which uses a specific type of scripts on the compromised websites to redirect users into the exploit kits to infect the host with Nemucod malware which is regarded as a generic first-stage downloader.

Another distribution of Cerber Ransomware is reported by the Microsoft Malware Protection Center that is through leverages exploit kits. According to the crew of Microsoft, the gang of this ransomware uses the RIG exploit kit to take an advantage of CVE-20145-8651 vulnerability into the bun patched installations of Adobe Flash Player.

Besides these two distribution campaigns, it also spread via spam email. The crew of Cerber Ransomware uses the fake credit card reports to lure System users into downloading and the opening of any suspicious mail. The attachments come protected by s strong password. The file attachments usually receive users via Spam-emails which asks the user to allows the execution of a malicious macro script. If you allowed executing, the macro script downloads and installs Cerber Ransomware. According to the Microsoft, the campaign of Cerber Ransomware has seen a huge rise in numbers during the past few days.


Thus, it is advised by an expert that you need to be very attentive and kept an eye on the ransomware families. Getting the clues about its author, coding style, updating features and all the possible hints toward this can make you easily to decrypt your files and to stay away from such an infection.

Posted in Latest News. Tagged with , , .

Leave a Reply

Your email address will not be published. Required fields are marked *