A new variant of the Cerber ransomware kills common database-related processes, such as those of the MySQL, Oracle and Microsoft SQL servers, so that their files can be encrypted. The most notable changes are the switch from the static .Cerber3 extension for encrypted files to a random four-character extension, the use of an HTA file as the ransom note, and the termination of various database processes before encryption.
This update also adds new database processes to those closed by the close_process directive in Cerber’s configuration. This directive tells Cerber to terminate certain processes before encryption begins. The current list of terminated processes is:
These processes are closed so that the processes’ data files can be encrypted. If those processes are still running during encryption, the corresponding data files may not be accessible to Cerber.
When infected, a victim’s data files are encrypted using AES, and the victim is told they need to pay a ransom of 1.24 bitcoins (~$500 USD) to get their files back. Unfortunately, at this point there is no known way to decrypt a victim’s files for free.
At this time we do not know how the Cerber ransomware is being distributed, but according to SenseCy, it is being offered as a service on a closed underground Russian forum. This means it is probably a new Ransomware as a Service, or RaaS, where affiliates join to distribute the ransomware while the Cerber developers earn a commission from each ransom payment.
Furthermore, Cerber can scan for and enumerate unmapped Windows shares and encrypt any data found on them. If the network setting in the configuration file is set to 1, Cerber will search for and encrypt any accessible network shares, even those that are not mapped to the computer.
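The behaviours described above (database server processes terminated before encryption, files renamed to a random four-character extension, and files on unmapped network shares touched by the same process) are a useful correlation for detection. The following Python script is an added example written for this article, not code from the article or from Cerber itself: it runs a simple correlation rule over constructed, Sysmon-like events and alerts when one process kills a database server and then writes several random-extension files within a short window. The database image names (mysqld.exe, sqlservr.exe, oracle.exe) are assumed common defaults for the servers named in the article, not the list from Cerber's configuration, and the sample events are constructed.

```python
"""Correlation rule: DB-server kill followed by a burst of random-extension writes.

Added illustration for the article above; not the ransomware's code and not a
vendor's detection. Event shape is Sysmon-like but constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed image names of the database servers named in the article
# (MySQL, Oracle, Microsoft SQL Server). Common defaults, not a list taken
# from Cerber's configuration.
DB_IMAGES = {"mysqld.exe", "sqlservr.exe", "oracle.exe"}

# Legitimate four-character extensions; a small allowlist so everyday files
# (.docx, .json, ...) do not look like random ransomware extensions.
KNOWN_4CHAR_EXT = {"docx", "xlsx", "pptx", "json", "html", "jpeg", "yaml", "toml"}

RANDOM_EXT = re.compile(r"\.([a-z0-9]{4})$", re.IGNORECASE)


def is_random_extension(path: str) -> bool:
    """True when the file ends in four alphanumerics that are not an allowlisted extension."""
    m = RANDOM_EXT.search(path)
    return bool(m) and m.group(1).lower() not in KNOWN_4CHAR_EXT


def is_unc_path(path: str) -> bool:
    """True for \\\\server\\share paths, i.e. writes that reached a network share."""
    return path.startswith("\\\\")


# Constructed sample events: (timestamp, event, actor_pid, detail).
#   "terminate": the actor killed the process whose image name is in detail.
#   "write":     the actor created or renamed the file in detail.
SAMPLE_EVENTS = [
    ("2016-08-31T10:00:00", "terminate", 4120, "sqlservr.exe"),
    ("2016-08-31T10:00:01", "terminate", 4120, "mysqld.exe"),
    ("2016-08-31T10:00:03", "write", 4120, r"C:\Data\orders.k9x2"),
    ("2016-08-31T10:00:04", "write", 4120, r"C:\Data\customers.k9x2"),
    ("2016-08-31T10:00:05", "write", 4120, r"C:\Data\invoices.k9x2"),
    ("2016-08-31T10:00:06", "write", 4120, r"C:\Data\README.hta"),      # ransom note, 3-char ext
    ("2016-08-31T10:00:09", "write", 4120, r"\\FILESRV\Finance\q3.k9x2"),  # unmapped share
    ("2016-08-31T10:02:00", "write", 7002, r"C:\Users\bob\report.docx"),   # benign user activity
    ("2016-08-31T10:02:10", "write", 7002, r"C:\Users\bob\notes.txt"),
    ("2016-08-31T10:03:00", "write", 5500, r"C:\Temp\a.q1w2"),  # random ext but no DB kill
    ("2016-08-31T10:03:01", "write", 5500, r"C:\Temp\b.q1w2"),
    ("2016-08-31T10:03:02", "write", 5500, r"C:\Temp\c.q1w2"),
]


def correlate(events, window=timedelta(minutes=5), min_files=3):
    """Return one alert per actor pid that killed a database server and then wrote
    at least `min_files` random-extension files within `window` of the first kill."""
    by_pid = defaultdict(list)
    for ts, kind, pid, detail in events:
        by_pid[pid].append((datetime.fromisoformat(ts), kind, detail))

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e[0])
        kills = [(t, d) for t, k, d in evs if k == "terminate" and d.lower() in DB_IMAGES]
        if not kills:
            continue  # rule requires the database-kill precondition
        first_kill = kills[0][0]
        suspicious = [d for t, k, d in evs
                      if k == "write"
                      and first_kill <= t <= first_kill + window
                      and is_random_extension(d)]
        if len(suspicious) < min_files:
            continue
        alerts.append({
            "pid": pid,
            "killed": [d for _, d in kills],
            "suspicious_files": len(suspicious),
            "on_network_shares": sum(is_unc_path(p) for p in suspicious),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only pid 4120 alerts: pid 7002 writes ordinary documents, and pid 5500 writes random-extension files but never terminated a database server, so the rule stays quiet. The `on_network_shares` count is what surfaces encryption of unmapped shares reached through UNC paths; in a real deployment the allowlist and the `min_files` threshold would be tuned to the environment.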