A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files. When I tested this new sample, there was some minor outward differences between this version and the previous version.
The most notable difference is that this new version will now append the .CERBER3 extension to encrypted files. This is shown in the sample pictures folder shown below.
Another notable difference is that this version has changed the ransom note names to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url.
This version of Cerber continues to use the 31.184.234.0/23 range of IP addresses for stats purposes. Strangely, when testing this version I did not see the typical UDP flood for stats purposes. I did see ICMP packets being sent to IP addresses in this range
Update 8/31/16: I updated the article about the stats ranges.
As this version is further analyzed, more information may become available. When this happens, I will be sure to update this article.
Comments
mark_owen_21 - 7 years ago
Good day Sir Lawrence Abrams, i am infected with kind of Malware is there any update on how to DECRYPT this .CERBER3 or do you a DECRYPTER TOOLS for this please?? i need your help so desperately.. thank you very much in advance...
Lawrence Abrams - 7 years ago
I wish I could help, but at this time there is no way to decrypt files encrypted by cerber for free.
rafaelferreira - 7 years ago
and there is a paid program to decrypt ???
linh0189 - 7 years ago
https://www.youtube.com/watch?v=uW0FGgypbn8
linh0189 - 7 years ago
I did not know there was not decoded
Lawrence Abrams - 7 years ago
From what I am reading this does not work. Do you have a download link to this supposed decryptor?
Sintharius - 7 years ago
Lawrence, from what I was able to read from the video this is just the decrypter minus the key. Victim still have to pay for decryption key in order to get their files back.
alofun - 7 years ago
Video Decrypt Cerber3
https://www.youtube.com/watch?v=3NuLYoUcSbE&list=PL5RREv-HKeV7peP9GMdKCCNvKIa4i1LXC&index=5
Sintharius - 7 years ago
This is just the decrypter, you still need to buy the key. And I can read the language, so unless there is a good explanation for this then don't bother.
Freakinghackers - 7 years ago
Kay guys, i don't know if you might find this info of any use, long long story short..Got screwed....spent hours reading articles.....found this site ......(still working on cleaning my Laptop) .....anyway....what just happened i sorted my encrypted files by size...(a folder i use to store short videos and text....i found a file of a 20MB, i knew this must be a video file....Right click...rename and changed the name of the file Blabla.808f to Blabla.mp4......and it worked and got it back and i played the file normally. except for the name of the file of course. so i tried this with others files (jpg) file and i got it back.
hope you guys find this useful maybe you can work on a solution.
regards
A very Sad person who just lost part of his digi-memory