Last spring, Malwarebytes researchers reported that the encryptor Cerber managed to capture the leadership in the black market, and this was largely due to the transition of the malware to the RaaS (Ransomware-as-a-Service) model and the regular appearance of new versions. For example, this year the small town has learned to hide its presence from antivirus products, including those that use machine learning to identify threats.
According to the report Malwarebytes, in the first quarter of 2017, Cerber owned 90% of the cipher market, and this indicator is very close to the absolute record of TeslaCrypt, established in May 2016.
Now, experts from Trend Micro reported the appearance of a new version of Cerber, which not only encrypts victim files and extorts $ 300-600 in redemption from victims, but also abducts crypto and passwords from purses.
The researchers write that Cerber still spreads through malicious email attachments, but now the extortionist does not immediately begin encrypting files on the infected machine. Initially, the small business searches for the signs of the Bitcoin Core, Electrum and Multibit currency wagons and, if successful, steals application-related files wallet.dat (Bitcoin), * .wallet (Multibit), and electrum.dat (Electrum).

These files by themselves will not allow criminals to steal someone else’s crypto currency, they will also need a password to access the wallet. Moreover, experts note that Electrum does not use electrum.dat from 2013. But in addition to data on purses Cerber also steals saved passwords from Internet Explorer, Google Chrome and Mozilla Firefox.
Sending information about crypto-currency wallets and stolen passwords to the server of cybercriminals, Cerber removes all files associated with wallets from the infected computer and then proceeds to the usual process of data encryption.
Trend Micro analysts note that the Malvari authors are obviously looking for new ways to monetize their “product”, and it’s no surprise that they turned their attention to crypto currency.


Leave a Reply

Your email address will not be published. Required fields are marked *