Malware encrypted fileIt's not unusual for brands to occasionally have to re-envision themselves. Apparently this applies to legitimate and illicit brands equally.

Recent campaigns have revealed that the developers of the Cerber Ransomware have made the daring move to remove superfluous vowels from their name, rebranding the ransomware as CRBR.

Even bolder is that this fashion makeover has had zero actual impact on their product. The source code is still the same (minus the letter 'e'). It's still the same ransomware, just in a slightly more chintzy package.

It is being distributed by the Magnitude Exploit Kit, and through emails that pretend to be from Microsoft's account security team. These fake emails pretend that the target's account had a suspicious sign-in, and directs them to an attached zip file for "further instructions." This file then executes JavaScript to download and run the ransomware and encrypt the victim's computer.

Like the original Cerber, files encrypted by CRBR will have their file names and extensions scrambled beyond readability.

Payment for decryption currently stands at .5 Bitcoin (~$1300), which increases to 1 Bitcoin (~$2600) after 5 days.

Unfortunately, Cerber/CRBR Encryptor still uses an encryption method that cannot be readily broken. For now, decryption of computers infected with the ransomware is impossible for free, paying the ransom is the only recourse.

To add protection against Cerber/CRBR Encryptor we recommend enabling the following targets:

  • Standard mode
    • TS Curated - Ransomware - IPs
    • TS Curated - Ransomware - Domains
  • Expert mode (included in the curated targets for standard mode)
    • TS Originated - Ransomware - IPs 
    • TS Originated - Ransomware - Domains 

If you do not have a ThreatSTOP account, Sign up to try a demo.

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our Support team.