With a different design and improved distribution tactics, the new Red Cerber ransomware has been reborn and is ready to take down as many computers it can. The virus now spreads as a javascript dropper file which might arrive into the potential victim’s inbox compressed in .zip or .rar archive. The malicious file itself is mostly delivered under a random file name and features a .js extension at the end. Talking about extensions of the encrypted files, these are (again) different from the previous Cerber versions. Now the virus adds four-character extensions that are generated from random letters and characters. Needless to say, files marked with such extensions become inaccessible because they are encrypted with military-grade RSA-512 and RC4 ciphers. To explain how these files can be retrieved, Red Cerber developers have designed the virus to drop _README_.hta file on every infected folder automatically and change the desktop picture with an image of the typical Cerber ransom note. The only thing that is different is the note’s background color. You have probably already guessed it — it is now red.
Interestingly enough, Red Cerber does not delete Volume Shadow Copies of the encrypted files anymore, so the victims may try to recover their data for free, using these Windows backup copies of the files. The experts are not sure whether this was a programming flaw that the virus developers have overlooked by accident or was it a purposeful and conscious decision. Either way, such weakness increases virus vulnerability and significantly diminishes the expected financial outcome. Thus it is likely that a new Cerber version is already on its way. If you are not infected yet — it is high time you started taking the necessary precautions to increase the security of your device and safety of your data.