Cerber2 ransomware released, no decryption tool available

The author of the widely distributed Cerber ransomware has released a newer version, and files encrypted with Cerber2, unfortunately, can’t be decrypted without paying the ransom.


Several weeks ago, Trend Micro released a tool that can be used to decrypt files encrypted by a number of popular ransomware families and versions. Among these is the first version of Cerber (with certain limitations), but also CryptXXX, BadBlock, and TeslaCrypt.

But, as a Trend Micro researcher who goes by the online handle PanicAll recently discovered, the Cerber ransomware author must have looked at the Trend Micro tool’s code and found a way to foil it.

Files encrypted by Cerber2 get the .cerber2 extension, and the malware shows a new ransom message.

The encryption method has also changed: Cerber2 now uses the Microsoft API function CryptGenRandom to generate the 32-byte encryption key.

Finally, the new variant also uses a packer to make malware analysis more difficult.

The Trend Micro Ransomware File Decryptor tool was updated on Friday, but unfortunately there is still no solution for Cerber2.

Users who have been hit can back up all their encrypted files and hope that one will be provided soon.
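The backup step advised above, as an added example (not from Trend Micro or the original article): a Python script that copies every `.cerber2` file to a separate location and records a SHA-256 manifest, so the encrypted data is preserved unchanged in case a decryptor is released. The function names, the manifest layout and the folder arguments are assumptions.

```python
import csv
import hashlib
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".cerber2"  # extension named in the article


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_encrypted_files(source_root, backup_root):
    """Copy every *.cerber2 file under source_root into backup_root.

    Relative paths are kept so files can be put back in place later.
    Returns the manifest rows: (relative_path, size_bytes, sha256).
    """
    source_root = Path(source_root).resolve()
    backup_root = Path(backup_root).resolve()
    rows = []
    for path in sorted(source_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ENCRYPTED_SUFFIX:
            continue
        if backup_root in path.parents:
            continue  # backup folder sits inside the scanned tree; skip it
        relative = path.relative_to(source_root)
        target = backup_root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        original_hash = sha256_of(path)
        # Skip the copy when an earlier run already preserved this exact file.
        if not (target.exists() and sha256_of(target) == original_hash):
            shutil.copy2(path, target)  # copy2 keeps timestamps
            if sha256_of(target) != original_hash:
                raise IOError(f"copy of {relative} does not match the original")
        rows.append((relative.as_posix(), path.stat().st_size, original_hash))
    backup_root.mkdir(parents=True, exist_ok=True)
    with open(backup_root / "manifest.csv", "w", newline="") as handle:
        writer = csv.writer(handle)
        writer.writerow(["relative_path", "size_bytes", "sha256"])
        writer.writerows(rows)
    return rows
```

Point `backup_root` at offline or removable storage that the infected machine cannot write to afterwards.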
