Now Cerber ransomware wants to steal your Bitcoin wallets and passwords too

One of the worst forms of ransomware has suddenly become even worse in an effort to make its malicious authors more money.
Written by Danny Palmer, Senior Writer

Cerber has risen to become the most dominant family of ransomware - and now it has new tricks.

Image: Malwarebytes

One of the worst types of ransomware has become even nastier, adding the ability to steal Bitcoin wallets and password information from you in addition to encrypting your files and demanding a ransom payment in order to get them back.

Cerber already dominates the ransomware market: its creators constantly update it with new features, such as the ability to evade detection by security tools, and they also sell it 'as-a-service' to low-level hackers who want to make a quick buck from ransomware - with the authors taking a share of every single ransom payment.

To make things even worse, the ransomware uses very strong encryption and the ever-evolving nature of Cerber means there aren't any decryption tools available for the latest versions.

Not content with profits made by extorting victims with a family of ransomware which accounts for 90 percent of the market on Windows, those behind Cerber have added more strings to its bow in order to harvest even more from victims.

Now the latest incarnation of Cerber looks to steal cryptocurrency and passwords from victims, providing an additional means of profit on top of what's made from Bitcoin ransom demands between $300 and $600.

The method of delivery is the same - Cerber still attacks the victim via a malicious attachment in a phishing email - but now the exploit kit will look to perform other nefarious tasks before going through with the encryption process.


Phishing email attempting to deliver the Cerber payload.

Image: Trend Micro

Researchers at Trend Micro describe the process of the attack as "relatively simple", with Cerber targeting three Bitcoin wallet applications - the first-party Bitcoin Core wallet and the third-party Electrum and Multibit wallets.

A password is required in order to access the contents of the wallet, but Cerber has this covered too - it also tries to steal saved passwords from Internet Explorer, Google Chrome, and Mozilla Firefox.


Any saved password information for detected Bitcoin wallets is sent to the attackers via a command and control server, allowing the hackers to gain access to the cryptocurrency held within.

To add insult to injury, Cerber also outright deletes the wallet files before going on to encrypt the system and demanding a ransom in exchange for returning the files.
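The sequence described above (a non-wallet process reading wallet files, then reading browser credential stores, then deleting the wallet files) is something a defender can look for in endpoint file-activity telemetry. The following Python script is an added illustration, not code from the article, Trend Micro or Malwarebytes: it correlates constructed file events per process and assigns a verdict based on how many stages of that sequence appear. The event line format, the wallet and browser credential-store paths, and the list of processes expected to touch those files are all assumptions made for the example.

```python
"""Correlate file-activity events into the wallet-theft pattern the article describes.

Sample events, path patterns and the event format are constructed for this
example; real telemetry (Sysmon, EDR file events) would need its own parser.
"""
import re
from collections import defaultdict

# Default file locations for the three wallets named in the article (assumed).
WALLET_PATHS = [
    re.compile(r"\\Bitcoin\\wallet\.dat$", re.I),       # Bitcoin Core
    re.compile(r"\\Electrum\\wallets\\", re.I),          # Electrum
    re.compile(r"\\MultiBit.*\.wallet$", re.I),          # MultiBit
]
# Saved-password stores for the three browsers named in the article (assumed).
BROWSER_CRED_PATHS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$", re.I),
    re.compile(r"\\Microsoft\\Vault\\", re.I),           # IE / Windows Vault
]
# Processes that legitimately read these files; everything else is suspicious.
EXPECTED_WALLET_IMAGES = {"bitcoin-qt.exe", "electrum.exe", "multibit.exe"}
EXPECTED_BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "iexplore.exe"}

# Constructed event format: "<ts> pid=<n> image=<exe path> op=READ|DELETE path=<file>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"op=(?P<op>READ|DELETE) path=(?P<path>.+)$"
)


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def _matches(path, patterns):
    return any(p.search(path) for p in patterns)


def score_events(lines):
    """Map pid -> {"image", "stages", "verdict"} for processes showing any stage.

    Stages: wallet_read (non-wallet process reads a wallet file),
            browser_cred_read (non-browser process reads a saved-password store),
            wallet_delete (any process deletes a wallet file).
    """
    procs = defaultdict(lambda: {"image": None, "stages": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skip rather than fail the whole batch
        rec = procs[ev["pid"]]
        rec["image"] = ev["image"]
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if _matches(ev["path"], WALLET_PATHS):
            if ev["op"] == "READ" and exe not in EXPECTED_WALLET_IMAGES:
                rec["stages"].add("wallet_read")
            elif ev["op"] == "DELETE":
                rec["stages"].add("wallet_delete")
        elif ev["op"] == "READ" and _matches(ev["path"], BROWSER_CRED_PATHS):
            if exe not in EXPECTED_BROWSER_IMAGES:
                rec["stages"].add("browser_cred_read")

    verdicts = {1: "low", 2: "medium", 3: "high"}
    return {
        pid: {
            "image": rec["image"],
            "stages": sorted(rec["stages"]),
            "verdict": verdicts[len(rec["stages"])],
        }
        for pid, rec in procs.items()
        if rec["stages"]
    }


# Constructed sample telemetry: one dropper doing the full sequence, plus
# benign wallet and browser activity that must not be flagged.
SAMPLE_EVENTS = [
    r"2017-08-03T10:01:02 pid=4120 image=C:\Users\bob\AppData\Local\Temp\invoice.exe op=READ path=C:\Users\bob\AppData\Roaming\Bitcoin\wallet.dat",
    r"2017-08-03T10:01:03 pid=4120 image=C:\Users\bob\AppData\Local\Temp\invoice.exe op=READ path=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2017-08-03T10:01:03 pid=4120 image=C:\Users\bob\AppData\Local\Temp\invoice.exe op=READ path=C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json",
    r"2017-08-03T10:01:05 pid=4120 image=C:\Users\bob\AppData\Local\Temp\invoice.exe op=DELETE path=C:\Users\bob\AppData\Roaming\Bitcoin\wallet.dat",
    r"2017-08-03T10:01:05 pid=4120 image=C:\Users\bob\AppData\Local\Temp\invoice.exe op=DELETE path=C:\Users\bob\AppData\Roaming\Electrum\wallets\default_wallet",
    r"2017-08-03T10:02:00 pid=2200 image=C:\Program Files\Electrum\electrum.exe op=READ path=C:\Users\bob\AppData\Roaming\Electrum\wallets\default_wallet",
    r"2017-08-03T10:02:10 pid=3001 image=C:\Program Files\Google\Chrome\Application\chrome.exe op=READ path=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    "this line is not an event and is ignored",
]

if __name__ == "__main__":
    for pid, rec in score_events(SAMPLE_EVENTS).items():
        print(pid, rec["image"], rec["verdict"], ",".join(rec["stages"]))
```

Only the dropper process is reported, with a "high" verdict, because it hits all three stages; the wallet and browser processes reading their own files produce no stage at all. In production the allowlist would be keyed on signed image paths rather than bare executable names, since a name alone is trivial for malware to reuse.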

"This new feature shows that attackers are trying out new ways to monetize ransomware. Stealing the Bitcoins of targeted users would represent a valuable source of potential income", said Trend Micro researchers Gilbert Sison and Janus Agcaoili.

Cerber isn't the first family of ransomware to steal data from victims - two previous examples are RAA ransomware infecting victims with data-stealing Pony Trojan malware and Merry Christmas ransomware being bundled with information stealing Diamond Fox malware - but it's worrying to see the most common form of file-locking malware adopt this technique.

While Cerber has added this new ability to its payload, the email phishing attack method remains the same, so educating users to be vigilant when it comes to mysterious attachments or unverified sources remains one of the best ways to avoid infection.

While the identity of the hacking gang behind Cerber remains a mystery, its continued evolution and development of the ransomware points to it being the work of a highly organised operation.

Researchers have previously noted that Cerber doesn't infect targets in former Soviet states, suggesting that it could potentially have a Russian origin.
