Cerber ransomware is back, in the form of a new ransomware family that exploits remote code execution vulnerabilities in Atlassian Confluence and GitLab servers. The original Cerber operation emerged in 2016, as ransomware grew more prevalent, and swiftly became one of the most prolific gangs; its activity then gradually declined until it vanished at the end of 2019.
Now a ransomware calling itself Cerber has raised its ugly head once more and is infecting victims globally with both a Windows and a Linux encryptor. The latest version appends the .locked extension to encrypted files and drops ransom notes named _$$RECOVERY_README$$_.html. The new Cerber group demands ransoms of between $1,000 and $3,000 from its victims.
Fabian Wosar, CTO of Emsisoft and a ransomware expert, evaluated the new strain and concluded that its code does not match that of the previous family. In particular, the latest version uses the Crypto++ library, whereas the original relied on the Windows CryptoAPI.
These code differences, together with the fact that the original Cerber never had a Linux variant, point to a new threat actor that has adopted the Cerber name, ransom note, and Tor payment site, rather than a return of the original operation.
According to security experts and vendors, the new Cerber operation has been attacking servers by exploiting remote code execution flaws in Atlassian Confluence and GitLab. BoanBird, a security researcher, published a sample of the new Cerber ransomware, which shows that this strain specifically targets the following Atlassian Confluence folders:
C:\Program Files\Atlassian\Application Data
C:\Program Files\Atlassian\Application Data\Confluence
C:\Program Files\Atlassian\Application Data\Confluence\backups
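The file-system artifacts above (the .locked extension, the _$$RECOVERY_README$$_.html note, and the Confluence folders the sample singles out) are enough to build a simple hunt for servers that were already hit before they were patched. The script below is an added example, not code from the article or from any vendor: it walks a directory tree, collects encrypted files and ransom notes, and reports which of the listed Confluence folders contain them. The sample tree it scans is constructed in a temporary directory so the script runs on any OS; the Windows paths are stored relative to the scan root, so on a real server you would pass the drive root (for example C:\) as the root.

```python
"""Hunt for the indicators attributed to the new Cerber strain.

Added example (not the article's or any vendor's code).  Indicators are
taken from the article: the ``.locked`` extension on encrypted files, ransom
notes named ``_$$RECOVERY_README$$_.html`` and three Atlassian Confluence
folders.  The sample tree scanned in ``build_sample_tree`` is constructed
here for the demo and is not real victim data.
"""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "_$$RECOVERY_README$$_.html"
ENCRYPTED_SUFFIX = ".locked"

# Confluence folders the published sample targets.  They are stored
# relative to the scan root (drive letter dropped) so the same logic runs
# against a Windows drive root or against a temporary directory.
CONFLUENCE_TARGET_DIRS = (
    Path("Program Files/Atlassian/Application Data"),
    Path("Program Files/Atlassian/Application Data/Confluence"),
    Path("Program Files/Atlassian/Application Data/Confluence/backups"),
)


def scan_for_cerber_indicators(root):
    """Walk ``root`` and return the indicators found.

    Returns a dict of path lists relative to ``root``: ``encrypted`` (files
    carrying the .locked suffix), ``notes`` (ransom notes) and ``hit_dirs``
    (the target Confluence folders that directly contain either kind).
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root)
            if name == RANSOM_NOTE:
                notes.append(rel)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
    hits = encrypted + notes
    hit_dirs = [d for d in CONFLUENCE_TARGET_DIRS
                if any(p.parent == d for p in hits)]
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "hit_dirs": hit_dirs,
    }


def build_sample_tree():
    """Create a constructed tree mimicking a hit Confluence server plus one
    clean directory, and return its root (a fresh temporary directory)."""
    root = Path(tempfile.mkdtemp(prefix="cerber_demo_"))
    backups = root / CONFLUENCE_TARGET_DIRS[2]
    backups.mkdir(parents=True)
    # An "encrypted" backup and the ransom note dropped beside it.
    (backups / "backup-2021-12-01.zip.locked").write_bytes(b"\x00" * 16)
    (backups / RANSOM_NOTE).write_text("<html>constructed ransom note</html>")
    # An untouched directory, so the scan has something to ignore.
    (root / "var" / "log").mkdir(parents=True)
    (root / "var" / "log" / "syslog").write_text("clean file\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    findings = scan_for_cerber_indicators(demo_root)
    for kind in ("encrypted", "notes", "hit_dirs"):
        print(f"{kind}:")
        for item in findings[kind]:
            print(f"  {item}")
```

Matching on the note name and suffix is deliberately exact rather than fuzzy, so the scan produces no noise on a clean host; a file named ".locked" by some unrelated application would need a second look, but that is a manual triage step rather than something the scanner should guess at.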
According to a report published this week by Tencent researchers, attacks using the new Cerber ransomware mainly target the United States, Germany, and China. Although the previous version of Cerber claimed to exclude targets in the Commonwealth of Independent States (CIS), Tencent's telemetry from recent attacks indicates otherwise: multiple victims have also been reported in Russia, showing that these threat actors are not selective about whom they target.
Applying the latest security patches for Atlassian Confluence and GitLab is the best defence against Cerber at this time. Patching alone does not evict an intruder who is already on the server, so any instance that was exposed before it was patched should also be checked for the encrypted files and ransom notes described above. As more servers are patched, expect the threat actors to turn their attention to other vulnerabilities.