It steals files from three different Bitcoin applications. In addition, Cerber now also targets the Bitcoin wallet passwords stored in the browsers Internet Explorer, Chrome, and Firefox. Only then does the ransomware start to encrypt files.
Trend Micro warns of a new variant of the Cerber ransomware. It is no longer content merely to encrypt files and extort a ransom for their release. The people behind it are now also after their victims' Bitcoin wallets.
The files “wallet.dat” (Bitcoin Core), “*.wallet” (MultiBit) and “electrum.dat” (Electrum) are transferred to a command server on the Internet. Since the theft of these files alone is not sufficient for access to a Bitcoin wallet, the attackers also need the associated user names and passwords. They hope to find these in the browsers Internet Explorer, Google Chrome or Mozilla Firefox. Additionally, Cerber deletes the wallet files as soon as they have been transferred to the attackers' servers.
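The read-then-delete sequence described above can be expressed as a simple detection rule over file-audit events. This is an added example, not code from Trend Micro or the original article; the event tuple format, the allowlisted process names and the sample events are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Wallet file-name patterns named in the article.
WALLET_PATTERNS = ("wallet.dat", "*.wallet", "electrum.dat")

# Assumption: processes that legitimately touch wallet files on this host.
EXPECTED_PROCESSES = {"bitcoin-qt.exe", "multibit.exe", "electrum.exe"}

# Constructed sample events: (seconds, process, operation, path).
SAMPLE_EVENTS = [
    (100, "bitcoin-qt.exe", "read", r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    (200, "invoice_viewer.exe", "read", r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    (205, "invoice_viewer.exe", "read", r"C:\Users\alice\Documents\savings.wallet"),
    (230, "invoice_viewer.exe", "delete", r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    (231, "invoice_viewer.exe", "delete", r"C:\Users\alice\Documents\savings.wallet"),
    (240, "backup.exe", "read", r"C:\Users\alice\Documents\savings.wallet"),
    (900, "cleanup.exe", "delete", r"C:\Users\alice\Documents\notes.txt"),
]

def is_wallet_file(path):
    """True if the file name (case-insensitive) matches a wallet pattern."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatchcase(name, pattern) for pattern in WALLET_PATTERNS)

def find_read_then_delete(events, window=300):
    """Flag unexpected processes that read a wallet file and delete the
    same file within `window` seconds. Returns (process, path, gap) tuples."""
    last_read = {}
    hits = []
    for ts, proc, op, path in sorted(events):
        if proc.lower() in EXPECTED_PROCESSES or not is_wallet_file(path):
            continue
        key = (proc.lower(), path.lower())
        if op == "read":
            last_read[key] = ts
        elif op == "delete" and key in last_read:
            gap = ts - last_read[key]
            if gap <= window:
                hits.append((proc, path, gap))
    return hits

if __name__ == "__main__":
    for proc, path, gap in find_read_then_delete(SAMPLE_EVENTS):
        print(f"ALERT {proc} read and deleted {path} within {gap}s")
```

A read of a wallet file by an unexpected process is worth reviewing on its own; pairing it with the deletion narrows the rule to the behaviour reported for this variant.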
“The new feature shows that the attackers are testing new ways to monetize Ransomware,” says Trend Micro’s blog. “The theft of Bitcoins from attacked users would be a source of possible revenue.”
Trend Micro also points out that at least the attacks on the Electrum wallet are likely to have little success. The app has not used the file name “electrum.dat” since 2013.
Cerber has been in circulation since at least the beginning of 2016. At the time, it was the first “talking” ransomware: it presented its ransom demand by voice rather than as an image. Initially, Cerber was spread through malvertising campaigns.