Cerber Ransomware Mutation Steals Bitcoin Wallets And Browser Passwords

Cyber crooks have found a new way to ruin a person's day with ransomware. Traditionally, most ransomware encrypts a victim's storage device and then demands a ransom in order to unlock the files. Some of the nastier versions put a time limit on receiving payment before the ransomware starts permanently deleting files. Now there is a version making the rounds that not only encrypts a victim's files but steals Bitcoin wallets as well.

The new variant of the Cerber ransomware takes a dual approach to extracting funds from a victim. It searches for one of three Bitcoin wallet applications, those being Bitcoin Core, Electrum, and MultiBit. If it finds one, the ransomware sends the wallet to the culprit's command and control servers and then deletes it from the victim's PC. On top of that, it tries to steal saved passwords from Internet Explorer, Chrome, and Firefox.

On the bright side, stealing a Bitcoin wallet does not necessarily mean the funds inside will be depleted. The attacker will still need to figure out the password in order to access the digital currency. However, if they somehow manage to guess the password or otherwise extract that information, they can empty the wallet. All of this takes place before any encryption is carried out.
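The wallet-theft sequence described above (read the wallet file, send it out, delete it) is what an endpoint detection rule can key on. The following is an added example, not code from the article or from Trend Micro; the event format, the default wallet file locations and the wallet-application process names are assumptions to adjust for your own telemetry.

```python
# Added detection sketch (not the article's or Trend Micro's code). Event format,
# wallet paths and wallet-app process names are assumptions for illustration.
import fnmatch
from collections import defaultdict

# Default Windows wallet locations (assumed; adjust to your environment).
WALLET_PATTERNS = [
    r"*\appdata\roaming\bitcoin\wallet.dat",   # Bitcoin Core
    r"*\appdata\roaming\electrum\wallets\*",   # Electrum
    r"*\appdata\roaming\multibit\*.wallet",    # MultiBit
]
# Processes allowed to touch their own wallet files (assumed image names).
WALLET_APPS = {"bitcoin-qt.exe", "electrum.exe", "multibit.exe"}

def is_wallet_path(path):
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat) for pat in WALLET_PATTERNS)

def detect_wallet_theft(events):
    """events: Sysmon-like dicts with pid, image, event and (optionally) path.
    Returns one alert per wallet a non-wallet process read and then deleted;
    an outbound connection in between raises the severity."""
    pending = defaultdict(dict)   # pid -> {wallet path -> {"net": bool}}
    alerts = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in WALLET_APPS:
            continue                  # the wallet app managing its own file
        pid, kind, path = ev["pid"], ev["event"], ev.get("path", "").lower()
        if kind == "file_read" and is_wallet_path(path):
            pending[pid][path] = {"net": False}
        elif kind == "net_connect":
            for rec in pending[pid].values():
                rec["net"] = True     # wallet read, then outbound traffic
        elif kind == "file_delete" and path in pending[pid]:
            rec = pending[pid].pop(path)
            alerts.append({"pid": pid, "image": image, "wallet": path,
                           "severity": "high" if rec["net"] else "medium"})
    return alerts

# Constructed sample telemetry (not real logs): one legitimate wallet-app read, then an unknown binary reading, beaconing and deleting two wallets.
R, T = r"C:\Users\alice\AppData\Roaming", r"C:\Users\alice\AppData\Local\Temp\svc.exe"
SAMPLE_EVENTS = [
    {"pid": 10, "image": r"C:\Program Files\Bitcoin\bitcoin-qt.exe", "event": "file_read", "path": R + r"\Bitcoin\wallet.dat"},
    {"pid": 42, "image": T, "event": "file_read", "path": R + r"\Bitcoin\wallet.dat"},
    {"pid": 42, "image": T, "event": "net_connect"},
    {"pid": 42, "image": T, "event": "file_delete", "path": R + r"\Bitcoin\wallet.dat"},
    {"pid": 42, "image": T, "event": "file_read", "path": R + r"\Electrum\wallets\default_wallet"},
    {"pid": 42, "image": T, "event": "file_delete", "path": R + r"\Electrum\wallets\default_wallet"},
]
```

Running `detect_wallet_theft(SAMPLE_EVENTS)` yields two alerts for pid 42: a high-severity one for the Bitcoin Core wallet (outbound connection between read and delete) and a medium-severity one for the Electrum wallet, while the wallet application's own read is ignored.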

"This new feature shows that attackers are trying out new ways to monetize ransomware. Stealing the Bitcoins of targeted users would represent a valuable source of potential income," security outfit Trend Micro notes.

All that said, the way Cerber infects a system still has not changed, and that means safe computing habits are still the best defense. That includes not opening attachments in email from unverified sources and not clicking on hyperlinks in email and chat. Trend Micro also recommends that system administrators consider email policies that strip out attachments entirely from external and/or unverified email accounts.

Ransomware will continue to be a major threat for the foreseeable future. Some of the newer variants are even able to spread to systems within a network in a worm-like fashion. In this case, Cerber had already gone through half a dozen upgrades as of last May, with new versions bringing about differences in its routine.

One thing that many ransomware variants have in common is the demand for payment in Bitcoin or other types of cryptocurrency. The anonymous nature of digital coin transactions makes them extremely difficult to track.