Cerber Ransomware Mutates To Steal Bitcoin Wallets

Trend Micro discovered a new variant of the Cerber ransomware designed to steal Bitcoin wallets from its victims. The attackers won't necessarily be able to empty those wallets, at least as long as they're protected by strong passwords.

Cerber has been around for a while. It was discovered in March 2016, and Trend Micro said in May that it had already gone through six different versions since it was revealed to the public. This new version of the ransomware seems to work just like its predecessors: A malicious file is attached to an email, an unwitting victim is tricked into downloading that file, and then Cerber is able to steal and encrypt the victim's data.

The difference, according to Trend Micro, is Cerber's target. Previous versions of the ransomware encrypted information so it could be held for ransom, which was often paid in Bitcoin, largely because it can be harder to trace than other forms of payment. This new version cuts out the middleman by stealing the wallet files used by Bitcoin Core, Multibit, and outdated versions of Electrum. And that's not all. Trend Micro said:

"This isn’t the only information stolen by this new Cerber variant. It also tries to steal the saved passwords from Internet Explorer, Google Chrome, and Mozilla Firefox. Note that this information theft takes place before any encryption is carried out. Saved passwords and any Bitcoin wallet information found are sent to the attackers via the command-and-control servers. It also deletes the wallet files once they have been sent to the servers, adding to the injury of the victims."

Cerber still encrypts information on target devices, too, which means its operators can still hold that data for ransom. Now, though, they can also empty Bitcoin wallets directly, provided they're able to learn the password used to secure them. Grabbing passwords saved by Internet Explorer, Chrome, and Firefox could make that task easier, given how likely people are to repeat passwords or at least stick to a common "formula."

This new version of Cerber is timed well. Interest in cryptocurrencies like Bitcoin has been rising—which is why graphics cards have gotten so expensive—and newcomers might not properly defend their wallets. Cerber's also riding on the coattails of other ransomware (or at least "ransomware") campaigns, and all the fear, uncertainty, and doubt surrounding the threat could make people more willing to pay the ransom.

All of that is the bad news. The good news is that Cerber spreads the same way it did before, so if you avoid downloading attachments from suspicious emails, you should be in the clear. Following best practices like using unique passwords and a password manager instead of a browser's built-in password features will also help make sure your Bitcoin wallet can't be cleared out even if the files are stolen.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • bit_user
    Please don't use the term "mutate" to describe computer viruses. This is technically inaccurate, and just fosters misunderstanding of viruses and malware among the public.

    Mutation implies evolution and some degree of autonomy. So far, all known computer viruses (at least those which pose any real threat) are specifically designed (by criminals) to carry out a set of predetermined tasks and activities.