Ransomware variants continue to emerge as security vendors attempt to keep pace with developments.


During the Thanksgiving holiday, Cerber and Locky, the two most popular ransomware families, simultaneously released new variants into the wild. The new versions make slight, yet very interesting, changes that may affect the way they are detected.

CERBER 5.0 Uses New IP Ranges — The actors behind Cerber, like other actors in the ransomware industry, innovate on a daily basis. Only yesterday (November 23rd, 2016) a new version of Cerber (4.1.6) was released; however, no prominent changes were noticeable in it. Less than 24 hours later, Cerber released the new version, 5.0, which is described in this article.

LOCKY — The ever-changing Locky ransomware has just released a new variant which implements new evasion techniques and an adjusted ransom tariff. Locky is known for being downloaded as a DLL file by a JavaScript-based downloader. Although the new variant acts just the same, the JavaScript downloader now pulls a disguised .TDB file which turns out to be a PE file. Locky's threat actor probably wishes to evade security products that have signatures for the already known infection chain.
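
A defender-side check for the extension disguise described in the Locky paragraph, as an added example that is not part of the original article: it identifies a PE image by its header rather than by its file name. The function names, the extension list and the sample bytes are constructed for illustration, and the check assumes the downloaded file is stored as a plain, unencoded PE image.

```python
import os
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL
# Assumed list of extensions under which a PE image is expected.
EXPECTED_PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def parse_pe_header(data: bytes):
    """Return COFF header facts if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The PE signature (4 bytes) and COFF header (20 bytes) must fit.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, sections, _, _, _, _, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": sections,
            "is_dll": bool(flags & IMAGE_FILE_DLL)}


def classify_download(filename: str, data: bytes) -> str:
    """Classify by content; flag PE images stored under a non-PE extension."""
    info = parse_pe_header(data)
    if info is None:
        return "not-pe"
    if os.path.splitext(filename)[1].lower() in EXPECTED_PE_EXTENSIONS:
        return "pe"
    return "disguised-dll" if info["is_dll"] else "disguised-exe"


def constructed_pe(flags: int) -> bytes:
    """Constructed sample: minimal DOS stub, PE signature and COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the stub
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, flags)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    samples = [("a1.tdb", constructed_pe(0x2102)),   # DLL under a .TDB name
               ("setup.exe", constructed_pe(0x0102)),
               ("notes.tdb", b"plain text, not an executable" * 4)]
    for name, blob in samples:
        print(name, classify_download(name, blob))
```
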