<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="https://info.threatstop.com/hubfs/skully%20file.png" alt="Malware encrypted file" style="width: 455px; display: block; margin-left: auto; margin-right: auto;" title="Malware encrypted file" caption="false" data-constrained="true" width="455">It's not unusual for brands to occasionally have to re-envision themselves. Apparently this applies to legitimate and illicit brands equally.</p> <!--more--> <p>Recent campaigns have revealed that the developers of the Cerber Ransomware have made the daring move to remove superfluous vowels from their name, rebranding the ransomware as CRBR.</p> <p>Even bolder is that this fashion makeover has had zero actual impact on their product. The source code is still the same (minus the letter 'e'). It's still the same ransomware, just in a slightly more chintzy package.</p> <p>It is <a href="https://zerophagemalware.com/2017/06/28/magnitude-ek-drops-cbrb-cerber-ransomware/">being distributed</a> by the <a href="/magnitude-ek-whats-shakin" target="_blank">Magnitude Exploit Kit</a>, and through emails that <a href="https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/">pretend to be from Microsoft's account security team</a>. These fake emails claim that the target's account had a suspicious sign-in and direct the recipient to an attached zip file for "further instructions."
This file then executes JavaScript to download and run the ransomware and encrypt the victim's computer.</p> <p>Like the original Cerber, files encrypted by <strong>CRBR</strong> will have their file names and extensions scrambled beyond readability.</p> <p>Payment for decryption currently stands at 0.5 Bitcoin (~$1300), which increases to 1 Bitcoin (~$2600) after 5 days.</p> <p>Unfortunately, <strong>Cerber</strong>/<strong>CRBR</strong> <strong>Encryptor</strong> still uses an encryption method that cannot be readily broken. For now, computers infected with the ransomware cannot be decrypted for free; paying the ransom is the only recourse.</p> <p>To add protection against<span>&nbsp;<strong>Cerber/CRBR Encryptor</strong></span>, we recommend enabling the following targets:</p> <ul> <li>Standard mode <ul> <li>TS Curated - Ransomware - IPs</li> <li>TS Curated - Ransomware - Domains</li> </ul> </li> <li>Expert mode&nbsp;<span>(included in the curated targets for standard mode)</span> <ul> <li>TS Originated - Ransomware - IPs&nbsp;</li> <li>TS Originated - Ransomware - Domains&nbsp;</li> </ul> </li> </ul> <p>If you do not have a ThreatSTOP account,&nbsp;<span>&nbsp;</span>to try a demo.</p> <p>If you do have a ThreatSTOP account, instructions to add targets to<span>&nbsp;</span><a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy" target="_blank">DNS</a><span>&nbsp;</span>or<span>&nbsp;</span><a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall" target="_blank">IP</a><span>&nbsp;</span>Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our&nbsp;<span>&nbsp;</span>team.</p></span>
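<p>The email delivery path described above (a zip attachment whose contents run JavaScript) can also be screened at the mail gateway. The following is an added example, not ThreatSTOP code or part of the original post: it flags any zip attachment that contains a script file. The extension list, the function names and the sample message are assumptions constructed for illustration.</p>

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions treated as JavaScript files for this check.
SCRIPT_EXTS = (".js", ".jse")


def build_sample_email(member_name: str = "instructions.js") -> bytes:
    """Constructed sample: a fake sign-in notice carrying a zip with one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// constructed placeholder, no real content\n")
    msg = EmailMessage()
    msg["From"] = "account-security@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Unusual sign-in activity"
    msg.set_content("See the attached file for further instructions.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="details.zip")
    return msg.as_bytes()


def script_members(raw_email: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, member name) for each script inside a zip attachment."""
    hits = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        label = part.get_filename() or "<unnamed>"
        # Sniff the content instead of trusting the declared MIME type or file name.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Member names are readable even when the archive is password protected.
                for name in zf.namelist():
                    if name.lower().endswith(SCRIPT_EXTS):
                        hits.append((label, name))
        except zipfile.BadZipFile:
            # A damaged archive cannot be inspected, so surface it for review.
            hits.append((label, "<unreadable archive>"))
    return hits


if __name__ == "__main__":
    for attachment, member in script_members(build_sample_email()):
        print(f"quarantine: {attachment} contains script {member}")
```

<p>The check covers only archives attached directly to the message; zip files nested inside other archives are not unpacked.</p>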