Cerber Ransomware Aims to Steal Bitcoin Wallet Information

Existing ransomware strains often see their fair share of updates along the way. Some developers would rather keep their existing creations alive rather than develop a new project from scratch. Cerber is currently one of the best-known types of ransomware and is more than capable of causing havoc. It now appears that its updated version can steal Bitcoin wallet data as well as passwords stored in the browser.

Cerber Updates Cause More Problems for Computer Users

As if ransomware itself was not troublesome enough to deal with, the Cerber developers have decided to take things to a whole new level. Their malware can now collect and steal data from infected computers alongside its traditional file encryption features. Further investigation revealed that Cerber is after browser passwords and Bitcoin wallet data, a rather strange tactic. Emptying a victim’s Bitcoin wallet while still demanding a BTC payment for the ransomware would seem to work against itself.

The fact that ransomware is capable of stealing information from the computer files it encrypts is not surprising. These malware tools already read the contents of every file they encrypt, so keeping a copy of anything relevant makes a lot of sense for the attacker. However, it is rather uncommon to see this type of malware going after passwords stored in browsers. Cerber can obtain saved passwords from Internet Explorer, Google Chrome, and Mozilla Firefox alike. A lot of people will not be too pleased with this development.

Furthermore, the new Cerber update ensures that the ransomware will search for data files related to three major Bitcoin wallet applications. This includes data stored by the Bitcoin Core wallet, as well as Multibit and Electrum. Anyone using any of these three wallets on their computer may want to ensure they have a copy of their wallet information at all times. It may be safer to move coins to hardware wallets altogether, as they remain impervious to ransomware attacks for the time being.

Not all of the files of interest to Cerber actually store passwords for the associated Bitcoin wallets. In fact, Electrum has not used an electrum.dat file to store wallet information since 2013. It appears Cerber has made a halfhearted attempt to take advantage of novice Bitcoin users who may be running much older installations of wallet software. It is also certainly possible that the ransomware developers simply copied these features from another tool designed to steal Bitcoin wallet data.

Most ransomware developers are constantly looking for new ways to steal even more money. Since the majority of victims will never pay the ransom demand in the first place, stealing login credentials and Bitcoin wallet information may be a viable option — assuming the code implemented actually makes sense.

Cerber is not the first malware to make use of infostealer features. This trend dates back all the way to April of 2015, and multiple versions of popular ransomware have tried to obtain information over the years. CryptXXX was the first to implement Bitcoin wallet stealing features, although it is still unknown whether or not those efforts were successful in the end. This development provides just another example of why Bitcoin users should be well aware of the risks out there and take the necessary precautions. Hardware wallets are a secure storage option which may be worth exploring.