Here’s a new reason to fear ransomware more than ever before: a new variant of Cerber has been modified to steal Bitcoin wallets and passwords before encrypting victims’ files and demanding ransom.

Two ways to profit off of one infection

The new and improved Cerber searches for wallet files of three Bitcoin wallet applications (Bitcoin Core, Electrum, and Multibit wallets), sends them to the attackers’ C&C, and finally deletes them from the victim’s machine.

It also tries to steal the saved passwords from Internet Explorer, Google Chrome, and Mozilla Firefox.

Trend Micro researchers noted that the theft of the wallets does not mean for sure that the Bitcoins in them will be stolen, as the attacker would still have to know the password for accessing them. Still, they might find a way to guess it or steal it, while victims are dealing with getting their computer and files back.

Monetizing Cerber

Cerber is a piece of ransomware that has “earned” criminals huge amounts of money, but apparently that’s not nearly enough.

“This new feature shows that attackers are trying out new ways to monetize ransomware. Stealing the Bitcoins of targeted users would represent a valuable source of potential income,” the researchers noted.

The only thing that hasn’t changed is the infection method: Cerber is still delivered via email, i.e. it is downloaded by the Nemucod downloader Trojan attached in fake emails (see screenshot above).

Not opening attachments in emails from external or unverified sources is a good way to lower the risk of getting infected with this and other malware.