Cerber ransomware has received a disturbing new variant that allows it to go after bitcoin. Security analysts from Trend Micro reported that the malware has historically been a rapidly mutating strain, having gone through six different versions since it has been on the radar.

According to a recent Malwarebytes report, “Cybercrime Tactics and Techniques Q1 2017,” Cerber ransomware already accounts for nearly 90 percent of the Windows sector. The latest variant adds a different type of attack to the standard ransomware functions it contains, for which there is no decryptor available. It now attempts to steal information about cryptocurrency wallets that may be present on the target machines.

Cerber Ransomware Steals Wallet Files

Cerber attempts to grab three different kinds of files: wallet.dat, which is used for bitcoin; *.wallet, used for Multibit; and electrum.dat, an obsolete wallet used by Electrum. However, the threat actor will not be able to breach the wallets by snaffling the files alone — he or she must also obtain the passwords that protect them. Since Cerber is not able to obtain such passwords, the actor must gain access through other forms of attack.

Bleeping Computer noted that because of this password limitation, the Cerber crew might have just copy/pasted the wallet-stealing code from another project without actually knowing how well it works in practice.

This Cerber variant will, however, delete the wallet information once it has been exfiltrated to the ransomware’s command-and-control (C&C) server. Trend Micro researchers believed that this new attempt is simple at its core, saying that the “attackers are trying out new ways to monetize ransomware.”

Password Theft

The new Cerber variant doesn’t stop there in its malicious activities. It also tries to steal users’ saved passwords from Internet Explorer, Google Chrome and Mozilla Firefox. Such information could be useful in hijacking online user accounts. The researchers noted that this theft will take place before any encryption is carried out by the ransomware.

Mitigation against this data breach remains the same as for other ransomware variants. Since it spreads through attachments to emails, opening unknown attachments should be heavily discouraged. Trend Micro also suggested that system administrators consider proactive email policies that will strip out such attachments from incoming emails.