There is a new strain of ransomware called Cerber that takes creepiness to the next level.
It drops three files on the victim’s desktop named “# DECRYPT MY FILES #.” These files contain instructions about the ransom amount and how to pay it. One of the files is your standard TXT format, one is HTML and the third is plain weird. It contains a Visual Basic Script, which contains text-to-speech code that converts text into an audio message.
“When the above script is executed, your computer will speak a message stating that your computer’s files were encrypted and will repeat itself numerous times,” Larry Abrams from BleepingComputer said in a blog post. They have a sample in that post you can listen to.
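For responders, the note names described above make a simple host indicator. The following is an added example, not code from the BleepingComputer post or from any vendor tool: it walks a directory tree and reports folders that hold files named “# DECRYPT MY FILES #”. The file extensions and the confidence levels are assumptions.

```python
import os

# Base name of the ransom notes as reported on the page.
NOTE_STEM = "# DECRYPT MY FILES #"
# Assumption: the TXT, HTML and VBScript notes use these file extensions.
NOTE_EXTS = {".txt": "text", ".html": "html", ".htm": "html", ".vbs": "vbscript"}


def find_ransom_notes(root):
    """Walk root and return {directory: set of note formats found in it}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            fmt = NOTE_EXTS.get(ext.lower())
            # Case-insensitive match, since Windows file names are.
            if fmt and stem.strip().casefold() == NOTE_STEM.casefold():
                hits.setdefault(dirpath, set()).add(fmt)
    return hits


def triage(root):
    """Return sorted (directory, confidence, formats) tuples for a scan root.

    All three formats in one directory matches the reported behaviour (high);
    a partial set is a weaker match (medium or low).
    """
    levels = {3: "high", 2: "medium", 1: "low"}
    return sorted(
        (path, levels[len(fmts)], sorted(fmts))
        for path, fmts in find_ransom_notes(root).items()
    )


if __name__ == "__main__":
    import sys
    # Scan root defaults to the current user's profile directory.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, confidence, fmts in triage(root):
        print(f"[{confidence}] {path}: {', '.join(fmts)}")
```

Run it against a user profile or a mounted disk image; a "high" result means the TXT, HTML and VBScript notes all sit in the same folder.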
Cerber’s criminal developers are selling the tool as Ransomware-as-a-Service (RaaS) so that practically anyone can use it without any coding experience. It is easy to find out where this new strain originated. When first run, Cerber will check to see if the victim is from a particular country. If the computer appears to be from any of the following countries, it will terminate itself and not encrypt the computer: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan.
Yup, that was easy. Another Eastern European cyber gang with another strain.