Trend Micro researchers spotted several exploit kits delivering Cerber 4.0 ransomware just a month after the release of version 3.

The upgraded malware includes a shift in the ransom note's formation from html to .hta and the authors are now generating a random string as the new file extension for each infection, according to an Oct. 12 blog post.

Researchers also spotted three malvertising campaigns and a compromised site delivering the ransomware.

The campaigns included a continuously changing campaign named PseudoDarkleech which mostly delivers ransomware through compromised sites, a campaign that employs the Magnitude exploit kit and targets countries in Asia, a campaign which typically employs a casino-themed fake advertisement, and a campaign that distributs malware in the US, Germany, Spain, Taiwan and Korea.

Researchers recommend users keep three copies of their data, two on two separate devices and one stored in a secure location to mitigate tactics.