Cerber Accounts for a Quarter of Recent Ransomware Detections

Accounting for a quarter of all ransomware detections over the past 30 days, Cerber is strengthening its position at the top of the threat segment, data released by Microsoft this week reveals.

Because Cerber has become such a prevalent malware family, Microsoft has decided to include it in the July release of its Microsoft Malicious Software Removal Tool (MSRT), which complements the Cerber-specific family detections in Windows Defender and cloud-based protection features.

Cerber was observed in February and was first described in early March, when it stood out in the crowd because it dropped a VBScript onto the infected computers and caused them to “speak” to the victims. In May, researchers suggested that Cerber was leveraged in DDoS attacks, while revealing in early June that its operators were generating a new hash for it every 15 seconds.

Over the past couple of months, the ransomware was seen in numerous attacks, including distribution campaigns targeting mainly users in the United States, Turkey, and the United Kingdom. At the end of June, security firm Avanan revealed that Cerber was used in a massive attack against Office 365 customers, suggesting that millions of users might have been affected.

Now, Microsoft says that since February, Cerber has indeed undergone numerous changes that allowed it to leave the competition behind and become one of the most frequently encountered ransomware families. Over the past 30 days, Cerber accounted for 25.97% of ransomware detections, almost the same share as the next two threats combined: Exxroute at 15.39% and Locky at 12.80%.

According to Microsoft, the threat is most prevalent in the United States, Asia, and Western Europe, but infections occur all around the globe. The company also explains that Cerber managed to spread to such an extent mainly because it uses multiple distribution venues, including exploit kits, compromised websites, and spam emails.

The ransomware is distributed via malicious documents attached to spam emails that rely on both macros and embedded OLE objects, while Visual Basic Script (VBS) and JavaScript downloaders are also used to fetch the Cerber payload from a command and control (C&C) server. As for exploit kits, Cerber was seen distributed via Neutrino, Angler, and Magnitude, although Angler ceased to be a threat last month, when the EK landscape changed dramatically.
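Because the lure documents described above carry either a VBA macro project or an embedded OLE object, a mail gateway or sandbox can triage Office attachments before a user ever opens them. The following is an added example, not code from the original article or from Microsoft: it inspects an OOXML container (docx/xlsx/pptx, which is a ZIP archive) for a `vbaProject.bin` part, a macro-enabled content type, and parts under `embeddings/`. The sample documents are constructed in memory for the demonstration and are not real Cerber lures; the part names and content-type strings are the standard OOXML ones.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Standard OOXML content types that mark a macro-enabled document (docm/xlsm/pptm).
MACRO_ENABLED_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)


@dataclass
class Triage:
    """Result of a static look at one attachment."""
    is_ooxml: bool = False
    macro_enabled: bool = False
    vba_parts: List[str] = field(default_factory=list)   # VBA project parts found
    ole_parts: List[str] = field(default_factory=list)   # embedded OLE objects found

    @property
    def verdict(self) -> str:
        # A VBA part wins even if the content type claims a plain .docx,
        # because the macro payload is what an analyst needs to look at first.
        if self.vba_parts or self.macro_enabled:
            return "macro"
        if self.ole_parts:
            return "ole"
        return "clean" if self.is_ooxml else "not-ooxml"


def inspect_ooxml(data: bytes) -> Triage:
    """Flag VBA macro projects and embedded OLE objects in an OOXML attachment."""
    result = Triage()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result                      # legacy .doc (OLE2) or junk; not handled here
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result                      # a ZIP, but not an OOXML package
    result.is_ooxml = True
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result.macro_enabled = any(t in ctypes for t in MACRO_ENABLED_TYPES)
    for name in names:
        low = name.lower()
        if low.endswith("vbaproject.bin"):
            result.vba_parts.append(name)
        elif "/embeddings/" in low:
            # Anything here is an embedded object; a Packager object wrapping a
            # .js/.vbs dropper lives in an OLE2 stream, which needs an OLE parser
            # (e.g. oletools) to unpack. Surfacing the part is enough for triage.
            result.ole_parts.append(name)
    return result


def build_sample(parts: Dict[str, bytes]) -> bytes:
    """Build a minimal constructed OOXML container in memory (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_CT_HEAD = b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
CLEAN_CT = _CT_HEAD + b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
MACRO_CT = _CT_HEAD + b'<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>'
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24   # compound-file header stub

# Constructed fixtures: a clean document, a macro-enabled one, and one with an embedded object.
SAMPLE_CLEAN = build_sample({"[Content_Types].xml": CLEAN_CT, "word/document.xml": b"<w:document/>"})
SAMPLE_MACRO = build_sample({"[Content_Types].xml": MACRO_CT, "word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": OLE2_MAGIC})
SAMPLE_OLE = build_sample({"[Content_Types].xml": CLEAN_CT, "word/document.xml": b"<w:document/>",
                           "word/embeddings/oleObject1.bin": OLE2_MAGIC})

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("macro", SAMPLE_MACRO), ("ole", SAMPLE_OLE)):
        t = inspect_ooxml(blob)
        print(f"{label:6s} -> verdict={t.verdict} vba={t.vba_parts} ole={t.ole_parts}")
```

The check is deliberately conservative: it names parts rather than judging them, so the "macro" and "ole" verdicts are a queue for sandbox detonation or an analyst, not a block decision on their own. A `.docx` that carries a `vbaProject.bin` without the macro-enabled content type still gets the "macro" verdict, since a mislabelled package is itself a common trick.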

Cerber is only one of several ransomware families that have become prevalent threats over the past months; CryptXXX is another, recently spotted in a campaign that compromised thousands of WordPress and Joomla sites. Last month, researchers discovered that CryptXXX operators had made $50,000 in under three weeks from a single Bitcoin address alone.
