Accounting for a quarter of all ransomware detections over the past 30 days, Cerber is strengthening its position at the top of the threat segment, data released by Microsoft this week reveals.
Because Cerber has become such a prevalent malware family, Microsoft has decided to include it in the July release of its Microsoft Malicious Software Removal Tool (MSRT), which complements the Cerber-specific family detections in Windows Defender and cloud-based protection features.
Cerber was observed in February and was first described in early March, when it stood out in the crowd because it dropped a VBScript onto the infected computers and caused them to “speak” to the victims. In May, researchers suggested that Cerber was leveraged in DDoS attacks, while revealing in early June that its operators were generating a new hash for it every 15 seconds.
Over the past couple of months, the ransomware was seen in numerous attacks, including distribution campaigns targeting mainly users in the United States, Turkey, and the United Kingdom. At the end of June, security firm Avanan revealed that Cerber was used in a massive attack against Office 365 customers, suggesting that millions of users might have been affected.
Now, Microsoft says that since February, Cerber has indeed seen numerous changes that allowed it to leave competition behind and become one of the most encountered ransomware families. Over the past 30 days, Cerber accounted for 25.97% of ransomware detections, almost the same percentage as the next two threats combined: Exxroute at 15.39% and Locky at 12.80%.
According to Microsoft, the threat is most prevalent in the United States, Asia, and Western Europe, but infections occur all around the globe. The company also explains that Cerber managed to spread to such an extent mainly because it uses multiple distribution venues, including exploit kits, compromised websites, and spam emails.
The ransomware uses both macros and OLE objects for distribution via malicious documents in spam emails, but Visual Basic Script (VBS) and JavaScript are also used to download the Cerber payload from a command and control (C&C) server. As for exploit kits, Cerber was seen distributed via Neutrino, Angler, and Magnitude, but Angler has not been a threat since last month, when the EK landscape changed dramatically.
Cerber is only one of the ransomware families that have become a prevalent threat over the past months, with CryptXXX being another, recently spotted in a campaign that compromised thousands of WordPress and Joomla sites. Last month, researchers discovered that CryptXXX operators made $50,000 in under three weeks from a single Bitcoin address alone.
