Cerber, one of the most active malware families over the past year, has increased its share of the ransomware market to 87% in the first quarter of 2017, Malwarebytes Labs reports.
The threat accounted for 70% of the ransomware market in January, but increased its presence in February and March, amid a major decrease in Locky attacks, from 12% in January to less than 2% in March, Malwarebytes’ Cybercrime tactics and techniques Q1 2017 report (PDF) reads.
While Locky has been fading away, new ransomware families such as Spora and Sage have managed to grab some market share. Cerber dominates all other threats in its category at the moment, and its market domination is on par with that of the now defunct TeslaCrypt during its most popular timeframe (the first half of 2016).
Over the past several months, Cerber’s operators used a broad range of available distribution methods, ranging from exploit kits to the recently patched Apache Struts 2 vulnerability. The Kovter click-fraud Trojan was observed dropping Cerber earlier this year, after Betabot was dropping it in September 2016.
Cerber’s authors were also focused on improving their creation with the addition of machine learning evasion capabilities, and with improved anti-sandboxing functionality. Recently, Cyphort researchers noticed that Cerber was leveraging process hollowing for infection, where a suspended process is created and the ransomware’s code is injected in it.
“Just like TeslaCrypt, Cerber has risen to the top of the ransomware market, leaving all competitors in its dust. Again, like TeslaCrypt, Cerber can just as easily become yesterday’s news. However, there are a few factors at play with Cerber that could make its future different than that of families like TeslaCrypt and Locky,” Malwarebytes Labs notes.
Cerber is available as a Ransomware as a Service (RaaS), meaning that it is readily available even for cybercriminals without coding knowledge, but who can get involved in the distribution operation. What’s more, the malware features military-grade encryption, offline encrypting, and various other features that makes it attractive for miscreants.
The malware landscape has seen other changes as well during the first quarter of the year, such as the emergence of new macOS malware and backdoors, including a new ransomware dubbed FindZip. Researchers also discovered the first macro malware targeting Macs.
The RIG exploit kit continues to dominate its threat segment and is expected to do so in the future as well, mainly because there are only a few active toolkits, meaning that there is little competition it has to face.
Numerous malicious spam campaigns observed in the first quarter abused password-protected Office documents, in an attempt to evade auto analysis sandboxes, Malwarebytes also notes. Recently, the Ursnif banking Trojan was observed using such documents in multiple campaigns worldwide.