Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Cerber Dominates Ransomware Charts

Cerber, one of the most active malware families over the past year, has increased its share of the ransomware market to 87% in the first quarter of 2017, Malwarebytes Labs reports.

Cerber, one of the most active malware families over the past year, has increased its share of the ransomware market to 87% in the first quarter of 2017, Malwarebytes Labs reports.

The threat accounted for 70% of the ransomware market in January, but increased its presence in February and March, amid a major decrease in Locky attacks, from 12% in January to less than 2% in March, Malwarebytes’ Cybercrime tactics and techniques Q1 2017 report (PDF) reads.

While Locky has been fading away, new ransomware families such as Spora and Sage have managed to grab some market share. Cerber dominates all other threats in its category at the moment, and its market domination is on par with that of the now defunct TeslaCrypt during its most popular timeframe (the first half of 2016).

Over the past several months, Cerber’s operators used a broad range of available distribution methods, ranging from exploit kits to the recently patched Apache Struts 2 vulnerability. The Kovter click-fraud Trojan was observed dropping Cerber earlier this year, after Betabot was dropping it in September 2016.

Cerber’s authors were also focused on improving their creation with the addition of machine learning evasion capabilities, and with improved anti-sandboxing functionality. Recently, Cyphort researchers noticed that Cerber was leveraging process hollowing for infection, where a suspended process is created and the ransomware’s code is injected in it.

“Just like TeslaCrypt, Cerber has risen to the top of the ransomware market, leaving all competitors in its dust. Again, like TeslaCrypt, Cerber can just as easily become yesterday’s news. However, there are a few factors at play with Cerber that could make its future different than that of families like TeslaCrypt and Locky,” Malwarebytes Labs notes.

Cerber is available as a Ransomware as a Service (RaaS), meaning that it is readily available even for cybercriminals without coding knowledge, but who can get involved in the distribution operation. What’s more, the malware features military-grade encryption, offline encrypting, and various other features that makes it attractive for miscreants.

The malware landscape has seen other changes as well during the first quarter of the year, such as the emergence of new macOS malware and backdoors, including a new ransomware dubbed FindZip. Researchers also discovered the first macro malware targeting Macs.

The RIG exploit kit continues to dominate its threat segment and is expected to do so in the future as well, mainly because there are only a few active toolkits, meaning that there is little competition it has to face.

Numerous malicious spam campaigns observed in the first quarter abused password-protected Office documents, in an attempt to evade auto analysis sandboxes, Malwarebytes also notes. Recently, the Ursnif banking Trojan was observed using such documents in multiple campaigns worldwide.

Related: Researchers Dissect Potent “Locky Bart” Ransomware

Related: Spam Rises Amid Lower Exploit Kit Activity in 2016: Cisco

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.