
‘As a service’ now applies to ransomware too – and makes it more dangerous

Ransomware has become an increasingly threatening force facing users and enterprises. A recent incident involving attackers holding an Austrian hotel hostage by encrypting its cardkey-making system until a ransom is paid underscores the havoc ransomware can wreak. The so-called ransomware-as-a-service (RaaS) model, meanwhile, has made distribution even more rampant.
 
One type of ransomware that has gained notoriety through this model is Cerber. In its “Cybercrime Tactics and Techniques Q1 2017” report, Malwarebytes identified Cerber as the No. 1 ransomware by market share during the first three months. “We took a deeper look at just Q1 2017 ransomware family distribution and found Cerber started off the year with a 70 percent market share and approached 90 percent toward the end of the quarter,” the report said.
 
Several factors contributed to Cerber’s wide spread. For one, it is able to evade various advanced antivirus products. “The security vendor Trend Micro recently released its analysis of a new Cerber variant that not only attempts to evade antivirus solutions that employ machine learning, but also detects if the malware is executing within a sandbox or virtual machine,” the report said. “Basically, this version of Cerber is distributed via phishing emails. These emails include a link to a Dropbox folder to download a self-extracting archive file that has three files inside, each one individually not very dangerous, but designed to work together to execute Cerber functionality.”
 
But more importantly, Cerber’s rise has to do with its ransomware-as-a-service status, a model in which all involved in its distribution get a share of the profit, in this case the ransom paid. “Its spread is largely because the creators have made it very easy for non-technical criminals to get their hands on a customized version of the ransomware,” the report said. “Once the ransomware is purchased, options exist from other parts of the cybercrime marketplace that will distribute the malware through numerous means, ensuring the greatest amount of infection. Once infection and payment occur, the criminals who franchised the ransomware get paid, but the Cerber developers also get a cut of the ransom. You might recognize this process as being akin to an affiliate program used by advertisers.”
 
It should be noted that currently, Cerber is not decryptable. Once infected, the user may recover portions of the encrypted files before the attack, remove the ransomware and risk damaging the affected files, or just pay the ransom. That’s why prevention is important.
 
According to the web portal sophos.com, users can prevent ransomware attacks by doing the following: backing up files regularly, enabling file extensions, opening JavaScript (.js) files in Notepad, refraining from enabling macros in document attachments received via email, exercising caution when receiving unsolicited attachments, running security patches often, and staying up-to-date with new security features in one’s business applications.
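As an added illustration (not code from the article, Malwarebytes or Sophos), the Python sketch below applies three items from the list above to a mail message: it flags .js attachments, macro-enabled documents, and names such as invoice.pdf.js whose real type is hidden when file extensions are not displayed. The extension sets, function names and sample message are assumptions constructed for this example.

```python
"""Flag e-mail attachments that the prevention list above warns about."""
from email import message_from_string, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

SCRIPT_EXTS = {".js"}                      # script type named in the advice
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}   # macro-enabled Office formats (assumed list)
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}  # assumed list

def classify(filename):
    """Return the reasons an attachment name deserves caution (empty if none)."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    reasons = []
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in SCRIPT_EXTS:
        reasons.append("script file: open in a text editor, do not run")
    if last in MACRO_EXTS:
        reasons.append("macro-enabled document: keep macros disabled")
    # "invoice.pdf.js" is displayed as "invoice.pdf" when extensions are hidden
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and last not in DECOY_EXTS:
        reasons.append("double extension: real type hidden when extensions are off")
    return reasons

def triage(raw_message):
    """Map each suspicious attachment name in a raw RFC 5322 message to its reasons."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify(name)
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed sample message with harmless placeholder attachment bodies."""
    m = EmailMessage()
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    for name in ("invoice.pdf.js", "report.docm", "photo.jpg"):
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()

if __name__ == "__main__":
    for name, reasons in triage(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

Name-based checks like this are a first filter only; they do not inspect file contents.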

