Cerber eclipsed all other ransomware over holiday season, says Microsoft

But Windows Defender claims to be fighting back.

Cerber eclipsed all other ransomware over holiday season, says Microsoft

Microsoft detected more enterprise PCs infected by Cerber than any other ransomware family over the 2016-17 holiday season.

Researchers at the Microsoft Malware Protection Center tracked 2,114 Cerber encounters on enterprise endpoints between 16 December 2016 and 15 January 2017. That number accounted for more than a quarter (26 percent) of ransomware infections the Redmond-based tech giant observed during that period. By comparison, Genasom, the second-highest crypto-locking threat, came in at just 1,109 infections - just 14 percent of the total ransomware attacks.

Wdatp cerber figure 1 ransomware encounters on enterprise endpoints

Ransomware encounters on enterprise endpoints. (Source: Microsoft)

Cerber, the "ransomware that speaks" which boasts a lucrative affiliate program, has certainly expanded its reach in recent months. But by no means is it unstoppable. You just have to know where to look.

Microsoft's malware researchers elaborate on this point in a blog post:

"Not only are there similarities between members of this well-distributed ransomware family, certain Cerber behaviors are common malware behaviors. Detecting these behaviors can help stop even newly distributed threats."

Microsoft incorporated that exact philosophy into its Windows Defender Advanced Threat Protection (ATP) service. It's not surprising that Microsoft then pitted its solution against Cerber to see what would happen.

Powershell iconIn one attack, a Cerber infection started when a user opened a document in the Downloads folder. This file triggered embedded macros, launching a PowerShell command that downloaded another component carrying the Cerber payload. Windows Defender ATP triggered an alert for that event.

Not only that, but Microsoft's product also fired off separate alerts for when Cerber's PowerShell script connected to a Tor website in order to download an executable, when the payload self-launched itself from inside the Users folder, and when Cerber attempted to delete the system's Shadow Volume Copies.

We all know that no anti-virus solution can deliver total protection. That's one of the reasons why some people in the industry are (wrongly) urging users to disable their anti-virus software. Microsoft's demonstration, however, proves that security products continue to get better.

The anti-virus industry is moving in the direction of AI that uses machine learning and behavior analytics to detect malicious behavior, not malicious code. This type of solution will better protect both users and enterprises against something like ransomware, which often alters its disguise in an effort to evade detection. All we need to do is be patient and wait for these types of solutions to begin rolling out.

In the meantime, users should make sure they've done all they can to prevent a ransomware infection. That includes updating their existing anti-virus solution, updating their systems on a regular basis, and - yes - maintaining a backup of their data.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

2 Responses

  1. Garth Newton

    February 3, 2017 at 7:17 am #

    Thanks David,
    Having just done battle with CERBER at home this week (All important data backed up and some miraculously untouched) I thought I'd mention something that hasn't been commented upon to date. My experience is that some files in application folders were also encrypted by CERBER, which caused some apps to behave erratically.
    This should not be a big issue because reinstalling the app should fix things. However, compounding the problem is that the data files associated with the uninstall process were often encrypted. This breaks the uninstall process.
    One solution I found was to reinstall the apps on top of the existing app, thereby replacing the encrypted data files, then proceeding with an uninstall to clean out all encrypted files in the folder and finally proceeding with a clean install of the app to get things back to normal.

  2. Jonathan Crowe

    February 8, 2017 at 1:58 pm #

    Hi David, thanks for head's up that other ransomware variants may finally be overtaking Locky. That said, I wonder how much the Necurs botnet downtime accounts for the drop-off, and whether, now that it's back up, Cerber is back to playing second fiddle.

    One note regarding this quote: "The anti-virus industry is moving in the direction of AI that uses machine learning and behavior analytics to detect malicious behavior, not malicious code…. All we need to do is be patient and wait for these types of solutions to begin rolling out."

    No need to be patient! Have you seen Barkly (https://www.barkly.com/)? It provides runtime malware defense that detects the first signs of malicious behavior and stops it before any harm can be done. Since it's analyzing system processes rather than file attributes it isn't reliant on signatures and doesn't get fooled by the tricks malware uses to sneak past AV.

    Let me know if you'd like to know more. Thanks again.

Leave a Reply