Cerber ransomware has acquired the reputation of being one of the most rapidly evolving ransomware families to date. Just in May, we pointed out how it had gone through six separate versions with various differences in its routines. Several months later and it seems to have evolved again, this time adding cryptocurrency theft to its routines. This is on top of its normal ransomware routines, giving the attackers two ways to profit off of one infection.Read More
Cerber set itself apart from other file-encrypting malware when its developers commoditized the malware, adopting a business model where fellow cybercriminals can buy the ransomware as a service. The developers earn through commissions—as much as 40%—for every ransom paid by the victim. Coupled with persistence, Cerber turned into a cybercriminal goldmine that reportedly earned its developers $200,000 in commissions in a month alone last year.
Being lucrative and customizable for affiliates, it’s no wonder that Cerber spawned various iterations. Our coverage of unique Cerber samples—based on feedback from Smart Protection Network™—shows enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries.
A reflection of how far Cerber has come in the threat landscape—and how far it’ll go—is Cerber Version 6, the ransomware’s latest version we’ve uncovered and monitored since early April this year. It sports multipart arrival vectors and refashioned file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.Read More
CERBER is a ransomware family which has adopted a new technique to make itself harder to detect: it is now using a new loader which appears to be designed to evade detection by machine learning solutions. This loader is designed to hollow out a normal process where the code of CERBER is instead run.Read More
CERBER is a ransomware family that has seen its share of unusual features since its appearance early last year. From its use of audio warnings, to the targeting of cloud platforms and databases, to distribution via malvertising, emailed scripting files, and exploit kits, CERBER has always been willing to keep up with the times, as it was. One reason for its apparent popularity may be the fact that it is sold in the Russian underground, giving a wide variety of cybercriminals access to it.
However, we’ve started seeing CERBER variants (which we detect as RANSOM_CERBER.F117AK) add a new wrinkle to their behavior: they have gone out of their way to avoid encrypting security software. How did they do this?Read More
In early December, GoldenEye ransomware (detected by Trend Micro as RANSOM_GOLDENEYE.A) was observed targeting German-speaking users—particularly those belonging to the human resource department. GoldenEye, a relabeled version of the Petya (RANSOM_PETYA) and Mischa (RANSOM_MISCHA) ransomware combo, not only kept to the James Bond theme of its earlier iteration, but also its attack vector.
Given ransomware’s likely outlook to reach a plateau, persistence in the threat landscape and diversification of target victims are the names of the game. GoldenEye exemplifies bad guys trying to gain scale, leverage, and profit with rehashed malware.Read More