Ransomware hit hard in 2016, with large attacks, big payouts and many new strains built to get past security controls. At the end of 2016 the Locky and CERBER ransomware families seemed to be neck and neck for market dominance, but that changed as CERBER evolved to add new detection-evasion capabilities. According to Security Intelligence, CERBER started 2017 with a 70 percent share of the ransomware market and rose to 90 percent by the end of the first quarter; Locky held only a 2 percent share at the close of Q1 2017.
CERBER has repeatedly succeeded in evading security software, which is what makes it attractive to criminals. New CERBER variants are getting around machine learning tools, and Trend Micro is working to close that gap. Trend Micro recently published a report on the evolutions CERBER has gone through so far and how its solutions are advancing to keep pace. As CERBER continues to threaten organizations, it is important to understand how to protect against new strains and what is being done to close the current detection gaps.
How CERBER works
Like most other malware, CERBER is delivered through spam emails, exploit kits and other infection vectors. When a recipient clicks the link or opens the attachment, the payload downloads and runs covertly in the background and begins encrypting files. CERBER differs from a lot of other ransomware in how it treats files: it renames both the filename and the extension of the assets it targets, and it is selective about the folders it touches, Microsoft noted. For example, CERBER skips system folders but encrypts items on network shares and on every drive attached to the machine, so a single infected host can damage data far beyond its own disk.
CERBER is also updated continually because it is sold to prospective cybercriminals as ransomware-as-a-service, and these modifications make it difficult to predict where the strain will head next. In 2016, the servers distributing CERBER repacked the payload roughly every 15 seconds, so each download had a new file hash. According to SecurityWeek, security products that relied on matching known file hashes could not keep up, because a hash taken from one download never matched the next. This scheme was essential to keeping CERBER a moving target and to releasing new variants that would get past security measures.
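As an added example (not part of the original article and not Trend Micro product code), the following Python shows two things the last two paragraphs describe: why per-download repacking defeats an exact-hash blocklist, and what a behaviour-based alternative keyed on the rename-the-name-and-the-extension pattern looks like. The payload bytes, the event log format, the paths and the process IDs are all constructed for illustration; no real CERBER sample or product telemetry is used.

```python
import hashlib
import ntpath
import random
from collections import defaultdict
from datetime import datetime, timedelta

# ---- 1. Why a hash blocklist fails against per-download repacking --------
# Constructed stand-in for a payload body; no real sample is embedded here.
BASE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed-sample-body"


def repack(payload: bytes, seed: int) -> bytes:
    """Simulate server-side repacking: the functional body is unchanged, but
    each 'download' gets a different trailer, so every copy has a new SHA-256."""
    rnd = random.Random(seed)
    trailer = seed.to_bytes(4, "big") + bytes(rnd.getrandbits(8) for _ in range(28))
    return payload + trailer


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hits(blocklist: set, samples: list) -> int:
    """How many samples an exact-hash blocklist would stop."""
    return sum(1 for s in samples if sha256(s) in blocklist)


def unique_hashes(samples: list) -> int:
    return len({sha256(s) for s in samples})


# ---- 2. Behaviour-based detection of the rename pattern ------------------
# Constructed file-system event lines (not any product's real format):
#   <ISO timestamp> <pid> RENAME <old_path> -> <new_path>
SAMPLE_EVENTS = r"""
2017-03-01T10:00:00 4120 RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\k3jd8s2h1a.a8f3
2017-03-01T10:00:01 4120 RENAME C:\Users\alice\Documents\notes.docx -> C:\Users\alice\Documents\p0q9w8e7r6.a8f3
2017-03-01T10:00:03 880 RENAME C:\Users\alice\Downloads\report.tmp -> C:\Users\alice\Downloads\report.docx
2017-03-01T10:00:04 4120 RENAME D:\photos\IMG_0001.jpg -> D:\photos\zx8c7v6b5n.a8f3
2017-03-01T10:00:05 4120 RENAME D:\photos\IMG_0002.jpg -> D:\photos\m4n3b2v1c0.a8f3
2017-03-01T10:00:09 4120 RENAME \\fileserver\finance\q1.xlsx -> \\fileserver\finance\l9k8j7h6g5.a8f3
2017-03-01T10:00:12 4120 RENAME \\fileserver\finance\q2.xlsx -> \\fileserver\finance\a1s2d3f4g5.a8f3
2017-03-01T10:05:00 2200 RENAME C:\Users\alice\Desktop\draft.txt -> C:\Users\alice\Desktop\final.txt
""".strip().splitlines()


def parse_event(line: str):
    ts, pid, op, rest = line.split(" ", 3)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts), int(pid), op, old, new


def looks_encrypted_rename(old: str, new: str) -> bool:
    """CERBER-style renames change both the base name and the extension;
    a plain .tmp -> .docx save, or a rename that keeps the extension, does not."""
    old_base, old_ext = ntpath.splitext(ntpath.basename(old))
    new_base, new_ext = ntpath.splitext(ntpath.basename(new))
    return old_base != new_base and old_ext.lower() != new_ext.lower()


def detect_rename_burst(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag pids that perform >= threshold encrypted-looking renames inside one
    sliding time window. Also report how many volumes (drive letters or UNC
    shares) were touched, since reaching shares and other drives is what
    turns one infected host into an organization-wide loss."""
    per_pid = defaultdict(list)
    for line in lines:
        ts, pid, op, old, new = parse_event(line)
        if op == "RENAME" and looks_encrypted_rename(old, new):
            per_pid[pid].append((ts, ntpath.splitdrive(old)[0].lower()))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for pid, events in per_pid.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                volumes = {vol for _, vol in events[i:j]}
                flagged[pid] = {"renames": j - i, "volumes": len(volumes)}
                break
    return flagged


if __name__ == "__main__":
    known = {sha256(repack(BASE_PAYLOAD, 0))}
    downloads = [repack(BASE_PAYLOAD, s) for s in range(1, 11)]
    print("blocklist hits:", hash_blocklist_hits(known, downloads), "of", len(downloads))
    print("distinct hashes:", unique_hashes(downloads))
    print("rename-burst alerts:", detect_rename_burst(SAMPLE_EVENTS))
```

The threshold and window are tuning knobs: a document converter or a backup agent can legitimately rename many files, but it rarely changes both the base name and the extension on files spread across several volumes in a few seconds, which is why the detector keys on that combination rather than on rename volume alone.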
CERBER making bigger impacts
CERBER strains have already affected millions of people and could make an even bigger splash in the future. According to InfoWorld, a phishing campaign targeted millions of Office 365 users with the ransomware. The attack ran for more than 24 hours before Microsoft began blocking the CERBER attachment, but by then the damage was done: users who opened the attachment would have been infected unless they deleted the malicious files right away. Trend Micro has a full guide to removing the infected files and securing your hardware. CERBER's ability to bypass Office 365's built-in security tools was particularly worrisome for many businesses.
"CERBER is packaging itself in a way that's designed to evade machine learning file detection."
New strain avoids machine learning tools
CERBER's Office 365 campaign was a clear wake-up call for organizations to step up their security measures and better educate employees on ransomware techniques. However, CERBER's reign didn't stop there, and it is likely to continue for some time as the malware keeps advancing. It will be important for businesses to implement advanced cybersecurity tools to deter these threats.
Many organizations are using machine learning to detect unknown malware and delivery methods as opposed to just relying on identified signatures of known threats. Machine learning has already enabled many organizations to identify and address issues faster than before. These capabilities are essential to reducing risk, mitigating damage and minimizing potential costs.
However, CERBER is staying ahead of this trend by packaging itself in a way that's designed to evade machine learning file detection. According to ZDNet, CERBER is delivered as a self-extracting archive, which looks legitimate even to machine learning tools: self-extracting archives share a similar structure regardless of what they carry, and the unpacked components may not look malicious on their own either.
The malware's stages are split across multiple files, and the payload is injected into already-running processes, so tools that judge files on disk never see the assembled ransomware. The loader also checks whether it is running in an analysis sandbox or other protected environment before injecting the CERBER binary into a normal process. This way, the developer makes the code difficult to analyze, and the sample can continue infecting other users.
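As an added example (not code from the original article or from Trend Micro), the Python below correlates the chain described in the two paragraphs above over endpoint telemetry: a process that drops several files, a child spawned from it, and a remote thread created in a process that chain never launched. The event format is loosely modelled on Sysmon-style process, file and remote-thread events but is constructed here; the image names, paths and PIDs are invented. Because the loader checks for a protected environment first, a detonation sandbox may see nothing beyond the self-extracting archive, so this kind of correlation has to run on telemetry from real endpoints, not only in a sandbox.

```python
from collections import defaultdict

# Constructed telemetry lines (no real CERBER data; names and PIDs are made up):
#   PROC    <pid> <ppid> <image_path>
#   FILE    <pid> <path_written>
#   RTHREAD <source_pid> <target_pid>   (thread created in another process)
SAMPLE_TELEMETRY = r"""
PROC 500 1 C:\Windows\explorer.exe
PROC 612 500 C:\Windows\System32\svchost.exe
PROC 7001 500 C:\Users\alice\AppData\Local\Temp\invoice_sfx.exe
FILE 7001 C:\Users\alice\AppData\Local\Temp\sfx_unpack\stage1.vbs
FILE 7001 C:\Users\alice\AppData\Local\Temp\sfx_unpack\stage2.dll
FILE 7001 C:\Users\alice\AppData\Local\Temp\sfx_unpack\config.json
PROC 7002 7001 C:\Windows\System32\wscript.exe
RTHREAD 7002 612
PROC 7100 500 C:\Program Files\Backup\updater.exe
FILE 7100 C:\Program Files\Backup\update.log
PROC 7101 7100 C:\Program Files\Backup\helper.exe
RTHREAD 7100 7101
""".strip().splitlines()


def parse_telemetry(lines):
    """Return (image by pid, parent pid by pid, files written by pid, remote-thread pairs)."""
    image, parent, files, rthreads = {}, {}, defaultdict(list), []
    for line in lines:
        kind, *fields = line.split(" ")
        if kind == "PROC":
            pid, ppid = int(fields[0]), int(fields[1])
            image[pid], parent[pid] = " ".join(fields[2:]), ppid
        elif kind == "FILE":
            files[int(fields[0])].append(" ".join(fields[1:]))
        elif kind == "RTHREAD":
            rthreads.append((int(fields[0]), int(fields[1])))
    return image, parent, files, rthreads


def lineage(pid, parent, depth=3):
    """pid followed by up to `depth` of its ancestors, nearest first."""
    chain = [pid]
    while pid in parent and len(chain) < depth + 1:
        pid = parent[pid]
        chain.append(pid)
    return chain


def detect_staged_injection(lines, min_dropped=2):
    """Alert when a process whose recent ancestry wrote several files creates a
    thread in a process that ancestry did not itself spawn: staged components on
    disk, then injection into an unrelated running process."""
    image, parent, files, rthreads = parse_telemetry(lines)
    alerts = []
    for src, target in rthreads:
        ancestry = lineage(src, parent)
        dropper = next((p for p in ancestry if len(files.get(p, [])) >= min_dropped), None)
        if dropper is None:
            continue  # no multi-file drop in the chain: debuggers and updaters look like this
        if dropper in lineage(target, parent):
            continue  # injecting into your own child is common in legitimate software
        alerts.append({
            "dropper": image.get(dropper, "?"),
            "dropped": files[dropper],
            "injector": image.get(src, "?"),
            "target": image.get(target, "?"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_injection(SAMPLE_TELEMETRY):
        print(alert)
```

The benign updater in the sample (one log file written, a thread created in its own child) produces no alert, while the self-extracting chain does, which is the distinction a rule like this needs to make to stay quiet on ordinary software.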
Protecting against CERBER
CERBER is clearly a dangerous threat to businesses and users, and organizations must take steps now to protect themselves and deploy capable cybersecurity tools. Trend Micro suggested that a proactive, multilayered approach, guarding endpoints, networks, servers and gateways together, is more effective than any single control. Security tools should monitor service and application activity, unauthorized requests to run applications and changes to permission levels. Trend Micro's recently published report provides insight into what protection is needed at each layer. For example, organizations can use Trend Micro Smart Protection Suites for messaging and endpoint security, while Trend Micro Deep Discovery™ safeguards networks.
Trend Micro's security solutions help businesses detect abnormal activity as it happens and identify potential threats before they cause damage. Trend Micro is at the forefront of beating CERBER at its own game, with a suite that protects company assets from the ransomware. For more information on how you can protect yourself against CERBER, contact Trend Micro today.