Cerber Ransomware Now Hunts for Databases


Cerber is one of the most popular ransomware packages, and its latest version also targets databases. It is sold as a service (ransomware as a service) on the "dark net" through an affiliate program. Cerber is a turnkey operation in which affiliates share 40% of their profits with the developers; in turn, the Cerber team does all the back-end work, making it simple for affiliates to distribute the malware and collect payments from victims, minus the overhead costs.

This update is significant. It expands Cerber's targets from consumers to businesses as well. The shift follows the latest trend among the top ransomware families: attackers have realized that while consumers may pay $300–$500 for their files, businesses will pay much more. As most criminals do, they pursue the money.

Three changes  

The latest version of Cerber has made three important changes. First, the malware now changes the extension of each encrypted file to four random characters, where previously every encrypted file received the extension .cerber3. This makes it harder to scan for affected files by extension alone. (For more on the extensions, read this McAfee Labs blog.)

Second, a new HTML application (HTA) file displays the ransom note and instructions in a window. It is cleaner, provides links, and looks more professional. This may give victims more confidence that they are dealing with "professionals" and should expect to receive a key to unlock their files if they pay.


Finally, and most important, the malware now attempts to stop database processes running on the target system so it can encrypt their data. This is a significant shift in focus from consumers to businesses, which typically run databases containing important operational data. While a database engine holds its data files open, other processes cannot open them for writing, so the ransomware cannot overwrite them. Cerber therefore tries to shut down the database software first so that the files can be encrypted.
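Two of the indicators described above lend themselves to simple detection logic: a burst of database server processes terminating within a short window, and a burst of files being renamed to unfamiliar four-character extensions. The Python below is an added example written for this page, not code from McAfee or from the write-ups it cites. It runs over a constructed, Sysmon-style event log embedded in the script; the database process watch list, the assumption that the random extension is lower-case alphanumeric, the list of excluded legitimate extensions and the alert thresholds are all illustrative assumptions, not the malware's own process list or behaviour.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumption: a defender's watch list of common database server images.
# This is not the malware's own kill list, only processes worth watching.
DB_PROCESSES = {
    "sqlservr.exe", "sqlagent.exe", "sqlwriter.exe",
    "mysqld.exe", "oracle.exe", "postgres.exe",
}

# The text says encrypted files get a random four-character extension.
# Assumption: lower-case alphanumeric. Common legitimate four-character
# extensions are excluded so ordinary document saves do not trip the rule.
RANDOM_EXT = re.compile(r"\.([0-9a-z]{4})$")
KNOWN_EXT = {"docx", "xlsx", "pptx", "html", "json", "jpeg", "yaml", "tiff"}

# Constructed, Sysmon-like sample log (not real telemetry). One event per
# line: ISO timestamp | event type | payload. 'proc_end' mirrors a
# process-terminate event; 'file_rename' carries 'old path -> new path'.
SAMPLE_LOG = r"""
2016-10-03T09:00:01|proc_end|C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
2016-10-03T09:00:02|proc_end|C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2016-10-03T09:00:02|proc_end|C:\Windows\System32\notepad.exe
2016-10-03T09:00:03|proc_end|C:\Program Files\MySQL\MySQL Server 5.7\bin\mysqld.exe
2016-10-03T09:00:10|file_rename|D:\data\q3-report.docx -> D:\data\q3-report.a7f3
2016-10-03T09:00:10|file_rename|D:\data\budget.xlsx -> D:\data\budget.k02z
2016-10-03T09:00:11|file_rename|D:\data\notes.txt -> D:\data\notes.bak
2016-10-03T09:00:11|file_rename|D:\data\invoice.pdf -> D:\data\invoice.9qbd
2016-10-03T09:00:12|file_rename|D:\data\export.csv -> D:\data\export.xlsx
2016-10-03T09:00:12|file_rename|D:\data\ledger.mdf -> D:\data\ledger.t4m8
2016-10-03T09:00:13|file_rename|D:\data\payroll.accdb -> D:\data\payroll.zz1c
"""


def parse(line):
    """Split a constructed 'timestamp|type|payload' line into a dict."""
    ts, kind, payload = line.split("|", 2)
    return {"ts": datetime.fromisoformat(ts), "type": kind, "payload": payload}


def db_kill_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Alert when at least `threshold` watched database processes terminate within `window`."""
    recent, alerts = deque(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "proc_end":
            continue
        image = ev["payload"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image not in DB_PROCESSES:
            continue
        recent.append((ev["ts"], image))
        while recent and ev["ts"] - recent[0][0] > window:  # drop stale entries
            recent.popleft()
        if len(recent) >= threshold:
            names = ", ".join(sorted({name for _, name in recent}))
            alerts.append(f"{ev['ts'].isoformat()} {len(recent)} watched database "
                          f"processes terminated within {int(window.total_seconds())}s: {names}")
            recent.clear()  # one alert per burst
    return alerts


def random_ext_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Alert when at least `threshold` files gain an unfamiliar four-character extension within `window`."""
    recent, alerts = deque(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "file_rename":
            continue
        _old, new = ev["payload"].split(" -> ", 1)
        match = RANDOM_EXT.search(new.lower())
        if not match or match.group(1) in KNOWN_EXT:
            continue
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(f"{ev['ts'].isoformat()} {len(recent)} files renamed to "
                          f"random four-character extensions within {int(window.total_seconds())}s")
            recent.clear()
    return alerts


def analyze(log_text):
    """Parse a log in the constructed format and return all alerts from both rules."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    return db_kill_bursts(events) + random_ext_bursts(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On a real estate the events would come from Sysmon process-terminate events or the Security log's process-exit auditing and from file-system auditing or an EDR agent, and the thresholds need tuning: a routine SQL Server restart also ends several of these processes at once, so correlate the first rule with change windows before paging anyone, and treat the two rules firing together as the strong signal.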

Big business 

Security experts believe Cerber's operators are based in Russia because the malware avoids systems configured with the Russian language. It has the rest of the world to target, and it does well. Estimates vary, but profits appear to range from $1 million to $2.5 million per year. In August, Check Point Software and IntSights tracked 161 active campaigns, with eight new ones launched every day. In July, they tracked 150,000 new infections, with an average ransom demand of one Bitcoin.

Cerber in action

Cerber's developers are pushing the next evolution of ransomware by going after database files. Admins, watch your database processes for unexpected stops: they may be a sign of Cerber shutting down the database so it can encrypt the files. But that would be the wrong time to start thinking about good backups and sound security practices.

The best strategic cybersecurity capability includes elements to Predict, Prevent, Detect, and Respond to risks. This holds true for protection against ransomware. A solid data backup and restoration capability is important, as is quality antimalware to block attacks. Behavioral controls that educate users will reduce the biggest infection vector: people opening infected phishing emails. Rapid detection and sensors must be in place to raise the alarm quickly for variants that cannot be stopped. Recovery teams with clear processes, tools, and backups must then get things back to normal. Ransomware is not easy to defeat, but the first step is to have a comprehensive plan and the resources to execute it. Cerber and others will continue to evolve; your security must be just as agile.


Image credit and a good write-up: http://www.bleepingcomputer.com/news/security/cerber-ransomware-switches-to-a-random-extension-and-ends-database-processes/

Video credit: http://www.securityspyware.com/cerber-ransomware-virus-removal-decrypt-random-extension/


Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

The post Cerber Ransomware Now Hunts for Databases appeared first on McAfee Blogs.

Germany to audit 500 companies on data transfers

The German data protection authorities announced today that they have selected 500 companies throughout Germany for an audit of their transfers of personal data to the US and other countries (e.g. India). The targets were chosen at random and cover small, medium-sized and large companies known to transfer customer or employee data from Germany to the US. Cloud computing and office software applications are a particular focus. The different approach to data privacy in the US, made especially apparent by the Snowden disclosures, has led many EU authorities to criticize US handling of personal data as not meeting the EU's level of data protection.


The Safe Harbor self-certification scheme for commercial entities in the US, a commonly used tool agreed between the EU Commission and the US Department of Commerce to safeguard an EU level of data protection at US companies, was declared void by the CJEU in its Schrems decision. The new regime, known as the "EU-US Privacy Shield", went live in August. Companies also have the option to agree to bilateral EU Standard Contractual Clauses or to establish binding corporate rules.

Beware Cloud and SaaS

Now the German authorities want to audit German companies and the German branches of foreign companies to check whether and how they comply. In particular, they are expected to investigate whether a transfer regime is in place and whether the old Safe Harbor approach is still being relied on. Use of cloud and SaaS vendors will be a focus.

Once more this is a warning sign that the authorities of EU Member States are using their administrative powers to enforce EU data protection law, especially for consumers but also for employees. Germany is being particularly active.

What happens next?

The German data protection authorities will approach companies by letter, requesting information on their practice of transferring data to the US. Depending on the response, further requests or on-site inspections may follow. The authorities are also likely to direct the companies' in-house Data Protection Officers to assist with their requests.

Companies that receive such a request should draft their response carefully. As these requests usually allow sufficient time to react, there may still be time to put safeguards such as EU Standard Contractual Clauses in place. But planning now is key.

Prepared by Christian Schefold, Christoph Zieger and Ariane Loof of Dentons Germany