Cerber is one of the most popular ransomware packages. It has upgraded itself to also target databases. It is available for purchase as a service (ransomware as a service) on the “dark net” as part of an affiliate program. Cerber is part of a turnkey service in which clients share 40% of their profits with the developers. In turn, the Cerber team does all the work on the back end to make it simple for their affiliates to distribute the malware and receive payments from victims, minus the overhead costs.
This update is significant. It expands the capabilities to not only targeted consumers, but now to businesses as well. This shift is the latest trend with the top ransomware families. Attackers have realized that though consumers may pay $300–$500 for their files, businesses will may much more. As most criminals do, they pursue the money.
The latest version of Cerber has made three important changes. The malware now alters the extensions of encrypted files to a random four characters. Previously it changed the extension of altered files to .cerber3. This adaptation makes it more difficult to scan for affected files. (For more on the extensions, read this McAfee Labs blog.)
Second, a new HTML executable file displays the ransom note and instructions in a window. It is cleaner, provides links, and is more professional looking. This may give victims more confidence that they are dealing with professionals and should expect to receive a key to unlock their files if they pay.
Finally, and most important, the malware now attempts to stop database processes running on the target system so it can encrypt the data. This is a significant shift in focus from consumers to businesses, which typically run databases containing important operational data. When database files are open and in use by software, they cannot easily be encrypted. Cerber attempts to close the database software so the files can be encrypted.
Security experts believe Cerber is based in Russia because it avoids systems configured in the Russian language. But it has the rest of the world to target, and it does well. Estimates vary, but profits appear to range from $1 million to $2.5 million per year. In August, Check Point Software and IntSights tracked 161 campaigns active with eight new ones launched every day. In July, they tracked 150,000 new system infections, with an average extortion demand of one Bitcoin.
Cerber in action
Cerber developers are pushing the next evolution of ransomware by going after database files. Admins, watch your database processes for unexpected stops. It might be an indication of Cerber ransomware trying to undermine file integrity. But that would be the wrong time to consider instituting good backups and applying good security practices.
The best strategic cybersecurity capability process includes elements to Predict, Prevent, Detect, and Respond to risks. This holds true for protection against ransomware. A solid data backup/restoration capability is important, as is quality antimalware to block attacks. Behavioral controls to educate users will reduce the biggest infection vector: people opening infected phishing emails. Rapid detection and sensors must be present to quickly raise the alarm for variants that cannot be stopped. Recovery teams with clear processes, tools, and backups must then get things back to normal. Ransomware is not easy to defeat, but the first step it to have a comprehensive plan and resources. Cerber and others will continue to evolve. Therefore, your security must be just as agile.
- http://blog.checkpoint.com/2016/08/16/cerberring/Opens in a new window
- http://www.zdnet.com/article/ransomware-as-a-service-for-allows-wannabe-hackers-to-cash-in-on-cyber-extortion/Opens in a new window
- http://www.pcworld.com/article/3127815/cerber-ransomware-kills-database-connections-to-access-important-data.htmlOpens in a new window
- http://virusguides.com/cerber-ransomware-updated-adds-random-file-extension/Opens in a new window
- https://threatpost.com/2-5-million-a-year-ransomware-as-a-service-ring-uncovered/119902/Opens in a new window
Image credit and a good write-up: http://www.bleepingcomputer.com/news/security/cerber-ransomware-switches-to-a-random-extension-and-ends-database-processes/