SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
What makes the Cerber ransomware so agile?
Tue, 9th May 2017
FYI, this story is more than a year old

The Cerber ransomware has been one of the most nimble, varied and dominant malware strains on the market — almost neck-and-neck with Locky.

A recent blog from Trend Micro analysed what makes the Cerber ransomware so fluid, and the answers may be more complex than first thought.

According to Trend Micro's Smart Protection Network, the US takes the brunt of infections, but Japan accounts for 4.63%; Australia for 2.53%; and China for 1.1%.

The blog says that the ransomware variations are evading even machine learning techniques as it stays one step ahead of the security companies trying to catch them.

Cerber has been on the scene for just over a year and made its name by being sold by cybercriminals as ransomware-as-a-service. The creators earn as much as 40% for every ransom paid by the victim.

But the biggest issue is that creators are constantly modifying the ransomware to make it appeal to potential buyers. Trend Micro says that servers morphed the Cerber ransomware every 15 seconds.

Trend Micro explains that spam emails, exploit kits and infections carry the bulk of Cerber ransomware. When a victim clicks a link or opens the message, the program will start background downloads and file encryption. It chooses selected folders and files, primarily those in shared networks and all machine drives.

While the ransomware has been going after Office 365 and other business programs, how do organisations protect themselves?

Trend Micro says that machine learning is a start, but the Cerber ransomware is evading even the most advanced file detection. It does this by breaking up its stages into files and running processes, which means it's very hard for security products to spot.

Trend Micro says that a proactive, multilayered security approach is a step in the right direction. Security should be monitoring serviceOKs and applications, as well as any unauthorised application requests and permission changes.