Check Point tracks two waves of Cerber ransomware hitting US, UK

The two spikes took place between 4-18 April and then again between 17-30 May.

A team of Check Point researchers has tracked two large waves of attacks using Cerber ransomware in the last few months, with more spikes in the number of incidents expected.

While Cerber has been steadily used since earlier this year, two spikes took place between 4-18 April and again between 17-30 May, Check Point reported. 

In each case the majority of attacks hit targets in the United States, 41 percent; Turkey, 15 percent; and the UK, nine percent. Seven other nations also experienced an uptick in the number of attacks during these two periods, but at a much lower rate.

"We have no doubt that we will continue to see spikes in Cerber's activity," the report stated.

Check Point estimates the number of attacks that have taken place is about 600.

The research firm also explained why it believes the attacks took place in waves.

"It allows the attackers to control their operation closely for a short period of time, without the need for constant management, which can require large resources," Gadi Naveh, a threat prevention researcher with Check Point, told SCMagazine.com via email.

"Second, striking in waves enables the attackers to make necessary code changes, improving their malware and evasion techniques between bursts. Since static security solutions focus on signatures of the malware, attackers can morph their malware until it is unrecognised by these signatures, rendering them useless. Lastly, this pattern can also be caused by changes in the distribution infrastructure."

One change that does coincide with these events is that Cerber has recently been spotted advertised as ransomware-as-a-service on several Russian dark web forums.