Holding hostage essential database files is believed to be an attempt to maximise earnings for the miscreants behind this latest iteration, said Mary Yanbao and Francis Antazo, threat response engineers at Trend Micro and co-authors of the report.
Cerber ransomware, a service offered on Russian underground web markets to entry-level cyber thieves, is already available in a number of versions, some of which come loaded with a DDoS component, employ double-zipped Windows Script Files, or enlist a cloud productivity platform. As the developers rake in a 40 percent commission from their so-called affiliates, there's incentive to keep evolving the malware, the report stated. It is said the developers earned US$200,000 (£160,000) in July this year alone.
At that point, encryption begins on fixed and removable drives, shared network folders and even RAM disks, with particular attention to files used by accounting, payroll and health care database software.
This focus leads the authors to posit that the tactic signals a shift toward enterprise operations where disruption of the business would prove costly in terms of downtime.
One mitigation strategy they proffer is to regularly back up important corporate assets. Because a number of the ransomware variants also use privileged/administrator accounts to carry out their routines, such as terminating processes, the authors also advise adopting a privilege management policy to limit the malware's entry points for infection. They further suggest a multilayered approach to security, "from the gateway, endpoints, networks and servers."