Cerber ransomware: Now with database encryption

News by Greg Masters

The widespread and ever-evolving Cerber ransomware has upped its game as it targets enterprises with a new capability to encrypt database files.

The widespread and ever-evolving Cerber ransomware has upped its game and is now targeting enterprises with a new capability to encrypt database files, according to a new report from Trend Micro.

Holding hostage essential database files is believed to be an attempt to maximise earnings for the miscreants behind this latest iteration, said Mary Yanbao and Francis Antazo, threat response engineers at Trend Micro and co-authors of the report.

Cerber ransomware, a service offered on Russian underground web markets to entry-level cyber thieves, is already available in a number of versions, some of which come loaded with a DDoS component, employ double-zipped Windows Script Files, or enlist a cloud productivity platform. As the developers rake in a 40 percent commission from their so-called affiliates, there's incentive to keep evolving the malware, the report stated. It is said the developers earned US$200,000 (£160,000) in July this year alone.

In a deep dive into how Cerber spreads, the authors took a look at a spam email campaign that arrives seemingly from an online payment provider and dupes recipients with a notice that their credit line is maxed out. Other campaigns sent a phony invoice with Word documents loaded with a macro. In either case, clicking the infected link delivers the ransomware along with a .zip file containing malicious JavaScript.

At that point, encryption commences on fixed and removable drives, as well as shared network folders and even RAM disks, looking particularly to target files involved in accounting, payroll and health care database software.

This focus leads the authors to posit that the tactic signals a shift toward enterprise operations where disruption of the business would prove costly in terms of downtime.

One mitigation strategy they proffer is to regularly back up important corporate assets. As a number of the ransomware variants also use privileged/administrator accounts to engage their routines – such as terminating processes – the authors also advise the use of a privilege management policy to assist in limiting the malware's entry points for infection. As well, they suggest a multilayered approach to security – "from the gateway, endpoints, networks and servers."
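The behaviour described above (bulk rewriting of files with encrypted content across fixed drives, removable media and network shares, with database file types singled out) is what an endpoint detection rule would look for. The following is an added illustration written for this article, not code from Trend Micro or from the report: it scores constructed file-write events per process, treating a process that writes many high-entropy files in a short window as a bulk-encryption suspect and noting which volume types and database-like extensions it touched. The thresholds, the extension list, the drive-letter convention for removable media and the sample events are all assumptions for the demo.

```python
"""Heuristic detector for ransomware-style bulk encryption activity.

Added illustration, not code from the Trend Micro report or the article.
It scores constructed file-write events: a process that rewrites many files
with high-entropy (encrypted-looking) content across local, removable and
network-share paths in a short window is flagged. Thresholds, the sample
events and the "database-like" extension list are assumptions for this demo.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

# Assumed extension list standing in for the accounting, payroll and
# health care database formats the article says Cerber goes after.
DB_LIKE_EXTENSIONS = {".mdb", ".accdb", ".sqlite", ".db", ".mdf", ".dbf"}

ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data sits near 8.0
MIN_FILES = 5             # high-entropy writes before a process is considered
WINDOW_SECONDS = 60.0     # those writes must fall inside this window


@dataclass
class WriteEvent:
    ts: float      # seconds since monitoring started
    pid: int
    path: str      # Windows-style path as a file-system monitor would report it
    data: bytes    # content written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def volume_class(path: str) -> str:
    """Classify where a path lives: UNC share, removable drive, or fixed drive.

    Assumption for the demo: drive letters E: and later are removable media.
    """
    if path.startswith("\\\\"):
        return "network_share"
    drive = path[:2].upper()
    if len(drive) == 2 and drive[1] == ":" and drive[0] >= "E":
        return "removable"
    return "fixed"


def score_events(events):
    """Return {pid: summary} for processes whose writes look like bulk encryption."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    flagged = {}
    for pid, evs in by_pid.items():
        # Only writes whose content looks encrypted count toward the threshold.
        high_entropy = [e for e in evs if shannon_entropy(e.data) >= ENTROPY_THRESHOLD]
        if len(high_entropy) < MIN_FILES:
            continue
        span = high_entropy[-1].ts - high_entropy[0].ts
        if span > WINDOW_SECONDS:
            continue
        exts = {e.path[e.path.rfind("."):].lower() for e in high_entropy}
        flagged[pid] = {
            "files": len(high_entropy),
            "span_seconds": span,
            "volumes": sorted({volume_class(e.path) for e in high_entropy}),
            "db_like_hits": len(exts & DB_LIKE_EXTENSIONS),
        }
    return flagged


# Constructed sample input. Every byte value appearing equally often gives
# exactly 8.0 bits/byte, a stand-in for ciphertext; the repeated text line
# stands in for an ordinary document being saved.
ENCRYPTED_LIKE = bytes(range(256)) * 4
PLAIN_TEXT = b"Invoice total: 120.00\n" * 20

SAMPLE_EVENTS = [
    WriteEvent(0.0, 4242, r"C:\acct\ledger.mdb", ENCRYPTED_LIKE),
    WriteEvent(4.0, 4242, r"C:\payroll\staff_pay.accdb", ENCRYPTED_LIKE),
    WriteEvent(9.0, 4242, r"E:\backup\clinic.sqlite", ENCRYPTED_LIKE),
    WriteEvent(15.0, 4242, r"\\fileserver\shares\hr\records.db", ENCRYPTED_LIKE),
    WriteEvent(22.0, 4242, r"C:\data\report.docx", ENCRYPTED_LIKE),
    WriteEvent(30.0, 4242, r"C:\data\finance.mdf", ENCRYPTED_LIKE),
    WriteEvent(3.0, 1001, r"C:\users\alice\invoice.txt", PLAIN_TEXT),
    WriteEvent(40.0, 1001, r"C:\users\alice\notes.txt", PLAIN_TEXT),
]

if __name__ == "__main__":
    for pid, summary in score_events(SAMPLE_EVENTS).items():
        print(f"pid {pid} flagged: {summary}")
```

Run as a script it reports pid 4242 (six high-entropy rewrites in 30 seconds spanning fixed, removable and share paths, five of them database-like extensions) and stays silent on pid 1001, which only saved ordinary text. A real deployment would feed this from a file-system filter or EDR telemetry and pair a hit with process termination and isolation; the privilege management policy the authors recommend matters here too, since a process that cannot reach the share or the removable drive in the first place never produces those events.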
