Of all the new ransomware strains that burst onto the scene in 2016, Cerber stands out in several notable ways...
Not only has it introduced several innovations on the technical side (adding the ability to work offline, to kill and encrypt databases, etc.), it has also become one of the most prominent early drivers of ransomware-as-a-service (RaaS).
Instead of distributing Cerber solely themselves, the developers behind the ransomware have made it available to any would-be criminal willing to part with a portion of the profits.
Thanks in part to this “affiliate program” Cerber has gained widespread distribution, becoming one of the most prolific ransomware families. Let's look at some of the stats behind its rise.
Cerber Ransomware Statistics
150,000 Windows users were infected in July 2016 alone
During the month of July, researchers at Check Point tracked 161 active Cerber ransomware campaigns delivered via exploit kits, which together infected roughly 150,000 users worldwide.
Source: Check Point
Cerber is estimated to generate $2.3 million a year
Check Point researchers also estimated that Cerber netted attackers roughly $195,000 in July 2016, putting it on track to be a $2.3 million annual source of income for criminals to pocket or to fund further attacks.
For a 40% cut of the profits, anyone can deploy Cerber
Cerber’s ransomware-as-a-service model allows “affiliates” to distribute the Cerber ransomware software in exchange for 40% of each ransom amount paid.
Source: Check Point
Cerber accounted for 1/4 of ransomware activity in late December 2016 and early January 2017
That placed it ahead of Locky (the most active ransomware of 2016) and all other ransomware strains in terms of infections. It should be noted, however, that this timeframe also coincides with the temporary disappearance of the Necurs botnet, one of the primary drivers of Locky distribution.
New updates for Cerber have been released every 8.4 days on average
According to this report on ransomware events from David Balaban at Privacy PC, Cerber's developers have been shipping updates that add new features and help the ransomware evade detection nearly once a week.
Cerber Ransomware FAQ
How do you get infected with Cerber ransomware?
As with most ransomware, the most common attack vectors are phishing emails and exploit kits. Attackers have favored malicious Microsoft Office documents that carry macros, but new delivery methods are being developed all the time.
For an in-depth breakdown of how ransomware is typically delivered, see our Complete Guide to Ransomware.
How does Cerber encrypt files and spread?
Cerber utilizes RC4 and RSA algorithms for file encryption.
Earlier versions of Cerber renamed encrypted files with a .cerber extension. Newer versions append a random file extension instead.
Cerber also sports several novel features:
- It talks! Some versions contain VBScript that makes infected computers actually speak to victims (you can hear what the alert sounds like here).
- It works offline: Cerber can operate without an active internet connection and without needing to reach a command and control (C&C) server. That means disconnecting an infected machine won't stop encryption.
- It can encrypt database files: A new version of Cerber first discovered in October 2016 includes the ability to kill certain database processes in order to successfully encrypt data files. Researchers believe this change may indicate a shift to targeting businesses, specifically.
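The rename behaviour described above (a fixed .cerber extension in early versions, a random extension in newer ones, database data files among the targets) is something file-activity telemetry can catch before a whole share is encrypted. The following detector is an added example written for this article, not Barkly's or Check Point's code: it reads constructed rename events in an assumed "TIMESTAMP RENAME old -> new" format, treats a short alphanumeric extension outside a small allowlist as random-looking, and alerts on a burst of such renames inside a sliding time window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rename events (not real telemetry): an ordinary save-as,
# a burst shaped like the article's description (".cerber" from early versions,
# random extensions from newer ones, SQL Server .mdf/.ldf data files among the
# targets), one benign rename inside the burst, and one lone outlier.
SAMPLE_LOG = r"""
2017-01-05T10:00:01 RENAME C:\Users\bob\Docs\budget.xlsx -> C:\Users\bob\Docs\budget-v2.xlsx
2017-01-05T10:05:00 RENAME C:\Users\bob\Docs\report.docx -> C:\Users\bob\Docs\report.docx.cerber
2017-01-05T10:05:01 RENAME C:\Users\bob\Docs\q1.xlsx -> C:\Users\bob\Docs\q1.xlsx.b7f3
2017-01-05T10:05:01 RENAME C:\Users\bob\Docs\notes.txt -> C:\Users\bob\Docs\notes.txt.9a1c
2017-01-05T10:05:03 RENAME C:\Users\bob\Docs\old.docx -> C:\Users\bob\Docs\old.docx.bak
2017-01-05T10:05:04 RENAME C:\Data\sales.mdf -> C:\Data\sales.mdf.4f0a
2017-01-05T10:05:05 RENAME C:\Data\sales.ldf -> C:\Data\sales.ldf.c81e
2017-01-05T11:30:00 RENAME C:\Users\bob\Docs\draft.docx -> C:\Users\bob\Docs\draft.docx.7b2d
"""

# Extensions users legitimately rename to. This short allowlist is an
# assumption of the example, not a complete catalogue of file types.
KNOWN_EXTENSIONS = {"txt", "doc", "docx", "xls", "xlsx", "pptx", "pdf", "jpg",
                    "png", "csv", "zip", "bak", "tmp", "log", "mdf", "ldf"}
LINE_RE = re.compile(r"^(\S+) RENAME (.+?) -> (.+)$")

def is_suspicious_extension(path):
    """True for the fixed '.cerber' suffix or a short, random-looking extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext == "cerber" or (ext not in KNOWN_EXTENSIONS
                               and re.fullmatch(r"[0-9a-z]{2,6}", ext) is not None)

def detect_rename_bursts(log_text, window_seconds=60, threshold=5):
    """One alert per burst of >= threshold suspicious renames within a window."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and is_suspicious_extension(m.group(3)):
            hits.append(datetime.fromisoformat(m.group(1)))
    hits.sort()
    alerts, i = [], 0
    while i < len(hits):
        end, j = hits[i] + timedelta(seconds=window_seconds), i
        while j < len(hits) and hits[j] <= end:
            j += 1
        if j - i >= threshold:
            alerts.append({"start": hits[i].isoformat(), "count": j - i})
            i = j  # one alert per burst, then move past it
        else:
            i += 1
    return alerts
```

On the sample above the single lone rename at 11:30 never reaches the threshold, so only the 10:05 burst produces an alert; tune the window and threshold to the normal rename rate of the share you monitor.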
Is it possible to decrypt files encrypted by Cerber?
Unfortunately, while decryption tools were temporarily available for previous versions of Cerber, none currently exist for the most recent versions. Recovery options are limited to restoring from backup.
Preventing Cerber Infections
Because no decryption tool exists — and because putting the fate of your files (and possibly your job) solely in the hands of backup isn’t exactly the most thrilling prospect — the best way to protect your organization from Cerber ransomware is to:
- Prevent it from landing on machines in the first place (train your employees how to spot phishing emails and not to open email attachments if something feels off)
- Stop it at runtime like Barkly does in the video below:
Barkly’s runtime malware defense (RMD) serves as a last line of protection that blocks Cerber and other ransomware attacks even if a user accidentally initiates them.