Cerber Ransomware Now Hunts for Databases

ID 659158
Updated 10/25/2016
Version Latest



Cerber is one of the more popular ransomware packages and has upgraded itself to also target databases.  It is available for purchase as a service (ransomware as a service) on the darknet as part of an affiliate program.  The Cerber malware is part of a turn-key service which clients share 40% of their profits with the developers.  In turn, the Cerber team does all the work on the back-end to make it simple for their affiliates to distribute the malware and receive payments from victims, minus the overhead costs.

This update is significant.  It expands the capabilities to not only target consumers, but now businesses as well.  This shift is the latest trend with the top ransomware families.  Attackers have realized that consumers may pay $300-$500 for their files, businesses will may much more.  So as with most criminals, they pursue the money.

Three changes have been detected with the latest update. 

First, Cerber now changes the name extension of encrypted files to a random 4 characters.  Previously it changed the extension of altered files to “.Cerber3”.  This adaptation now makes it more difficult to scan for affected files.

Secondly, a new HTA file is used to display the ransom note and instructions in a window.  It is cleaner, provides links, and is more professional looking overall.  This gives a confidence to victims that they are dealing with professionals and should think they will receive the means to unlock their files if they pay.

Finally, and most importantly, the malware now attempts to stop database processes running on the target system so it can encrypt the data.  This is a significant shift from consumer to going after businesses who typically run databases containing important operational data.  When database files are open and being used by software, they cannot easily be encrypted.  Cerber is attempting to close the software so the files are then accessible to be encrypted for ransom.

Big business in most of the world

Security experts believe Cerber is based out of Russia because it goes out of its way to avoid systems configured with the Russian language.  The malware is written that if it finds one of those systems, it will not run, and they are safe.  But it has the rest of the world to target, and it does well.  Estimates vary, but range from $1 million to $2.5 million profit per year.  In August, Check Point Software and IntSights tracked 161 campaigns active with eight new being launched every day.  In July they tracked 150,000 new system infections, with an average extortion demand of one Bitcoin.


Watch Cerber infect as system


Cerber developers are pushing to the next evolution of ransomware by going after database files. Admins, watch your database processes for unexpected stops. It might be an indication of Cerber ransomware trying to undermine file integrity. But that would be the wrong time to consider instituting good backups and applying good security practices.

The best strategic cybersecurity capability process includes elements to Predict, Prevent, Detect, and Respond to risks. This holds true for protection against ransomware.  A solid data backup/restoration capability is important, as is quality anti-malware to block attacks.  Behavioral controls to educate users will reduce the single biggest infection vector; people opening infected phishing emails.  Rapid detection and sensors must be present to quickly raise the alarm for variants which were not avoided or stopped.  Recovery teams with clear processes, tools, and backups must then be activated to get things back to normal.  Ransomware is not easy to defeat, but the first step it to have a comprehensive plan and resources.  Cerber and others will continue to evolve.  Therefore, your security must be just as agile.


Additional Reference Resources:


Image Credit and a good write-up:http://www.bleepingcomputer.com/news/security/cerber-ransomware-switches-to-a-random-extension-and-ends-database-processes/

Video Credit: http://www.securityspyware.com/cerber-ransomware-virus-removal-decrypt-random-extension/


Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.