Attention people, there is a new player in the ransomware market.
It’s called Cerber ransomware.
From what we have gathered, it is a relatively young ransomware.
But hackers don’t care.
It works so well that Cerber ransomware has become the weapon of choice for hackers looking to break into organizations and extort money from their victims.
The Cerber ransomware allows hackers to encrypt a huge amount of data on computer machines.
Then the hackers can demand their ransom from the victim.
After the victim has paid, hackers oblige the victim with a decryption tool.
Cerber ransomware is young.
But it has matured rather quickly.
In other words, hackers are now running it like a franchise of sorts.
Cerber ransomware is not sitting on its laurels though.
It is evolving.
Now, Cerber ransomware can target large databases as well.
Hackers can use Cerber ransomware to go after big businesses as well.
Extorting big organizations has never been easier for hackers around the world.
Why Do Hackers Want to Hack Big Companies?
The answer is simple.
Big companies are usually easier targets, and they can pay a lot more money than individual consumers.
This fact is quite obvious.
That’s why security companies such as McAfee have constantly warned that hackers would now try to target big businesses with Cerber ransomware.
Moreover, security firms have also said that hackers will go after individual users they see as valuable targets.
With Cerber ransomware in hand, hackers encrypt their victim’s databases.
And they will not decrypt it unless and until the victim pays up.
During the month of July alone, hackers used the Cerber ransomware to launch over 160 campaigns.
Overall, these campaigns targeted over 150,000 online users.
How Much Do These Hackers Earn?
Hackers generated around $195,000 from Cerber Ransomware attacks in July alone.
Of that sum of $195,000, the developers behind ransomware families such as Cerber earned around $78,000.
Moreover, security researchers have estimated that those who develop such ransomware, together with those who deploy it in attacks, can earn anywhere between $1 million and $2.5 million per year.
An infosec firm by the name of Trustwave said back in 2015 that a capable ransomware creator could earn around $84,000 every month without even carrying out ransomware attacks.
All they have to do is sell those malware software applications to people on the dark web.
Matthew Rosenquist, a security strategist, recently said that cyber criminals will now increasingly target businesses rather than individuals, because that earns them more money from each ransomware attack.
Rosenquist also offered his insight on the issue and said that hackers had shifted their strategy for deploying Cerber ransomware.
He said that Cerber ransomware now attempts to block database processes running on the target computer system.
This way, Cerber ransomware can encrypt all of the data.
According to Rosenquist, this is a major shift in focus.
Hackers are indeed targeting more businesses than consumers.
Businesses Pay More. We Get It. But There Are More Reasons as Well.
Unlike consumers, businesses usually depend on databases to operate.
These databases contain important, and sometimes critical, operational data.
Hackers want to access these databases and encrypt them.
But here is the problem:
Hackers can’t encrypt these databases while their files are open and/or in use.
Of course, hackers know this.
This isn’t exactly the first time hackers have used ransomware to target businesses.
In fact, we can name several cyber attacks where hackers successfully encrypted databases and documents belonging to large organizations.
After encryption, as usual, hackers demanded handsome amounts of ransom as well.
Of course, these previous cyber attacks did not happen on a large scale.
Moreover, in these past cyber attacks, hackers appeared to prefer targeting a rather limited number of businesses and/or organizations.
Cerber ransomware is different.
According to Rosenquist, businesses should always stay alert.
He also recommends that they should keep a strict eye on their databases.
Especially the ones that are stopped deliberately.
The clearest indication that Cerber ransomware has encrypted a database is when the database abruptly stops working.
Cerber ransomware is currently invincible.
In other words, if Cerber ransomware encrypts your database, there is no known way to decrypt it.
Hence, Rosenquist believes, individuals and businesses alike must take extra precautions.
If they want to avoid a Cerber ransomware infection, they have to work harder at improving their database security.
Some security researchers at McAfee say that Cerber ransomware has evolved quite a lot since its first version.
They think that the latest version of Cerber ransomware differs from past versions in three main areas.
They are as follows:
Cerber ransomware can now alter the extensions of all encrypted files.
It alters them to four random characters.
Previously, it only changed them to the more manageable .cerber3.
Why have the hackers done that?
Of course, they want to make it much harder for modern anti-malware scanners to find and flag infected and affected files.
Cerber Ransomware now has a much more business-friendly, cleaner, and intuitive digital ransom note.
Now the digital ransom note comes in the form of an easy-to-understand executable file.
In other words, it looks professional and has a clean interface.
Hackers now give detailed instructions to victims on how they can pay them in order to get their files decrypted.
Security vendors, of course, will always tell you that you should never pay hackers.
Because you don’t have any guarantees that they will decrypt your encrypted files in return for your payment.
Hackers aren’t exactly honorable people.
So their promises are just that, promises.
Of course, hackers would like to think otherwise.
They see these digital ransom notes as an attempt to inspire some confidence in the victim.
Hackers hope that victims can trust them and hence pay up.
The only way to ensure that is to make sure victims know that hackers won’t simply run away with their money once they pay up.
Believe it or not, hackers want to decrypt a victim’s encrypted files.
Because they want to get paid.
And if they keep breaking their promises, there will come a time when no one pays them.
And this will break the entire business model.
Hence, hackers try their best to make victims pay them and then try their best again to decrypt encrypted files.
As mentioned before, hackers find it very hard to encrypt databases whose files are open and/or in use.
Software applications sometimes access these files and hackers can’t encrypt them while they are in use.
So does that mean that hackers can’t hack anyone now?
Of course not.
Hackers have now come up with newer malware that can stop database processes.
Once the malware has stopped the database processes running on the target’s computer systems, hackers can move in with their ransomware and encrypt all database files.
This point is the most pertinent one.
Because businesses usually run all sorts of databases.
And more often than not, these databases contain useful and important data.
McAfee has a specific warning for people who work as IT administrators.
The company says that they should watch their database processes for any unexpected stops.
According to McAfee, this is a big indication that Cerber ransomware is trying to undermine the database’s file integrity.
Of course, by that time it is too late.
No amount of good backups or security practices will do anything once the Cerber ransomware has started its work.
Hence businesses need professionals who are proactive and not reactive.
A security vendor by the name of CheckPoint found in August that Cerber ransomware ran about 161 active campaigns.
Moreover, it launched eight new campaigns each day during that period.
As a result of those campaigns, Cerber ransomware managed to successfully infect well over 150,000 online users around the world.
Let’s Detail Cerber Ransomware
As mentioned before, when security researchers examined Cerber ransomware activities back in July they found the following:
- It had conducted and launched more than 160 online campaigns
- Cerber ransomware targeted more than 150,000 online users
- It raked in a whopping $195,000 in US currency as profit in the month of July alone
- The developers behind Cerber ransomware earned around $78,000 in that month alone
We have already mentioned the fact that malware can earn its authors along with affiliates around $1 million per year.
Sometimes, that amount can go up to $2.5 million as well.
These figures are massive.
Especially when you consider that ransomware profits in 2015 had not risen to such levels.
Back then, authors of different malware products could earn around $84,000 per month.
But making those ransomware applications cost these authors around $6,000 a month.
How much profit is that?
Our calculations say that these malware and ransomware authors earned around 1425 percent of the total amount as profit.
Matthew Rosenquist, the security strategist, says that hackers chasing businesses is something he fully expected.
According to him, it is just part of an evolution process of ransomware.
Rosenquist recently told the media that Cerber ransomware can now stop database processes running on the victim’s computer system.
After that, it can encrypt all the data held in the database.
As mentioned before many times, Cerber ransomware is not the first and definitely not the last ransomware to target businesses.
The Register has actually received information on many private ransomware variants.
Hackers send these ransomware variants to a small number of specifically chosen organizations.
Organizations whose valuable documents and databases can be encrypted are the most attractive targets for hackers.
Hackers, after encrypting these databases, demand exorbitant amounts of ransom which can sometimes reach thousands of dollars.
Only after the victim has paid the said amount, do hackers release the decryption keys and supply them to the victims.
Advice For Administrators
Rosenquist has warned all IT administrators that they must stay alert about their databases.
To do that, they must monitor their databases at all times and look for any abrupt stoppages.
As mentioned before, an abrupt stop indicates that Cerber ransomware is starting the encryption process.
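The two detection hints the article gives, unexpected stops of database processes (the McAfee and Rosenquist advice) and files renamed to .cerber3 or to a four-random-character extension (the first of the three changes listed above), can be turned into an alerting rule. The script below is an added example written for this page; it is not code from the article, McAfee, CheckPoint or Rosenquist. It assumes a constructed, simplified event-log format (timestamp, event kind, details), an assumed set of database service names and an assumed allowlist of legitimate four-character extensions; the sample log lines are constructed for the example. A rename burst that follows an unexpected database stop within a few minutes is escalated, because that sequence is exactly the pattern the article describes.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Database services whose unexpected stop should raise an alert.
# Assumed names for this example; substitute the services actually deployed.
DB_SERVICES = {"MSSQLSERVER", "MySQL", "postgresql-x64-9.6", "OracleServiceORCL"}

# ".cerber3" is the older extension named in the article; newer builds use four random characters.
KNOWN_BAD_EXTS = {".cerber3"}
RANDOM_EXT = re.compile(r"^\.[a-z0-9]{4}$", re.IGNORECASE)
# Legitimate four-character extensions that must not count as "random" (assumed allowlist).
COMMON_EXTS = {".docx", ".xlsx", ".pptx", ".json", ".html", ".yaml", ".jpeg", ".webp", ".java"}

RENAME_WINDOW = timedelta(seconds=60)    # sliding window for counting suspicious renames
RENAME_THRESHOLD = 5                     # suspicious renames inside the window that trigger an alert
STOP_TO_ENCRYPT = timedelta(minutes=5)   # DB stop followed by a rename burst within this: Cerber pattern

# Constructed log format: "<ISO timestamp> <SERVICE_STOP|SERVICE_START|FILE_RENAME> <details>"
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>SERVICE_STOP|SERVICE_START|FILE_RENAME) (?P<rest>.*)$")

# Constructed sample events (not real telemetry): a scheduled stop, a benign rename,
# two unexpected database stops, then a burst of Cerber-style renames.
SAMPLE_EVENTS = r"""
2016-08-15T02:10:00 SERVICE_STOP MSSQLSERVER reason=scheduled-maintenance
2016-08-15T02:12:00 SERVICE_START MSSQLSERVER
2016-08-15T09:30:00 FILE_RENAME C:\Docs\report_draft.docx -> C:\Docs\report_final.docx
this line is not an event and must be skipped
2016-08-15T14:03:11 SERVICE_STOP MSSQLSERVER reason=unexpected
2016-08-15T14:03:12 SERVICE_STOP MySQL reason=unexpected
2016-08-15T14:03:20 FILE_RENAME C:\Data\sales.mdf -> C:\Data\sales.a7f2
2016-08-15T14:03:21 FILE_RENAME C:\Data\sales_log.ldf -> C:\Data\sales_log.b3c9
2016-08-15T14:03:21 FILE_RENAME C:\Data\hr.mdf -> C:\Data\hr.cerber3
2016-08-15T14:03:22 FILE_RENAME C:\Data\hr_log.ldf -> C:\Data\hr_log.1e9d
2016-08-15T14:03:23 FILE_RENAME C:\Docs\q3.xlsx -> C:\Docs\q3.zz0q
"""


def parse_event(line):
    """Parse one log line into a dict; return None for lines that are not events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
    if ev["kind"] in ("SERVICE_STOP", "SERVICE_START"):
        parts = m["rest"].split()
        ev["service"] = parts[0]
        # A stop with no recorded reason is treated as unexpected.
        ev["reason"] = next((p.split("=", 1)[1] for p in parts[1:] if p.startswith("reason=")), "unknown")
    else:
        src, _, dst = m["rest"].partition(" -> ")
        ev["src"], ev["dst"] = src.strip(), dst.strip()
    return ev


def looks_encrypted(src, dst):
    """True when a rename gives the file a Cerber-style extension (.cerber3 or four random characters)."""
    src_ext = ntpath.splitext(src)[1].lower()
    dst_ext = ntpath.splitext(dst)[1].lower()
    if dst_ext in KNOWN_BAD_EXTS:
        return True
    # Only count a changed extension that is four alphanumerics and not a known legitimate type.
    return dst_ext != src_ext and dst_ext not in COMMON_EXTS and bool(RANDOM_EXT.match(dst_ext))


def detect(lines):
    """Return alerts as (timestamp, severity, message) tuples, in time order."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent_renames = []      # timestamps of suspicious renames inside the sliding window
    last_db_stop = None      # time of the most recent unexpected database stop
    burst_reported = False   # one alert per burst, reset once the window empties

    for ev in events:
        if ev["kind"] == "SERVICE_STOP" and ev["service"] in DB_SERVICES:
            if ev["reason"] != "scheduled-maintenance":
                last_db_stop = ev["ts"]
                alerts.append((ev["ts"], "high", f"unexpected stop of database service {ev['service']}"))
        elif ev["kind"] == "FILE_RENAME" and looks_encrypted(ev["src"], ev["dst"]):
            recent_renames = [t for t in recent_renames if ev["ts"] - t <= RENAME_WINDOW]
            recent_renames.append(ev["ts"])
            if len(recent_renames) < RENAME_THRESHOLD:
                burst_reported = False
            elif not burst_reported:
                burst_reported = True
                # Stop-then-encrypt inside STOP_TO_ENCRYPT is the sequence the article describes.
                after_stop = last_db_stop is not None and ev["ts"] - last_db_stop <= STOP_TO_ENCRYPT
                severity = "critical" if after_stop else "high"
                alerts.append((ev["ts"], severity,
                               f"{len(recent_renames)} suspicious renames within {RENAME_WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for ts, severity, msg in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{ts.isoformat()} [{severity}] {msg}")
```

On the constructed sample this produces three alerts: two "high" alerts for the unexpected MSSQLSERVER and MySQL stops, and one "critical" alert when the fifth suspicious rename lands eleven seconds after the last stop. The scheduled-maintenance stop and the .docx rename produce nothing, which is the point of the allowlist and the reason field: the rule should fire on the stop-then-encrypt sequence, not on routine operations.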
We also know that currently there is no way to decrypt files that Cerber ransomware encrypts.
Hackers have already updated Cerber ransomware, and now even decryption tools such as those of CheckPoint can’t decrypt it.
Of course, security engineers around the globe are continually working hard to find side-channel vulnerabilities and weaknesses in its implementation, though the pool of such techniques is shrinking.
Security experts think this will help them decrypt files encrypted by Cerber ransomware.
All of this shows that Cerber ransomware is indeed a high-quality encrypting ransomware.
Is Anyone Doing Anything About Cerber Ransomware?
The NoMoreRansom alliance has taken up the problem formally.
The alliance has previously unified siloed and scattered associations.
This has helped the alliance decrypt even the most powerful ransomware products.
Malware researchers are also carrying out a furious effort, which has let them score rather well against many variants of different ransomware.
The only types of ransomware that malware researchers have had no luck with are:
- Cerber ransomware
Apart from these three, the alliance has broken all other ransomware operations.
So what should a Cerber ransomware victim do?
Well, first, let us assume that the victim has found a way to decrypt the Cerber ransomware encrypted files.
In that case, the user can try out Trend Micro’s decryption tool, which Trend Micro updates on a regular basis.
For now, that is the only way to decrypt infected files.