Ransomware boomed last year, with the malicious file-encrypting software rising to become arguably the biggest menace on the web.
While hundreds of ransomware variants extorted payments from victims in return for unlocking files, it was Locky which was the most dominant family. But after outright dominating the ransomware landscape last year – and playing a large role in costing victims over $1bn during 2016 – Locky has virtually fallen off the face of the earth in 2017, making way for Cerber to become the King of ransomware.
Analysis published in Malwarebytes’ newly released Cybercrime Tactics and Techniques Q1 2017 report shows just how dominant Cerber has become, eclipsing every other ransomware family combined many times over, accounting for 90 percent of Windows ransomware (ransomware accounts for 60 percent of all malware attacks on Windows).
That leaves Locky with just two percent of the market share; it’s even fallen behind new ransomware variants such as Sage and Spora, which accounted for 4 percent and 2 percent of attacks in March respectively.
So why has Cerber become so dominant? Like those developing legitimate software, increasingly professionalised cybercriminal developers need to innovate in order to stay ahead of the pack. One aspect which has enabled Cerber to thrive is how it was one of the first major ransomware families to offer itself out to prospective cybercriminals as part of a ‘ransomware-as-a-service’ deal. The developers lease out the ability to use Cerber to others – in return for a cut of the ill-gotten gains.
By spreading Cerber through this affiliate scheme, it’s “very easy for non-technical criminals to get their hands on a customized version of the ransomware”, note cybersecurity researchers at Malwarebytes.
Another factor contributing to the rise of Cerber is that those behind it are constantly upgrading it with new features and evasion techniques. Cybersecurity researchers at Trend Micro recently detailed how Cerber has gained the ability to evade detection by cybersecurity tools which use machine learning to identify threats.
This Cerber variant is, like most ransomware, delivered by a malicious phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload.
It’s ultimately making it harder to detect before infection, therefore making it more popular amongst cybercriminals looking for the best chance of extorting payments. There’s also a problem for cybersecurity professionals in that there’s almost no indication of who is behind Cerber, making it difficult to try to stop.
“It would likely take interaction from law enforcement to halt operations and shut the ransomware down. However, saving a huge mistake from one of the group members that gives some hint as to their identities, it’s unlikely this malware will vanish before the end of Q2,” the report warns.
But as much as the newfound success of Cerber can be attributed to the sophisticated nature of the ransomware itself, the fact that the previously dominant Locky suddenly went into decline has to be accounted for – it left a hole to be filled; after all, it accounted for 70 percent of all ransomware once and has now dropped to two percent.
One of the key reasons, it seems, is that the botnet tasked with distributing Locky ransomware via spam emails has moved on to other priorities.
The Necurs network, previously used to distribute Locky, suddenly surged back to life last month; but this time those behind the botnet are using their army of zombie devices not to distribute ransomware, but fake stock tips for ‘pump and dump’ scams.
Cybersecurity researchers at Malwarebytes also offer up another, simple reason why Locky has suddenly become just another ransomware also-ran; those behind Locky stopped developing new versions – although that just means that its cybercriminal operators have moved on to other schemes, like the email scams.
But it doesn’t mean organisations have any cause to breathe a sigh of relief – because those who used Locky to target their networks are more than likely now just attempting to do so with Cerber – which, for now at least, seems more difficult to stop than Locky was and set to remain the big dog of ransomware for the foreseeable future; especially if it continues to evolve in new ways.
“We’ve already observed evolution in its distribution mechanisms and it’s likely they will continue to do this to ensure that their malware can infect users effectively. It might also start instituting additional functionality like different files to target and increasing victim support capabilities,” says Adam Kujawa, lead malware intelligence analyst.
“However it’s hard to predict the exact modifications Cerber will make, the only definite is that it’s not going away,” he adds.