A new iteration of Cerber ransomware is causing headaches for enterprise workers.

The widespread and ever-evolving Cerber ransomware has upped its game and is now targeting enterprises with a new capability to encrypt database files, according to a new report from Trend Micro.

Holding hostage essential database files is believed to be an attempt to maximize earnings for the miscreants behind this latest iteration, said Mary Yanbao and Francis Antazo, threat response engineers at Trend Micro and co-authors of the report.

Cerber ransomware, a service offered on Russian underground web markets to entry-level cyberthieves, is already available in a number of versions, some of which come loaded with a DDoS component, employ double-zipped Windows Script Files, or enlist a cloud productivity platform. As the developers rake in a 40 percent commission from their so-called affiliates, there's incentive to keep evolving the malware, the report stated. The developers reportedly earned $200,000 in July this year alone.

In a deep dive into how Cerber spreads, the authors took a look at a spam email campaign that arrives seemingly from an online payment provider and dupes recipients with a notice that their credit line is maxed out. Other campaigns sent a phony invoice with Word documents loaded with a macro. In either case, clicking the infected link delivers the ransomware along with a .zip file containing malicious JavaScript.

At that point, encryption commences on fixed and removable drives, as well as shared network folders and even RAM disks, looking particularly to target files involved in accounting, payroll and health care database software. 

This focus leads the authors to posit that the tactic signals a shift toward enterprise operations where disruption of the business would prove costly in terms of downtime.

One mitigation strategy they proffer is to regularly back up important corporate assets. As a number of the ransomware variants also use privileged/administrator accounts to carry out their routines – such as terminating processes – the authors also advise the use of a privilege management policy to help limit the malware's entry points for infection. They also suggest a multilayered approach to security – "from the gateway, endpoints, networks and servers."