The Cerber family of ransomware has spawned a new iteration, v6, in its continuing escalation to take the top spot from Locky, according to a post on a Trend Micro blog.
First emerging on the Russian underground marketplace in March 2016, Cerber has been issued in a number of versions with each iteration evolving its structure, techniques and functions. It is now being cited by Trend Micro as the “most prolific family of ransomware in the threat landscape.”
The file-encrypting malware is readily accessible on underground markets to would-be extortionists who can rent the ransomware as a service, reportedly earning the developers as much as $200,000 in commission in one month last year.
Enterprises as well as individuals in the United States are a primary target, said the Trend Micro researchers, with campaigns hitting various sectors, including education, manufacturing, public sector, technology, healthcare, energy and transportation.
While it has always been frisky in evading capture, Cerber v6 has adapted “multipart arrival vectors and refashioned file encryption routines,” the researchers found. As well, the malware defends itself with anti-sandbox and anti-AV strategies.
Upon analysis, the researchers detected that the JS files download and execute a payload, create a scheduled task to run Cerber after two minutes, or run an embedded PowerShell script. The delay enables the malware to evade detection by a sandbox.
The new version has also improved its check for file extensions, firewall, anti-virus and anti-spyware products loaded on the targeted device.
“Cerber’s evolution reflects the need for organizations and end-users to be aware of today’s constantly evolving threats,” the Trend Micro researchers concluded.
Keep systems up-to-date, take caution against unsolicited and suspicious emails, regularly back up important files, and cultivate a culture of cybersecurity in the workplace, they advised.