Cerber wins ransomware wars

Cerber ransomware has beaten out Locky for the top spot in the ransomware market. A new report from Malwarebytes details its findings from the first quarter of 2017.

Cerber has dramatically claimed victory over its competitors, taking up nearly 30 percent of ransomware detections. In second place came Locky, with just over five percent of local detections.

Other families didn't even come close, with Cerber taking a massive slice of the market share and rival families only receiving crumbs.

Named for the mythological dog guarding the gates of Hell, Cerber offers military grade encryption and a service model which allows it to be used by even unsophisticated attackers.

In previous reports, Malwarebytes called it “pretty powerful ransomware written with attention to detail.” The company touted its “rich customisation options and various tricks to make analysis harder.”

Cerber's success largely comes at the cost of Locky's, a piece that largely defined ransomware in 2016 but by the end of March, noted Malwarebytes, had “all but vanished”.

Since its inauspicious birth in February 2016, Locky has been a very popular brand of ransomware among cyber-criminals and was regularly updated with new techniques.

Like most malware, it has been traditionally delivered via an email and activated when its unlucky victims opt to enable the macros on an attached document. Once that trap is sprung, Locky sets about encrypting the files on the targeted computer.

Locky has been seen in a variety of high profile attacks including the 2016 breach on the Hollywood Presbyterian Medical Centre, in which the hospital had to pay US $17,000 (£13,600) to retrieve its data.

So why the decline? Locky took a dramatic tumble in November 2016 and has yet to recover, signalling what some believe to be its long-term slide into obscurity. A nearly 70 percent ransomware market share at the end of 2016 turned into less than two percent by March 2017.

Observers, including the report's authors, point to two principal reasons. First is Locky's abandonment by the massive Necurs botnet, which had once been the prime driver of the Dridex banking Trojan. In the middle of 2016, Necurs' use of Locky dropped off and since then the botnet's interest seems to have diversified into more sophisticated scams such as financial fraud spam.

The second reason is that Locky, unlike Cerber, has not released any new versions in 2017, leading the authors to believe that its authors have either lost interest in the ransomware or been arrested.

While “we should all be thankful that one of the most dangerous families of ransomware seems to have vanished for the time being, we do still need to worry about an overpowered and heavily distributed Cerber,” said the report.

The report predicts that Cerber is not going anywhere anytime soon. Various factors are expected to contribute to the ransomware brand's future resilience.

Its continuing use of the Ransomware as a Service (RaaS) model allows Cerber to be deployed ‘on demand' and by those who are essentially unskilled in technology.

Aside from its impressive array of military grade and offline encryption, Cerber is aggressively updated. It has most recently been updated to evade machine learning antivirus solutions and the sandboxing that security researchers so often employ to analyse malware.

The authors note that “since the creators of Cerber continue to develop and sell the ransomware to affiliates, it would likely take interaction from law enforcement to halt operations and shut the ransomware down.” Barring some monumental blunder on the part of its authors, Malwarebytes reminds us to expect continued growth into quarter two.

Malwarebytes also tips another ransomware family, Spora, to do well in the near future. It is not going to overtake Cerber, but looks likely to be a real moneymaker for its authors due to its secure encryption and superior customer service.
