Rise of Cerber Ransomware


The malicious activities of Cerber Ransomware started in February 2016, and have continuously evolved since then. Now it has become one of the most encountered ransomware families pushing others including Locky behind. According to the latest statistics, Cerber has the highest share rate of 25.97%. The evolution of this malware mostly happened through distribution process with a focus on exploit kits, compromised websites, and email distribution. It is especially prevalent in the US, Asia, and Western Europe.

Cerber Attack

Cerber generally enters the system/ PC through spam email downloaders or malicious web sites. Both macros and OLE objects are used to deliver Cerber. Malware authors can malevolently use OLE or macros to deliver malware to the victims. It has been seen that malicious files take the help of Visual Basic Script (VBS) and JavaScript to download Cerber from a command server.
The other infection scenario is when any user visits a malicious website that hosts an exploit kit. It finds out the vulnerabilities of the PC and targets those vulnerabilities to inject the infection. Eventually, this allows the exploit kit to download Cerber in the PC. Neutrino, Angler and Magnitude exploit kits are known for distributing Cerber.
Like other ransomware, Cerber also encrypts files and gives recovery instructions to the victim. Cerber instructs both in .html and .txt formats and replaces the desktop wallpaper too. In addition, Cerber includes a synthesized audio message. What is more important is that the ransom message gives indications to the victims about Cerber trying to show Internet as a safer place and they do not mention about the ransom to decrypt the files. After investigation, it has been seen that the ransom appears in the form of bitcoins.


eScan, now debuts a Proactive Behavioral Analysis Engine (PBAE) that monitors the activity of all the processes on the Local Machine and whenever PBAE encounters an activity or behavior, which is reminiscent of a Ransomware, a red flag is raised and the process is rendered inactive from conducting any further damage. However, Ransomware is also known to encrypt files residing on the network share, in such cases, when an infected non-protected system is accessing the Network Share of a protected system and tries to modify the files residing over there, PBAE, will immediately invalidate the network session. Besides, the below precautionary measures are also important:
• Update your antivirus software regularly and protect your system from Malware attacks.
• Always download apps from their official website or Google Play Store instead of unknown sources because of unreliability.
• Download applications of a reliable app developer. In addition, check the user ratings and reviews of the app before download.
• Ensure that all the software installed in your system are updated frequently, including Oracle, Java and Adobe.
• Implement a three dimensional security policy in your organization, i.e. firstly understand your requirement based on which IT Security policy would be prepared accordingly. Secondly, educate your staff about the policy and finally enforce it.
• Make sure you either implement MailScan at gateway level or enable Mail Anti-virus on endpoint in order to block extensions such as *.EXE, *.SCR, *.JS, *.VBE etc. These attachments would infect your system.
• Open emails only if you are positive about the source.
• Regularly create backup of your important files.

This entry was posted in eScan 11, eScan 14, MailScan, Security and tagged , , , , , , , . Bookmark the permalink.