End of the road for Locky: Cerber is the new king of Ransomware
A new version of the notorious Cerber ransomware family, Cerber3, has been discovered. It now leads the ransomware market, leaving its competitors behind. At the moment it is among the most dangerous threats in circulation because of the new functionality the malware has gained, so it is highly unlikely that the spread of Cerber3 will slow in the coming months.
Its rise is driven by the adoption of a Ransomware-as-a-Service business model and by robust encryption that works offline: the malware does not need to reach a command-and-control server before it starts encrypting files.
Cerber3 is expected to make an even bigger splash as it renders Locky obsolete. It is a more focused ransomware that differs from previous versions, but it is still delivered by malicious phishing e-mail. The e-mail contains a Dropbox link that downloads a self-extracting archive carrying the malware payload.
Cerber3 appends the “.cerber3” extension to encrypted files and drops a ransom note named “# HELP DECRYPT #.txt”. The locked data stays hostage on the PC until the ransom is paid.
Users are advised to stay alert, since anti-virus products often fail to flag a brand-new threat. Double-check e-mail attachments before opening them, and do not open any e-mail that looks shady. There is currently no free decryptor for Cerber3.
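The two indicators named above (the “.cerber3” extension and the “# HELP DECRYPT #.txt” note) are enough for a first triage pass over a suspect machine or file share. The script below is an added example written for this article, not code from the original page or from any vendor tool: it walks a directory tree, counts encrypted files per folder and lists the folders that received a ransom note. The sample tree it builds is constructed placeholder data, not real malware output.

```python
import os
import tempfile
from collections import Counter

# Indicators named in the article: encrypted files carry the ".cerber3"
# extension and every affected folder receives this ransom note.
ENCRYPTED_EXT = ".cerber3"
RANSOM_NOTE = "# HELP DECRYPT #.txt"


def scan_tree(root):
    """Walk `root` and collect Cerber3 indicators.

    Returns a dict with the total number of encrypted files, a per-directory
    count of encrypted files (so responders can see which shares were hit
    hardest), the directories that contain a ransom note, and an overall
    infected/not-infected verdict.
    """
    encrypted_by_dir = Counter()
    note_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted_by_dir[dirpath] += 1
    total = sum(encrypted_by_dir.values())
    return {
        "encrypted_files": total,
        "encrypted_by_dir": dict(encrypted_by_dir),
        "note_dirs": sorted(note_dirs),
        "infected": total > 0 or bool(note_dirs),
    }


def build_sample_tree():
    """Create a constructed sample tree that mimics a hit share.

    The file names and contents are placeholders made up for this example.
    """
    root = tempfile.mkdtemp(prefix="cerber3_demo_")
    layout = {
        "Documents": ["report.docx.cerber3", "budget.xlsx.cerber3", RANSOM_NOTE],
        "Pictures": ["holiday.jpg.cerber3", RANSOM_NOTE],
        "Clean": ["readme.txt"],
    }
    for folder, names in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path)
        for name in names:
            with open(os.path.join(path, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


def demo():
    """Scan the constructed sample tree (3 encrypted files, 2 notes)."""
    return scan_tree(build_sample_tree())


def demo_clean():
    """Scan an empty directory; nothing should be flagged."""
    return scan_tree(tempfile.mkdtemp(prefix="cerber3_clean_"))


if __name__ == "__main__":
    result = demo()
    print("infected:", result["infected"])
    print("encrypted files:", result["encrypted_files"])
    for folder in result["note_dirs"]:
        print("ransom note in:", folder)
```

Point `scan_tree` at a mounted share or a forensic image to get the same summary for a real incident; the per-directory counts also tell you how far the scan in the encryption phase got before the machine was isolated.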
What is Ransomware-as-a-Service?
It is a ransomware platform set up by skilled coders and cyber criminals so that criminally minded people without technical expertise can spread malware on their own. The operators rent out these platforms and take a commission on every ransom paid, allowing affiliates who scour Dark Web marketplaces to exploit helpless victims.
Building such a malware platform requires extensive knowledge that an average person does not possess. RaaS lets individuals with malicious intent obtain working ransomware regardless of their programming skills.
What does Cerber do to the system?
The first thing it does after installation is to configure the system so that it goes through several reboots, helping the malicious code take over the machine. To this end, the ransomware displays a number of rogue notifications; when these are force-closed, the system reboots.
The next phase is data encryption: the malware scans the hard drive and any reachable network shares. During the scan it skips several directories, including Program Files, ProgramData, Windows, Drivers, and AppData\Local. Everything else found during the scan is encrypted with the Advanced Encryption Standard (AES), after which the ransom note is displayed.
Protection against Ransomware
The best protection against ransomware is caution: do not get infected in the first place. In most cases the malware enters a system when a user opens a malicious e-mail attachment or clicks a link that redirects to an infected website, which then installs the malware.
In practice that means not opening suspicious e-mails, not clicking links sent by unknown parties, and keeping security software that scans for malware and ransomware up to date.
To avoid Cerber3 and other file-encrypting infections in the future, follow the simple recommendations below:
- Tighten your mail provider’s default protection settings. Configure its anti-spam filters to quarantine potentially harmful incoming messages rather than delivering them.
- Restrict specific file extensions in incoming e-mail. Attachments with the following extensions should be blocklisted: .js, .vbs, .docm, .hta, .exe, .cmd, .scr, and .bat. Be equally careful before downloading or unzipping ZIP archives received by e-mail, since the same file types are often hidden inside them.
- Rename or restrict access to vssadmin.exe so that ransomware cannot use it to delete all Volume Shadow Copies in one shot. This removes only one of several tools for the job (WMI and PowerShell can delete shadow copies as well), so treat it as a speed bump, not as a substitute for offline backups.
- Keep your firewall active and updated at all times. It can stop crypto-ransomware from communicating with its command-and-control (C&C) server. Note that a strain that encrypts offline, as Cerber3 does, does not need that connection to encrypt your files, so the firewall complements backups rather than replacing them.
- Back up your files regularly, and make sure the backup medium is not permanently connected to the device; otherwise the malware can encrypt the backups too.
- Use anti-malware software with up-to-date definitions so that ransomware-specific behaviour is recognised and the infection is blocked.
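The attachment rule above is easy to state but is usually defeated by double extensions (“Invoice.PDF.js”) and by wrapping the payload in a ZIP. The filter below is an added example written for this article, not code from the original page or from any mail product: it applies the article’s extension blocklist case-insensitively to the final extension of every attachment and to every member of a ZIP archive, and it treats a file that is named .zip but will not open as suspicious. The message it inspects is constructed sample data with placeholder contents, not a real lure.

```python
import io
import os
import zipfile

# Extensions the article recommends blocking in incoming mail.
BLOCKED_EXTENSIONS = {".js", ".vbs", ".docm", ".hta", ".exe", ".cmd", ".scr", ".bat"}
# Archive types we open in memory and inspect member by member.
ARCHIVE_EXTENSIONS = {".zip"}


def blocked_reason(filename):
    """Return why `filename` is blocked, or None if it is allowed.

    Only the final extension matters and the comparison is case-insensitive,
    so "Invoice.PDF.js" and "setup.EXE" are both caught.
    """
    _, ext = os.path.splitext(filename.lower())
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    return None


def inspect_attachment(filename, data):
    """Check one attachment (name plus raw bytes).

    ZIP archives are opened in memory and each member name is run through
    the same rule, because the blocked types usually arrive inside a ZIP
    precisely to slip past a filter that only looks at the outer name.
    Returns a list of reasons; an empty list means the attachment passes.
    """
    reasons = []
    reason = blocked_reason(filename)
    if reason:
        reasons.append(f"{filename}: {reason}")
    _, ext = os.path.splitext(filename.lower())
    if ext in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = blocked_reason(member)
                    if inner:
                        reasons.append(f"{filename} -> {member}: {inner}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: corrupt or non-ZIP data with a .zip name")
    return reasons


def filter_message(attachments):
    """Split a message's (name, bytes) attachments into allowed and blocked lists."""
    allowed, blocked = [], []
    for name, data in attachments:
        reasons = inspect_attachment(name, data)
        (blocked if reasons else allowed).append((name, reasons))
    return allowed, blocked


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    # Constructed sample message: names and contents are made up for
    # illustration and contain no real malware.
    attachments = [
        ("quarterly_report.pdf", b"%PDF-1.4 placeholder"),
        ("Invoice_2016.PDF.js", b"// placeholder"),
        ("scan.zip", make_zip({"scan.pdf": b"%PDF-1.4", "scan_doc.JS": b"//"})),
        ("photos.zip", make_zip({"a.jpg": b"\xff\xd8"})),
        ("broken.zip", b"not a zip"),
    ]
    return filter_message(attachments)


if __name__ == "__main__":
    allowed, blocked = demo()
    for name, _ in allowed:
        print("ALLOW", name)
    for name, reasons in blocked:
        print("BLOCK", name, "|", "; ".join(reasons))
```

Running the sample message allows the plain PDF and the ZIP of images, and blocks the double-extension script, the ZIP hiding a .JS file, and the unreadable .zip. Nested archives (a ZIP inside a ZIP) are not unpacked here; a production filter should recurse with a depth limit.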
These techniques add an extra layer of ransomware protection to your security setup.
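Because renaming vssadmin.exe only closes one door, the more durable control is to watch process-creation logs for any of the usual shadow-copy deletion commands. The detector below is an added example written for this article, not code from the original page or from any SIEM product. It parses a flattened, constructed log format (one line per process start, standing in for Sysmon Event ID 1 or Security event 4688), flags the vssadmin, wmic and PowerShell/WMI variants of the deletion, and leaves the benign `vssadmin list shadows` alone. The log lines are constructed sample data.

```python
import re

# Command lines commonly used to wipe Volume Shadow Copies before encryption.
# vssadmin is the tool the article mentions; wmic and PowerShell reach the same
# result, which is why renaming vssadmin.exe alone is not enough.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell-wmi", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I | re.S)),
]

# Constructed log format for this example (not a real Windows event layout):
#   <timestamp> host=<name> pid=<n> image=<path> cmdline=<rest of line>
EVENT_RE = re.compile(
    r"(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"image=(?P<image>\S+)\s+cmdline=(?P<cmd>.*)$"
)


def parse_process_event(line):
    """Parse one process-creation line into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify(cmdline):
    """Return the name of the matching deletion technique, or None."""
    for name, pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(cmdline):
            return name
    return None


def detect(lines):
    """Run every log line through the detector and return a list of alerts."""
    alerts = []
    for line in lines:
        ev = parse_process_event(line)
        if ev is None:
            continue  # malformed or unrelated line
        hit = classify(ev["cmd"])
        if hit:
            alerts.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "pid": int(ev["pid"]),
                "technique": hit,
                "cmdline": ev["cmd"],
            })
    return alerts


# Constructed sample log: a normal process, three deletion variants, one
# benign administrative vssadmin call, and one malformed line.
SAMPLE_LOG = [
    r"2016-09-01T10:02:11Z host=WS-041 pid=3120 image=C:\Windows\explorer.exe cmdline=C:\Windows\explorer.exe",
    r"2016-09-01T10:02:14Z host=WS-041 pid=4188 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin.exe Delete Shadows /All /Quiet",
    r"2016-09-01T10:02:15Z host=WS-041 pid=4190 image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic shadowcopy delete",
    r'2016-09-01T10:02:16Z host=WS-041 pid=4201 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    r"2016-09-01T10:05:00Z host=WS-041 pid=4400 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin list shadows",
    "malformed line without fields",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['host']} pid={alert['pid']} "
              f"{alert['technique']}: {alert['cmdline']}")
```

Three deletion attempts within seconds of each other on one host, as in the sample, is a strong signal that encryption is about to start; wiring this alert to automatic network isolation of the host buys the time the backups need.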