Analysis published in Malwarebytes' new Cybercrime Tactics and Techniques Q1 2017 report shows just how dominant Cerber has become. It has eclipsed every other ransomware family combined many times over, accounting for 90 percent of Windows ransomware (ransomware accounts for 60 percent of all malware attacks on Windows).
That leaves Locky with just two percent of the market share; it's even fallen behind new ransomware variants such as Sage and Spora, which accounted for four percent and two percent of attacks in March respectively.
So why has Cerber become so dominant? Like those developing legitimate software, increasingly professionalised cybercriminal developers need to innovate in order to stay ahead of the pack. One aspect which has enabled Cerber to thrive is how it was one of the first major ransomware families to offer itself out to prospective cybercriminals as part of a 'ransomware-as-a-service' deal. The developers lease out the ability to use Cerber to others -- in return for a cut of the ill-gotten gains.
By spreading Cerber through this affiliate scheme, it's "very easy for non-technical criminals to get their hands on a customized version of the ransomware", security researchers at Malwarebytes said.
This Cerber variant is, like most ransomware, delivered by a phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload.
That's ultimately making Cerber harder to detect before infection, and so more popular amongst cybercriminals looking for the best chance of extorting payments. There's also a problem for IT security professionals in that there's almost no indication of who is behind Cerber, making it difficult to try to stop.
"It would likely take interaction from law enforcement to halt operations and shut the ransomware down. However, saving a huge mistake from one of the group members that gives some hint as to their identities, it's unlikely this malware will vanish before the end of Q2," the report warns.
But as much as the newfound success of Cerber can be attributed to the sophisticated nature of the ransomware itself, the sudden decline of the previously dominant Locky also has to be accounted for: it left a hole to be filled. After all, Locky once accounted for 70 percent of all ransomware and has now dropped to two percent.
One of the key reasons, it seems, is that the botnet tasked with distributing Locky ransomware via spam emails has moved onto other priorities.
Security researchers at Malwarebytes also offer up another simple reason why Locky has suddenly become just another ransomware also-ran: those behind Locky stopped developing new versions -- although that just means its cybercriminal operators have moved on to other schemes, such as email scams.
But it doesn't mean organisations have any cause to breathe a sigh of relief. Those that used Locky to target their networks are more than likely now just attempting to do so with Cerber -- which for now at least, seems more difficult to stop than Locky was, and will remain the big dog of ransomware for the foreseeable future, especially if it continues to evolve in new ways.
"We've already observed evolution in its distribution mechanisms and it's likely they will continue to do this to ensure that their malware can infect users effectively. It might also start instituting additional functionality like different files to target and increasing victim support capabilities," Adam Kujawa, lead malware intelligence analyst at Malwarebytes, said.
"However, it's hard to predict the exact modifications Cerber will make; the only definite is that it's not going away," he adds.