Ransomware: Why one version of this file-encrypting nightmare now dominates

Move over Locky; there's a new king of ransomware...
Written by Danny Palmer, Senior Writer

Cerber has risen to become the most dominant family of ransomware.

Image: Malwarebytes

Ransomware boomed last year, with the malicious file-encrypting software rising to become arguably the biggest menace on the web.

While hundreds of ransomware variants extorted payments from victims in return for unlocking files, Locky was the most dominant family. But after outright dominating the ransomware landscape last year -- and playing a large role in costing victims over $1bn during 2016 -- Locky has virtually fallen off the face of the earth in 2017, making way for Cerber to become the king of ransomware.

Analysis published in Malwarebytes' new Cybercrime Tactics and Techniques Q1 2017 report shows just how dominant Cerber has become. It has eclipsed every other ransomware family combined many times over, accounting for 90 percent of Windows ransomware (ransomware itself accounts for 60 percent of all malware attacks on Windows).

That leaves Locky with just two percent of the market share; it's even fallen behind new ransomware variants such as Sage and Spora, which accounted for four percent and two percent of attacks in March respectively.


Ransomware 'market shares' in the first quarter of 2017

Image: Malwarebytes

So why has Cerber become so dominant? Like those developing legitimate software, increasingly professionalised cybercriminal developers need to innovate in order to stay ahead of the pack. One aspect which has enabled Cerber to thrive is how it was one of the first major ransomware families to offer itself out to prospective cybercriminals as part of a 'ransomware-as-a-service' deal. The developers lease out the ability to use Cerber to others -- in return for a cut of the ill-gotten gains.

By spreading Cerber through this affiliate scheme, it's "very easy for non-technical criminals to get their hands on a customized version of the ransomware", security researchers at Malwarebytes said.

Another factor contributing to the rise of Cerber is that those behind it are constantly upgrading it with new features and evasion techniques. Researchers at Trend Micro recently detailed how Cerber has gained the ability to evade detection by cybersecurity tools which use machine learning to identify threats.

This Cerber variant is, like most ransomware, delivered by a phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload.
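The delivery chain above gives mail-filtering teams something concrete to look for: a link to a file-hosting service that resolves directly to an executable or self-extracting archive rather than a document. The following is an added example, not code from the article or from Malwarebytes or Trend Micro, of a simple triage check over email bodies. The Dropbox host names and the list of "risky" file extensions are assumptions for illustration; the article only says the link points to Dropbox and that the payload self-extracts. The sample messages are constructed, not captured mail.

```python
import re
from urllib.parse import urlparse

# Assumed for illustration: Dropbox-hosted download domains and file
# extensions that a mail filter would treat as likely payload carriers.
DROPBOX_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".zip", ".rar", ".7z"}

# Matches http(s) URLs up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Return every URL found in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(body)]


def is_dropbox_payload_link(url):
    """True when the URL is Dropbox-hosted and its path names a risky file type."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in DROPBOX_HOSTS:
        return False
    # Last path component, ignoring the query string (e.g. ?dl=1).
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    return any(filename.endswith(ext) for ext in RISKY_EXTENSIONS)


def flag_messages(messages):
    """Return (message_id, url) pairs for every link that trips the check."""
    hits = []
    for msg in messages:
        for url in extract_urls(msg["body"]):
            if is_dropbox_payload_link(url):
                hits.append((msg["id"], url))
    return hits


# Constructed sample messages for the demonstration (not real captured mail).
SAMPLE_MESSAGES = [
    {"id": "m1", "body": "Invoice attached: https://www.dropbox.com/s/abc123/Invoice_0417.exe?dl=1 ."},
    {"id": "m2", "body": "Meeting notes https://www.dropbox.com/s/def456/notes.pdf?dl=0"},
    {"id": "m3", "body": "See https://example.com/report.zip for the archive."},
]

if __name__ == "__main__":
    for msg_id, url in flag_messages(SAMPLE_MESSAGES):
        print(f"{msg_id}: {url}")
```

Only the first message is flagged: it is Dropbox-hosted and names an executable. The second is Dropbox-hosted but points at a document, and the third names an archive on a different host, so neither matches. In practice this is a triage signal to route such mail to sandboxing or manual review, not a block rule on its own, since legitimate users do share archives via Dropbox.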

That's ultimately making Cerber harder to detect before infection, and so more popular amongst cybercriminals looking for the best chance of extorting payments. There's a further problem for IT security professionals: there is almost no indication of who is behind Cerber, which makes the operation difficult to disrupt.

"It would likely take interaction from law enforcement to halt operations and shut the ransomware down. However, saving a huge mistake from one of the group members that gives some hint as to their identities, it's unlikely this malware will vanish before the end of Q2," the report warns.

But as much as the newfound success of Cerber can be attributed to the sophistication of the ransomware itself, the sudden decline of the previously dominant Locky also has to be accounted for. It left a hole to be filled: Locky once accounted for 70 percent of all ransomware and has now dropped to two percent.

One of the key reasons, it seems, is that the botnet tasked with distributing Locky ransomware via spam emails has moved onto other priorities.

The Necurs botnet, previously used to distribute Locky, suddenly surged back to life last month. This time, however, those behind it are using their army of zombie devices not to distribute ransomware, but to push fake stock tips for 'pump and dump' scams.

Security researchers at Malwarebytes also offer up another simple reason why Locky has suddenly become just another ransomware also-ran: those behind Locky stopped developing new versions. That does not mean the threat has gone away; its cybercriminal operators have simply moved onto other schemes, like the email scams.

But it doesn't mean organisations have any cause to breathe a sigh of relief. Those that used Locky to target their networks are more than likely now just attempting to do so with Cerber -- which for now at least, seems more difficult to stop than Locky was, and will remain the big dog of ransomware for the foreseeable future, especially if it continues to evolve in new ways.

"We've already observed evolution in its distribution mechanisms and it's likely they will continue to do this to ensure that their malware can infect users effectively. It might also start instituting additional functionality like different files to target and increasing victim support capabilities," Adam Kujawa, lead malware intelligence analyst at Malwarebytes, said.

"However, it's hard to predict the exact modifications Cerber will make; the only definite is that it's not going away," he adds.
