Microsoft detected more enterprise PCs infected by Cerber than any other ransomware family over the 2016-17 holiday season.
Researchers at the Microsoft Malware Protection Center tracked 2,114 Cerber encounters on enterprise endpoints between 16 December 2016 and 15 January 2017. That number accounted for more than a quarter (26 percent) of ransomware infections the Redmond-based tech giant observed during that period. By comparison, Genasom, the second-highest crypto-locking threat, came in at just 1,109 infections – just 14 percent of the total ransomware attacks.
Cerber, the “ransomware that speaks” which boasts a lucrative affiliate program, has certainly expanded its reach in recent months. But by no means is it unstoppable. You just have to know where to look.
Microsoft’s malware researchers elaborate on this point in a blog post:
“Not only are there similarities between members of this well-distributed ransomware family, certain Cerber behaviors are common malware behaviors. Detecting these behaviors can help stop even newly distributed threats.”
Microsoft incorporated that exact philosophy into its Windows Defender Advanced Threat Protection (ATP) service. It’s not surprising that Microsoft then pitted its solution against Cerber to see what would happen.
In one attack, a Cerber infection started when a user opened a document in the Downloads folder. This file triggered embedded macros, launching a PowerShell command that downloaded another component carrying the Cerber payload. Windows Defender ATP triggered an alert for that event.
Not only that, but Microsoft’s product also fired off separate alerts when Cerber’s PowerShell script connected to a Tor website in order to download an executable, when the payload launched itself from inside the Users folder, and when Cerber attempted to delete the system’s Shadow Volume Copies.
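The four behaviours those alerts keyed on are what behaviour-based detection looks for, independent of any Cerber signature. As an added illustration (not Microsoft's code and not from the original article), the script below runs simple rules over constructed process-creation events; the field names, file paths, process names and the modelling of the Tor connection as a `.onion` destination are all assumptions.

```python
import re

# Constructed process-creation events (not real telemetry): the chain the
# article describes, plus one benign event. Field names are assumptions.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r"WINWORD.EXE C:\Users\alice\Downloads\invoice.doc", "dest_host": ""},
    {"parent": "winword.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop (downloader stage)", "dest_host": "example-hidden-service.onion"},
    {"parent": "powershell.exe", "image": r"C:\Users\alice\AppData\Roaming\payload.exe",
     "cmdline": "payload.exe", "dest_host": ""},
    {"parent": "payload.exe", "image": r"C:\Users\alice\AppData\Roaming\payload.exe",
     "cmdline": "payload.exe", "dest_host": ""},
    {"parent": "payload.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet", "dest_host": ""},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "dest_host": ""},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\.*\.exe$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the behaviour alerts one event matches (empty list if none)."""
    parent = event["parent"].lower()
    image = basename(event["image"])
    cmd = event["cmdline"].lower()
    alerts = []
    # 1. Office document spawning PowerShell (macro launching a downloader)
    if parent in OFFICE_APPS and image == "powershell.exe":
        alerts.append("office-spawned-powershell")
    # 2. PowerShell reaching a Tor hidden service (modelled here as a .onion host)
    if image == "powershell.exe" and event["dest_host"].lower().endswith(".onion"):
        alerts.append("powershell-tor-connection")
    # 3. Executable started from a user profile, either by PowerShell or by itself
    if USER_PROFILE.match(event["image"].lower()) and parent in {"powershell.exe", image}:
        alerts.append("payload-launched-from-user-profile")
    # 4. Shadow Volume Copy deletion, which removes the local recovery option
    if image in {"vssadmin.exe", "wmic.exe"} and "shadow" in cmd and "delete" in cmd:
        alerts.append("shadow-copy-deletion")
    return alerts


def triage(events):
    """Map each alert name to the indices of the events that raised it."""
    hits = {}
    for i, ev in enumerate(events):
        for a in classify(ev):
            hits.setdefault(a, []).append(i)
    return hits


if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

Each rule fires on behaviour rather than on a file hash, so a repacked sample that keeps the same macro-to-PowerShell-to-payload chain still trips the same alerts.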
We all know that no anti-virus solution can deliver total protection. That’s one of the reasons why some people in the industry are (wrongly) urging users to disable their anti-virus software. Microsoft’s demonstration, however, proves that security products continue to get better.
The anti-virus industry is moving in the direction of AI that uses machine learning and behavior analytics to detect malicious behavior, not malicious code. This type of solution will better protect both users and enterprises against something like ransomware, which often alters its disguise in an effort to evade detection. All we need to do is be patient and wait for these types of solutions to begin rolling out.
In the meantime, users should make sure they’ve done all they can to prevent a ransomware infection. That includes updating their existing anti-virus solution, updating their systems on a regular basis, and – yes – maintaining a backup of their data.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.