Cerber dominates ransomware attacks against businesses
Windows 10 Enterprise customers are able to use threat detection features to locate 'patient zero' machines
The Cerber family contributed to the largest number of ransomware attacks against enterprise systems in 2016, according to Microsoft research.
Of the myriad of ransomware attacks over the course of the year, Cerber accounted for 26% of these, some 2,114 infections on systems using Windows 10 Enterprise operating systems.
Cerber was found to be particularly active in November last year when attackers using the ransomeware strain ran a campaign against businesses taking advantage of the holiday season.
Microsoft has said that thanks to its robust threat protection, Windows 10 Enterprise is able to recognise Cerber attacks before payloads could be delivered, breaking the chain of self-replicating attacks that would normally compromise an entire system.
Through Windows Defender Advanced Threat Protection (Windows Defender ATP), a bundled service which is otherwise a paid extra, enterprise customers are able to locate 'patient zero' machines and stop a ransomware epidemic before it takes hold.
Cerber typically operates by tricking a user into downloading a document to their downloads folder from an email. Once the document is opened, an embedded macro is triggered which launches a PowerShell command, which then connects to a TOR anonymisation website to download a ransomware payload.
In an example test of a customer running the initial macro, Windows Defender ATP was able to identify the PowerShell command and track the source IP address from the TOR site and block it in a firewall.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
"Windows Defender ATP generated at least four alerts during the infection process, providing a breadth of detections that helps ensure coverage for changing techniques between Cerber versions, samples, and infections instances," said Tommy Blizard, a researcher on the Windows Defender ATP team.
These alerts are built up using machine learning and extensive research of different ransomware instances and their related families, according to Microsoft.
With the upcoming Creators Update, Microsoft has promised to take "its capabilities one step further" by enabling the network isolation of any machines found to have issued this PowerShell command to receive payloads.
Ransomware families belonging to Genasom and Locky accounted for 14% and 11% of attacks respectively, while lesser-known variants Critroni and Troldesh made up just 6%.
In August 2016, security research firm Malwarebytes revealed that over 40% of businesses across the UK, US and Canada had been targeted by ransomware, with a 259% increase in exploit kits in the first five months of the year.
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.
-
Netgear launches next-gen platform and says it's quality vs quantity re partner engagementNews This is a significant launch, according to the company, and one that aligns with its overarching goal to simplify complexity...
-
What users can expect with Claude Sonnet 5News Claude Sonnet 5 comes with intuitive agentic capabilities, performance boosts, and cost-efficient ‘effort levels’
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recoveryNews Few manage to recover all their data, and many experience business disruption
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes