Microsoft Malware Protection Center has warned that the Cerber ransomware family is back, and stronger than ever.
The malware targets businesses, arriving via password-protected zip file to evade email malware scanners, with the password suspiciously in the same email. When executed the app encrypts hard drives and in the latest version even seek out Microsoft Access, MySQL and Oracle database files, stop the databases if needed and then encrypt the tables.
Microsoft notes that the volume of these spam email has increased tremendously recently, with bad actors trying to take advantage of the holiday lull in vigilance.
The malware is constantly evolving and now also targets 50 additional file types while for the first time excluding .cmd, .exe. and .msi,, likely in an effort to keep PCs running. It also prioritizes folders containing office files, likely to try to do as much damage as possible before its stopped, and now hides its version number, making it tougher to track.
Two sets of additional IP address ranges have been added to the command-and-control server setup used by the malware to communicate with attackers and a Tor proxy site has replaced the three proxy sites that formerly provided a payment site.
Besides the email push the attackers also use an exploit kit on compromised websites which targets flaws on older versions of Adobe Flash to get onto the PCs of users. This vector is particularly common in Asia and Europe Microsoft says.
“For cyber-criminals, releasing a new version of malware not only increases [the] likelihood of evading antivirus detection; it’s also a way of increasing the complexity of malware,” the Microsoft security researchers noted. “Cerber’s long list of updated behavior indicates that the cyber-criminals are highly motivated to continue improving the malware and the campaigns that deliver it.”
To prevent damage by Ransomware Microsoft recommends:
- Update to the Windows 10 Anniversary Update and accept the default security settings within Windows 10.
- Keep machines up to date with the very latest updates.
- Ensure that a comprehensive backup strategy is implemented and followed.
- The Block at First Sight cloud protection feature in Windows Defender is enabled by default. For IT Pros, if it was turned off Microsoft recommend turning it back on, and also recommend incorporating another layer of defense through Windows Defender ATP and Office 365 ATP.
Read more about Microsoft’s Ransomware Protection measures at Microsoft here.