Cerber Ransomware Hits Microsoft Office 365 Users

Millions of Microsoft Office 365 users were found to have been exposed to a Cerber (detected by Trend Micro as RANSOM_CERBER.CAD) ransomware attack. Based on reports, the attack seems to be a variation of one that was originally detected on network mail services in early March 2016. However, this time around, Cerber is more widely distributed as it was able to bypass the built-in security tools through a private Office 365 mail account.

According to Trend Micro’s analysis, this ransomware variant determines the country in which the infected computer is located and avoids infecting computers in certain countries. It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops before deleting the original copy.
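The scheduled-task persistence described above can be hunted for by reviewing exported task definitions. The following is an added example, not code from Trend Micro's analysis: it parses Task Scheduler XML and flags tasks whose action runs from a user-writable directory. The path list, task names and sample XML are assumptions constructed for illustration, since the article does not name the drop location.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: a dropped copy runs from a user-writable directory. The article
# does not name the drop path, so this list is a hunting heuristic, not an IoC.
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|temp|public)%"
    r"|\\appdata\\(roaming|local(low)?)\\|\\users\\public\\|\\programdata\\",
    re.IGNORECASE,
)

def suspicious_tasks(task_xml_docs):
    """Return one finding per Exec action whose command is in a user-writable path."""
    findings = []
    for doc in task_xml_docs:
        try:
            root = ET.fromstring(doc)  # str or bytes; pass on-disk files as bytes
        except ET.ParseError as err:
            # A damaged task definition is itself worth a manual look.
            findings.append({"task": None, "command": None, "reason": f"unparseable: {err}"})
            continue
        uri = root.findtext("t:RegistrationInfo/t:URI", default="(no URI)", namespaces=NS)
        for action in root.findall("t:Actions/t:Exec", NS):
            cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
            if USER_WRITABLE.search(cmd):
                findings.append({"task": uri, "command": cmd, "reason": "runs from user-writable path"})
    return findings

# Constructed sample task definitions (hypothetical names and paths).
_TASK = (
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
    '<Actions Context="Author"><Exec><Command>{cmd}</Command></Exec></Actions></Task>'
)
SAMPLES = [
    _TASK.format(uri=r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                 cmd=r"%windir%\system32\defrag.exe"),
    _TASK.format(uri=r"\ExampleUpdater",
                 cmd=r'"C:\Users\alice\AppData\Roaming\example\copy.exe"'),
    "<Task><Actions>",  # truncated export
]

if __name__ == "__main__":
    for finding in suspicious_tasks(SAMPLES):
        print(finding)
```

A hit is a lead for triage rather than a verdict, because legitimate per-user updaters also register tasks that run from profile directories.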

Cerber first emerged in March 2016, and it came with an audio clip file that contained a ransom message. Cerber primarily uses English, but offers users other language options once they click on the link via Tor browser. It was also found that Cerber comes with a configuration file in the .json format, which is commonly used to transmit and store data. This allows the ransomware to change the ransom note and the file extensions it targets for encryption.

Cerber was notable for its use of a computer-generated voice, instead of a ransom note displayed as an image, to warn that the user’s files have been encrypted. In May 2016, Cerber made its way back, using email as another way to distribute malware. Based on findings, Cerber arrives on a system as a file dropped by other malware or as a file downloaded and executed unsuspectingly by users visiting malicious sites. Upon infection, the victim’s files are encrypted and rendered inaccessible. Victims are instructed to pay 1.24 bitcoin.

The constant arrival of ransomware shows that it works, and is increasingly targeting businesses as well as individuals. Knowing how these threats operate can aid users and enterprises in securing crucial data. Backing up data can help reduce the potential damage caused by a ransomware attack, as paying the ransom only encourages more attacks.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by crypto-ransomware such as Cerber.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.

