Millions of Microsoft Office 365 users were found to have been exposed to a Cerber ransomware attack (detected by Trend Micro as RANSOM_CERBER.CAD). Based on reports, the attack appears to be a variation of one originally detected on network mail services in early March 2016. This time, however, Cerber was more widely distributed, because it reached users through a private Office 365 mail account and was able to bypass the service's built-in security tools.
According to Trend Micro's analysis, this ransomware variant checks the country in which the infected computer is located and refrains from infecting machines in certain countries. For persistence, it uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops, and then deletes the original file.
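As an added example (not part of the original article and not Trend Micro's tooling), the following Python script shows one way a defender can hunt for the persistence pattern just described: it parses Task Scheduler task definitions (the XML stored under C:\Windows\System32\Tasks, or exported with schtasks /Query /XML) and flags any task whose action launches a binary from a user-writable location. The three task definitions and the list of user-writable directories are constructed for this example and are not Cerber indicators; the heuristic is a general one for dropper-style scheduled tasks.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every task definition Task Scheduler writes.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to. Assumed heuristic for this
# example: legitimate software rarely persists a scheduled task that launches
# an executable from one of these paths, while droppers routinely do.
USER_WRITABLE = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"%appdata%\\",
        r"%localappdata%\\",
        r"%temp%\\",
        r"%tmp%\\",
        r"%userprofile%\\",
        r"%public%\\",
        r'\b[a-z]:\\users\\[^\\\s"]+\\',
        r"\b[a-z]:\\programdata\\",
        r"\b[a-z]:\\windows\\temp\\",
    )
]

# Constructed sample task definitions (not real Cerber artifacts).
SAMPLE_TASKS = {
    # A dropper-style task: runs a copy placed under %APPDATA% at every logon.
    "appdata_dropper": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"%APPDATA%\WinUpdater\upd.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
    # A built-in style task: runs a system binary from %SystemRoot%.
    "system_defrag": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\system32\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments>
    </Exec>
  </Actions>
</Task>""",
    # The evasive shape: Command is a trusted system binary, but the payload
    # path hides in Arguments, so both fields must be inspected.
    "lolbin_wrapper": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c start "" "C:\Users\Public\Libraries\svc.exe"</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def exec_actions(task_xml: str) -> list[tuple[str, str]]:
    """Return (command, arguments) for each <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = node.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((command.strip(), arguments.strip()))
    return actions


def runs_from_user_writable(command: str, arguments: str = "") -> bool:
    """True if the command or its arguments reference a user-writable path.

    Arguments are checked too, because a task can launch cmd.exe, rundll32 or
    another trusted binary and pass the dropped payload as a parameter."""
    text = f"{command} {arguments}"
    return any(pattern.search(text) for pattern in USER_WRITABLE)


def suspicious_tasks(tasks: dict[str, str]) -> list[str]:
    """Names of tasks with at least one Exec action running from user-writable space."""
    return [
        name
        for name, xml_text in tasks.items()
        if any(runs_from_user_writable(cmd, args) for cmd, args in exec_actions(xml_text))
    ]


if __name__ == "__main__":
    # On a live host, feed the contents of each file under
    # C:\Windows\System32\Tasks (or the output of "schtasks /Query /XML") instead.
    for name in suspicious_tasks(SAMPLE_TASKS):
        for cmd, args in exec_actions(SAMPLE_TASKS[name]):
            print(f"[!] {name}: {cmd} {args}")
```

Run against the constructed samples, the script flags the %APPDATA% dropper and the cmd.exe wrapper but not the defrag task. Treat a hit as a lead, not a verdict: installers and some updaters legitimately schedule tasks from ProgramData, so pair this with a check on the task's author, registration time and the hash of the referenced executable.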
Cerber first emerged in March 2016, when it was also notable for including an audio clip containing the ransom message. Cerber primarily uses English but offers other language options once the victim opens the payment link in the Tor browser. Cerber was also found to ship with a configuration file in JSON format, a format commonly used to transmit and store data. This lets the ransomware's operators change the ransom note and the list of file extensions it targets for encryption.
Cerber was notable for using a computer-generated voice, instead of displaying the ransom note as an image, to warn victims that their files had been encrypted. In May 2016, Cerber returned, this time also using email to distribute the malware. Based on findings, Cerber infects a system either as a file dropped by other malware or as a file downloaded and unknowingly executed by users visiting malicious sites. Once it runs, the victim's files are encrypted and rendered inaccessible, and the victim is instructed to pay 1.24 bitcoin.
The constant arrival of new ransomware shows that the scheme works, and that it increasingly targets businesses as well as individuals. Knowing how these threats operate helps users and enterprises secure crucial data. Regularly backing up data reduces the potential damage of a ransomware attack, whereas paying the ransom only encourages more attacks.
Trend Micro offers solutions for enterprises, small businesses, and home users that help minimize the risk of being affected by crypto-ransomware such as Cerber.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.