Cerber ransomware debuted in late February of this year, and has already become the third most prevalent ransomware based on a recent Fortinet statistic. The ransomware is typically distributed via emails containing macro-enabled Word documents, Windows Script Files, or Rich Text Documents. Cerber uses a strong, unbreakable encryption, and has a number of features that, when combined, make it unique in today's ransomware landscape.

The ransomware is being offered as "Ransomware as a service" on the Russian underground, meaning that various individuals can sign up to distribute it and share the profit with its authors. It is customizable using a configuration file, which lets the user of the ransomware change characteristics such as the ransom note and the attacked file extensions. This makes it possible for many different threat actors to use the same ransomware for different purposes and targets, each attack/campaign with it's own customized "look." Cerber does not need to connect to the control and command server to initiate file encryption, it can encrypt in offline mode.

Cerber authors have used an interesting scare tactic to get victims to pay - some versions included a script with an audio file that would repeat a verbal message over and over again, saying that all of the victim's files had been encrypted. Some ransom notes delivered verbal messages that quoted the Latin phrase "Quod me non necat me fortiorem facit" (What doesn’t kill me, makes me stronger).

A new development of the ransomware potentially gives it botnet-creating capabilities, which can be used for DDoS attacks. Researchers at Invincea have seen a new variant of the ransomware quietly sending out huge amounts of network traffic from infected machines. Although this new feature has not yet been used for a full-scale DDoS attack, this is a dangerous new capability for this particularly powerful and insidious ransomware.

ThreatSTOP customers are protected from Cerber.