Net scum behind the Cerber ransomware have been pounding enterprises, infecting more corporate machines than any other, according to Microsoft.
Some 2114 infections have been discovered from December to January on corporate endpoints operating Windows 10 Enterprise, an operating system that Microsoft boffins say breaks the ransomware exploit chain thanks to its embedded Advanced Threat Protection exploit mitigations, an otherwise paid service.
Redmond has fought Cerber since at least July 2016 when the ransomware's authors tweaked their flagship to target Office 365 using old-school macros.
The company says its threat protection module recognises Cerber payloads and those of others, including likely emerging forms, and prevents the exploits firing.
The module will be upgraded in the upcoming Creators Update to allow compromised machines to be isolated from the network, and to add execution prevention and quarantine capabilities.
The capability appears much in line with the effective exploit mitigation efforts Microsoft has baked into Windows 10. Those features used to come with the soon-to-be dead Enhanced Mitigation Toolkit.
Microsoft dredged up the Cerber infection numbers to plug its premium exploit mitigation after it revealed in December a campaign by the malware group to hose holiday shoppers.
That campaign took two forms: emails with purported delivery messages that contained malicious attachments; and heavy use of RIG, the current champion in the ever-evolving exploit kit market.
Redmondian security wonks explained its Advanced Threat Protection in a technical analysis of a Cerber infection, in which they show a customer running the first-stage macro, which then used PowerShell to pull a secondary component that held the payload.
Ransomware encounters on enterprise endpoints
The Cerber payload was blocked and four alerts were generated to provide the security operations centre with command and control IP address data and Cerber payload information to help block emerging variants.
Ransomware variants Genasom and Locky took second and third place for attacking Windows 10 Enterprise boxes with about 1000 infections apiece.
Security folks do not appear to have published tools that would exploit weaknesses in the latest Cerber to enable victims to decrypt their files for free, meaning enterprises are forced to restore data from backups or pay ransom demands.
Important reverse engineering work is conducted largely by white hat hackers working under the No More Ransom Alliance, along with laudable independent efforts by researchers and security firms. ®