Cerber Ransomware Now Targets Businesses By Encrypting Databases

Cerber Ransomware Now Targets Businesses By Encrypting Databases
To sign up for our daily newsletter covering the latest news, hacks and reviews, head HERE. For a running feed of all our stories, follow us on Twitter HERE. Or you can bookmark the Lifehacker Australia homepage to visit whenever you need a fix.

The Cerber ransomware may be relatively new but it has already become one of the most popular weapons of choice for cybercriminals looking to extort money by encrypting data on computers and demanding payment to decrypt it. Cerber has matured so much that it’s basically run like a franchise but it has evolved even further; it’s now targeting databases in hopes of extorting businesses, which are considered more lucrative prey than consumers. Here’s what businesses and IT administrators need to know.

According to security researchers at McAfee, the latest version of Cerber has made three important changes:

  • It now alters the extensions of encrypted files to a random four characters when previously it changed them to .cerber3. The purposes of this is to make it more difficult for anti-malware scanners to detect affected files.
  • It now has a cleaner, perhaps more business-friendly, digital ransom note in the form of an executable file. It’s clean and professional, with detailed instructions on how to make payment to get files unlocked. Security vendors often advise against handing over any payment because there’s no guarantee that cybercriminals will honour their promise to unlock encrypted files. The professional ransom note is meant to inspire confidence in victims that their files will definitely be unlocked.
  • When it comes to databases, it’s hard to encrypt files that are open and in use by software. The malware now attempts to stop database processes running on a target system in order to encrypt the data on it.

The third point is particularly pertinent to businesses since they are the ones that typically run databases that contain important and useful data.

For IT administrators, McAfee has this warning to give:

“Watch your database processes for unexpected stops. It might be an indication of Cerber ransomware trying to undermine file integrity. But that would be the wrong time to consider instituting good backups and applying good security practices.”

In August, security vendor CheckPoint found Cerber running 161 active campaigns and launching eight new ones every day. It has successfully infected over 150,000 users worldwide.



  • Surely if they did not honour payments there would be stories everywhere stating that you should never do it.

    • I’ve heard security experts recommend paying the ransom. But I think a lot of vendors want to cover their own butts by recommending against paying, just in case customers don’t get their data back. That’s just my opinion.

      • I personally know of a few cases where the hackers did not release the key after payment, in one case after the ransom was paid the criminals realized that the target was a business server so they demanded a huge amount on top of that which the victim then refused to pay.

Show more comments

Comments are closed.

Log in to comment on this story!