The Cerber ransomware may be relatively new but it has already become one of the most popular weapons of choice for cybercriminals looking to extort money by encrypting data on computers and demanding payment to decrypt it. Cerber has matured so much that it's basically run like a franchise but it has evolved even further; it's now targeting databases in hopes of extorting businesses, which are considered more lucrative prey than consumers. Here's what businesses and IT administrators need to know.
According to security researchers at McAfee, the latest version of Cerber has made three important changes:
- It now alters the extensions of encrypted files to a random four characters when previously it changed them to .cerber3. The purposes of this is to make it more difficult for anti-malware scanners to detect affected files.
- It now has a cleaner, perhaps more business-friendly, digital ransom note in the form of an executable file. It's clean and professional, with detailed instructions on how to make payment to get files unlocked. Security vendors often advise against handing over any payment because there's no guarantee that cybercriminals will honour their promise to unlock encrypted files. The professional ransom note is meant to inspire confidence in victims that their files will definitely be unlocked.
- When it comes to databases, it's hard to encrypt files that are open and in use by software. The malware now attempts to stop database processes running on a target system in order to encrypt the data on it.
The third point is particularly pertinent to businesses since they are the ones that typically run databases that contain important and useful data.
For IT administrators, McAfee has this warning to give:
"Watch your database processes for unexpected stops. It might be an indication of Cerber ransomware trying to undermine file integrity. But that would be the wrong time to consider instituting good backups and applying good security practices."
In August, security vendor CheckPoint found Cerber running 161 active campaigns and launching eight new ones every day. It has successfully infected over 150,000 users worldwide.