Cerber Ransomware Expands Database Encryption Attacks

Trend Micro researchers discover that the popular Cerber ransomware family has a new version that is going after database files to cause the most trouble for victims.

Ransomware authors aim to make money by encrypting user files and then demanding that users pay a ransom for the safe return of their data. According to new research published Nov. 22 by security firm Trend Micro, the recent Cerber 4.1.5 ransomware release is going beyond just user files and is encrypting databases.

"Cerber scans for database files and encrypts them when it finds them," Jon Clay, director of global threat communications at Trend Micro told eWEEK. "Note that in some cases it will terminate the database processes to ensure it can encrypt the files that were in use."

According to Trend Micro's research, Cerber 4.1.5's configuration file includes a list of the types of files it aims to encrypt including database files from Microsoft Access, Oracle, and MySQL as well as files related to accounting, payroll, and health care database software.

Clay explained that Cerber uses similar encryption technologies that are used by most other ransomware families. He added that the main difference is that Cerber's targets database files while other ransomware families focus on documents, pictures, videos and backup files.

Ransomware attacks overall continue to be a major concern for most organizations. A report from security firm SentinelOne published on Nov. 18 found that over the past 12 months, 50 percent of organizations have responded to a ransomware campaign. Kaspersky Lab reported that 821,865 Kaspersky users were attacked by some form of ransomware in the third quarter of 2016.

While Ransomware attacks are common, a report from Check Point Software released in August looking specifically at Cerber found that only 0.3 percent of victims end up paying the ransom.

With the new Cerber 4.1.5 update, Trend Micro has found that the ransomware authors are now demanding a cheaper ransom than they were previously asking.

"Most ransomware currently averages one to two bitcoins for the ransom," Clay said. "It appears the actors behind this version have chosen to decrease that amount."

As of Nov 22, one bitcoin is worth approximately $747 U.S dollars. Clay added, however, that Cerber allows customization of the ransom for whomever is using it, so it is really up to the actor(s) behind it to decide how much they want to charge.

"We have not seen any evidence of the cheaper amount leading to more payments," Clay said.

Overall the expectation from Trend Micro is that Cerber ransomware will continue to evolve as the attackers adjust their delivery methods, infection vectors and ransom demands. Clay noted that the authors of Cerber have been very active in updating their malware regularly, with four versions released since March.

There are a number of things that organizations and end-users can do to help mitigate the risk of being the victim of a Cerber ransomware attack. Clay commented that as with most ransomware attacks, the missing piece appears to be an over-reliance on endpoint security to detect malware.

"If endpoint security is utilized as a primary defense, then a cross-generational approach that includes both traditional and newer technologies like high-fidelity machine learning can improve detection of ransomware," Clay said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.