Cerber Sets Sights on Corporate Databases

Notorious ransomware Cerber appears to have changed focus of late, and now represents a major threat to corporate databases, according to security experts.

Previously aimed mainly at consumers, the malware has been tweaked so that it now gives encrypted files an extension of four random characters rather than .cerber3.

This makes it more difficult to scan for affected files, according to Intel Security cybersecurity strategist, Matthew Rosenquist.

Second, the ransom note and payment instructions are now displayed in a more professional-looking window, thanks to the addition of an HTML file. This is intended to give the victims greater confidence that if they pay up, they’ll get their decryption key, Rosenquist claimed.

“Finally, and most important, the malware now attempts to stop database processes running on the target system so it can encrypt the data,” he added. “This is a significant shift in focus from consumers to businesses, which typically run databases containing important operational data. When database files are open and in use by software, they cannot easily be encrypted. Cerber attempts to close the database software so the files can be encrypted.”

Rosenquist urged IT administrators to monitor database processes for any unscheduled stops which might indicate a Cerber infection.
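One way to act on that advice, as an added example that is not code from the article or from Intel Security: flag database service stops outside an approved maintenance window, and raise the severity when files renamed to an unfamiliar four-character extension follow shortly after. The service names, maintenance hours, correlation window, extension allow-list and the simplified event format are all assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumptions (not from the article): watched service names, the approved
# maintenance window and the correlation window are site-specific placeholders.
WATCHED_SERVICES = {"MSSQLSERVER", "MySQL80", "OracleServiceXE"}
MAINTENANCE_HOURS = range(2, 4)            # 02:00-03:59 local time
CORRELATION_WINDOW = timedelta(minutes=10)
FOUR_CHAR_EXT = re.compile(r"\.([A-Za-z0-9]{4})$")
COMMON_EXT = {"docx", "xlsx", "pptx", "json", "html", "jpeg"}  # benign 4-char extensions

# Constructed sample events in a simplified (timestamp, kind, detail) form.
SAMPLE_EVENTS = [
    ("2016-10-05T02:30:00", "service_stop", "MSSQLSERVER"),   # scheduled maintenance
    ("2016-10-05T14:12:07", "service_stop", "MSSQLSERVER"),   # unscheduled
    ("2016-10-05T14:12:40", "file_rename", r"D:\data\sales.mdf -> D:\data\x8Qz1kLp.a9f2"),
    ("2016-10-05T14:12:41", "file_rename", r"D:\data\sales_log.ldf -> D:\data\m2Yt7.a9f2"),
    ("2016-10-05T15:00:00", "file_rename", r"C:\docs\a.doc -> C:\docs\a.docx"),
    ("2016-10-05T16:00:00", "service_stop", "Spooler"),       # not a database service
]

def is_suspicious_rename(detail):
    """True if the rename target ends in an unfamiliar four-character extension."""
    match = FOUR_CHAR_EXT.search(detail.split(" -> ")[-1])
    return bool(match) and match.group(1).lower() not in COMMON_EXT

def unscheduled_db_stops(events):
    """Flag watched database services stopped outside the maintenance window."""
    parsed = [(datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in events]
    alerts = []
    for ts, kind, detail in parsed:
        if kind != "service_stop" or detail not in WATCHED_SERVICES:
            continue
        if ts.hour in MAINTENANCE_HOURS:
            continue  # scheduled stop, expected
        # Count suspicious renames that follow the stop within the window.
        renames = sum(1 for t, k, d in parsed
                      if k == "file_rename" and ts <= t <= ts + CORRELATION_WINDOW
                      and is_suspicious_rename(d))
        alerts.append({"time": ts.isoformat(), "service": detail,
                       "renamed_files": renames,
                       "severity": "high" if renames else "review"})
    return alerts

if __name__ == "__main__":
    for alert in unscheduled_db_stops(SAMPLE_EVENTS):
        print(alert)
```

An unscheduled stop with no matching renames is still reported at "review" severity, since the stop alone is the signal the article describes.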

“The best strategic cybersecurity capability process includes elements to Predict, Prevent, Detect, and Respond to risks. This holds true for protection against ransomware,” he concluded. “A solid data backup/restoration capability is important, as is quality anti-malware to block attacks.”

The ransomware itself is now available as a service on the darknet, with individuals required to share 40% of the profits with the malware’s developers in return for a highly user-friendly platform with no overheads.

It is believed to be based in Russia because it’s coded to avoid systems configured in the Russian language, but it still manages to haul in between $1 million and $2.5 million per year from victims all over the world.

That figure is set to grow even higher now that the ransomware is targeting corporate victims.
