In its second quarterly Cybercrime Tactics & Techniques report, Malwarebytes noted huge shifts in ransomware power dynamics: Over the past three months, Cerber ransomware took over as top-dog (90% of all detections), while the once-powerful Locky ransomware has basically dropped off the map (under 2% of at the end of March).
“We expect to see continued heavy distribution of Cerber through Q2 2017 due to new developments made to the malware design and its continued use of the ransomware as a service (RaaS) model,” the firm said, in the report. “As far as Cerber losing its crown, it is unlikely within the next quarter that any competitor will rise in market share enough to dethrone Cerber, barring something happening to the developers of Cerber and their ability to develop and distribute the ransomware.”
Brian Vecci, technical evangelist at Varonis, told us via email that Cerber is making ransomware harder to spot and stop.
“It sneaks past endpoint- and malware-detection technologies, always on the lookout for defenses designed to detect malicious files,” he explained. “This is exactly why organizations need to look inside the perimeter to defend their data against ransomware. Instead, they need to secure the data itself, placing micro-perimeters around the data by locking down access and monitoring user behavior.”
He added, “Data needs to be restricted based on a least privilege model—don't give anyone or anything access to anything that it doesn't need. When we think about ransomware, like Cerber, it is going to exploit access privileges to traverse the network and encrypt files on file systems. If someone can access a file on a shared drive and ransomware like Cerber is executing on their machine, under their identity, then that file is at risk. It doesn't matter whether we're talking about an entry-level intern or the CEO of a company; the same rule applies: does this person need this access to do their job? If not, take away their access to it and limit the damage that malicious software can do. The principle of least privilege is all about reducing and containing risk.”
Sage and Spora ransomware meanwhile also have showed signs of growth, and the firm said that their unique characteristics make it likely that they will dominate the ransomware market in Q2.
Mobile ransomware is on the rise as well: Android devices are facing a raft of baddies, including HiddenAds.LCK, which locks the device from being able to remove the app, therefore allowing for more advertisement revenue for the creators; and Jisut, a mobile ransomware family that has been spreading like wildfire.
Aside from ransomware, Malwarebytes noted that Mac security is under fire: The Mac threat landscape saw a surge of new malware and backdoors in Q1 2017, including a new Mac ransomware dubbed FindZip. First discovered on February 22, 2017, FindZip irreversibly encrypts files—the hackers behind it can’t give victims a key to decrypt it, but they lie about their ability to do so. Malwarebytes did however uncover a technique that could help get the files back.
Interestingly, there were no serious vulnerabilities disclosures in Q1 2017 and, in fact, many of the "stale" exploits utilized heavily by kits in the past are not were effective. This has forced exploit kit controllers to rely more on social engineering than technical exploitation. Still, RIG continues to have the greatest market share of the few exploit kits that are still active; Malwarebytes said that it remains on top mainly due to its lack of competition, rather than its technical sophistication.
“Distribution mechanisms are likely going to develop new features and functionality, be it through social engineering tactics utilized by exploit kits and malicious spam or from the discovery of new exploits, potentially revitalizing the exploit kit market,” the firm added.