IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cerber dominates ransomware attacks against businesses

Windows 10 Enterprise customers are able to use threat detection features to locate 'patient zero' machines

Red skull and crossbones atop binary code

The Cerber family contributed to the largest number of ransomware attacks against enterprise systems in 2016, according to Microsoft research.

Of the myriad of ransomware attacks over the course of the year, Cerber accounted for 26% of these, some 2,114 infections on systems using Windows 10 Enterprise operating systems.

Cerber was found to be particularly active in November last year when attackers using the ransomeware strain ran a campaign against businesses taking advantage of the holiday season.

Microsoft has said that thanks to its robust threat protection, Windows 10 Enterprise is able to recognise Cerber attacks before payloads could be delivered, breaking the chain of self-replicating attacks that would normally compromise an entire system.

Through Windows Defender Advanced Threat Protection (Windows Defender ATP), a bundled service which is otherwise a paid extra, enterprise customers are able to locate 'patient zero' machines and stop a ransomware epidemic before it takes hold.

Cerber typically operates by tricking a user into downloading a document to their downloads folder from an email. Once the document is opened, an embedded macro is triggered which launches a PowerShell command, which then connects to a TOR anonymisation website to download a ransomware payload.

In an example test of a customer running the initial macro, Windows Defender ATP was able to identify the PowerShell command and track the source IP address from the TOR site and block it in a firewall.

"Windows Defender ATP generated at least four alerts during the infection process, providing a breadth of detections that helps ensure coverage for changing techniques between Cerber versions, samples, and infections instances," said Tommy Blizard, a researcher on the Windows Defender ATP team.

These alerts are built up using machine learning and extensive research of different ransomware instances and their related families, according to Microsoft.

With the upcoming Creators Update, Microsoft has promised to take "its capabilities one step further" by enabling the network isolation of any machines found to have issued this PowerShell command to receive payloads.

Ransomware families belonging to Genasom and Locky accounted for 14% and 11% of attacks respectively, while lesser-known variants Critroni and Troldesh made up just 6%. 

In August 2016, security research firm Malwarebytes revealed that over 40% of businesses across the UK, US and Canada had been targeted by ransomware, with a 259% increase in exploit kits in the first five months of the year.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

28 Jul 2022
Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
How to reinstall Windows 10 without losing data
Microsoft Windows

How to reinstall Windows 10 without losing data

18 Jul 2022
How to make a printer shortcut in Windows 10
Microsoft Windows

How to make a printer shortcut in Windows 10

18 Jul 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022