Malwarebytes Labs has just reported that the market share of Cerber ransomware, one of the most active malware families of the past year, increased to 87% in the first quarter of this year.
In January, Cerber ransomware accounted for 70% of the market; however, its presence jumped significantly over the next two months.
Malwarebytes’ Cybercrime tactics and techniques Q1 2017 report states that, at the same time, there was a significant decrease in Locky attacks, from 12% in January to less than 2% in March.
While Locky was fading away, the new Sage and Spora ransomware families gained some market share.
Currently, Cerber is considered the leader of the ransomware category, and its market domination is compared with that of TeslaCrypt in the first half of 2016.
During the past few months, Cerber's distributors have used various methods to spread the infection, including exploit kits and the Apache Struts 2 vulnerability.
Earlier this year, security experts noticed that the Kovter click-fraud Trojan was delivering Cerber ransomware, after Betabot had been delivering it the previous September.
Later on, the creators of Cerber worked to improve the threat by adding machine-learning evasion capabilities and by improving its anti-sandboxing functionality.
Not long ago, security researchers from Cyphort found that Cerber was leveraging process hollowing for infection, a technique in which a suspended process is created and the ransomware’s code is injected into it.
“Just like TeslaCrypt, Cerber has risen to the top of the ransomware market, leaving all competitors in its dust. Again, like TeslaCrypt, Cerber can just as easily become yesterday’s news. However, there are a few factors at play with Cerber that could make its future different than that of families like TeslaCrypt and Locky,” Malwarebytes Labs says.
Because Cerber is available as Ransomware as a Service (RaaS), the threat is accessible even to hackers without coding knowledge, who can still get involved in distributing the malware. The infection also includes offline encryption, military-grade encryption, and other features that attract cybercriminals.
Over the first quarter of this year, the malware landscape was affected by other changes as well, such as the emergence of new macOS malware and backdoors, including the new FindZip ransomware. In addition, security experts recorded the first macro malware targeting Mac devices.
Meanwhile, the RIG exploit kit continues to dominate its threat segment and is expected to keep doing so, because only a few toolkits are currently active and competition is minimal.
The Malwarebytes researchers also report that multiple spam campaigns were recorded during the first quarter of this year, including campaigns that abused password-protected Office documents in an attempt to evade automated analysis sandboxes. For instance, the Ursnif banking Trojan was seen using such documents in numerous spam campaigns all over the world.