
Cerber Ransomware Corporate Attacks Explained by Microsoft

Cerber ransomware has been infecting more corporate computers than home machines, a Microsoft report reveals. 2114 infections were uncovered between December and January, all on corporate endpoints running Windows 10 Enterprise. This Windows edition is supposed to be very effective against ransomware thanks to its embedded Advanced Threat Protection exploit mitigations.

Microsoft has been fighting Cerber since July 2016, or perhaps even earlier. This is when Cerber’s authors changed the ransomware and made it target Office 365 in macro-based attacks. Microsoft also says that its ATP recognizes Cerber payloads and prevents them from being activated.


Microsoft wrote:

Our research into prevalent ransomware families reveals that delivery campaigns can typically stretch for days or even weeks, all the while employing similar files and techniques. As long as enterprises can quickly investigate the first cases of infection or ‘patient zero’, they can often effectively stop ransomware epidemics. With Windows Defender Advanced Threat Protection (Windows Defender ATP), enterprises can quickly identify and investigate these initial cases, and then use captured artifact information to proactively protect the broader network.

ATP will soon be upgraded in the upcoming Creators Update to make it possible to isolate infected machines from the network. Execution prevention and quarantine capabilities will also be added. These changes are in line with the latest mitigation efforts Microsoft has implemented in Windows 10; the features were previously provided by the soon-to-be-retired Enhanced Mitigation Experience Toolkit (EMET).

Cerber’s campaigns were delivered in two major ways: via emails carrying malicious attachments and via the RIG exploit kit.


One of the latest versions of RIG was reported to cause infections through Microsoft software last August. One of the exploits it used was reported by Eduard Kovacs at SecurityWeek.com to be CVE-2016-0189. This vulnerability allowed remote code execution by abusing the execution of JavaScript and VBScript.

Have a look at the detailed Microsoft explanation of a corporate Cerber attack.


Milena Dimitrova
