Cerber ransomware infections have been infecting more corporate computers than home-based machines, Microsoft report reveals. 2114 infections have been uncovered inbetween December and January, all on corporate endpoints running Windows 10 Enterprise. This Windows edition is supposed to be very effective against ransomware thanks to its embedded Advanced Threat Protection exploit mitigations.
Microsoft has been fighting Cerber sinceJuly 2016, or perhaps even earlier. This is when Cerber’s authors changed the ransomware and made it target Office 365 in macro-based attacks. Microsoft also says that its ATP recognizes Cerber payloads and prevents them from being activated.
Our research into prevalent ransomware families reveals that delivery campaigns can typically stretch for days or even weeks, all the while employing similar files and techniques. As long as enterprises can quickly investigate the first cases of infection or ‘patient zero’, they can often effectively stop ransomware epidemics. With Windows Defender Advanced Threat Protection (Windows Defender ATP), enterprises can quickly identify and investigate these initial cases, and then use captured artifact information to proactively protect the broader network.
ATP will soon be upgraded in the future Creators Update to make it possible for infected machines to be isolated from the network. Execution prevention and quarantine capabilities will be added. These changes are in tune with the latest mitigation efforts Microsoft has implemented in Windows 10. The features were previously present in the about to be terminated Enhanced Mitigation Toolkit.
Cerber’s campaigns took place in two major ways: via emails containing malicious attachments and the use of RIG exploit kit.
Have a look at the detailed Microsoft explanation of a corporate Cerber attack.