Cerber on the prowl: Spiking Ransomware raises the bar on Endpoint Threat Visibility

Cerber on the prowl. As if a blaring message that said, “Your files are encrypted!” wasn’t scary enough, the cybercrime group behind the Cerber Ransomware sends victims a cryptic audio message with instructions to pay around 1.24 bitcoins for decryption.

Cerber, the encryptor named after the mythological beast Cerberus, is sold through some covert Russian channels and has now been used to exploit a macros zero-day in Office 365.

It’s barely three months since Microsoft hardened security controls for macros on Microsoft Word when Locky took the world by storm and here we go – another ‘improvised’ macros-based Ransomware traps over a million Office 365 users in two days.



The payload begins execution once the victim enables macros as instructed by the malicious Word document:


Image source: Avanan


The Locky Ransomware that surfaced in February this year tricked users into enabling macros to read a scrambled Word document that was sent as an email attachment. In the aftermath, Microsoft released an update that allowed system administrators to restrict the scope of macros use to “a set of trusted workflows”.

Ransomware attacks that until now targeted random individual users are advancing into corporate networks through the widely-used Office 365 software. Judging from recent incidents, the attackers seem to have locked onto their targets and baited their line. Cerber itself was first seen in March 2016 in malvertising incidents leveraging a Flash Plugin zero-day, but is now apparently weaponized in enterprise-scale attacks, engineered with functionality to morph every 15 seconds to remain stealthy.

Avanan, the cloud security provider for Microsoft, Google, Amazon AWS and a dozen other top cloud platforms, has remarked on how easy it would be to create different variants of this exploit kit to attack Microsoft again.


Don’t fall prey

  1. Make sure your enterprise software and plugins are up-to-date. Don’t ignore updates that seek to give you better control over features.
  2. Adopt least privilege tactics to limit high-risk uses of Macros and other critical features capable of greasing the wheels for backdoors.
  3. Update Email Use Policy and Internet Fraud Prevention measures in your enterprise to include emerging attack vectors.
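One way to apply item 2 at a mail gateway or endpoint, shown as an added example that is not from the original post or from Avanan: classify an attachment by its content and quarantine macro-capable Office files unless they arrive through a trusted workflow. The function names, the policy and the sample packages are assumptions constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML (.docx/.docm) container


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-ole', 'clean-ooxml' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Ruling out macros here needs a compound-file parser, so the
        # legacy format itself is treated as high risk.
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    if "[content_types].xml" not in names:
        return "not-office"  # a plain zip, not an Office package
    # Judge by content, not by the file extension the sender chose.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "clean-ooxml"


def decide(data: bytes, from_trusted_workflow: bool) -> str:
    """Hypothetical policy: macro-capable files pass only for trusted workflows."""
    risky = classify_attachment(data) in ("macro", "legacy-ole")
    return "quarantine" if risky and not from_trusted_workflow else "deliver"


def make_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-shaped package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", make_sample(True)), ("plain", make_sample(False))):
        print(label, classify_attachment(blob), decide(blob, False))
```
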


Fundamental approaches matter.

Persistent protection cannot be built on a single system of defense, especially when mutating malware is fine-tuned for deceptive traversing. This is in fact what Avanan emphasizes in the wake of the Office 365 attack. In a blog post announcing the attack that lasted about 29 hours, Avanan clarifies that a large portion of the compromised users of cloud email services probably believed that they had outsourced all security concerns to the service provider and so slackened their endpoint intrusion detection measures.

Dealing with polymorphic malware and zero-day exploits is the domain of real-time protection layers, since traditional signature-based technologies often take longer to catch up with malicious payloads than the time it takes for the malware to begin harvesting information.

Advanced malware is now authored with the ultimate goal of outwitting all major cloud email providers’ anomaly filters. This is the issue we seek to address with risk-based and intelligence-driven threat management solutions.

Legacy sandboxing solutions cannot defeat this ‘intelligent’ malware single-handedly, for the simple reason that its exploit phase tends to be too inscrutable and uncertain for their detection capabilities.

Sealing such gaps then depends on intrusion detection capabilities that spot malicious files by analyzing the network behavior traced back to the points of interaction of the exploit with the system. Behavior-based threat mitigation can help foresee attack patterns, adjust baselines and seal gaps expediently. 

Enforce context-aware anti-malware practices with ease through centralized threat visibility. We’ve been helping organizations understand risks and vulnerabilities and eliminate threats with an extensive suite of competencies.


Some of our techniques for deep-level, multi-vector analysis:

  • Service & Infrastructure Monitoring
  • NetFlow Analysis
  • Network Protocol Analysis / Packet Capture
  • File Integrity Monitoring
  • Critical Asset Availability and Status Change Monitoring 


