Brief:
Cerber ransomware was first seen in February 2016 and has evolved continuously since. It is now one of the most frequently encountered ransomware families, overtaking others such as Locky; according to the latest statistics it holds the largest share, at 25.97%. Most of that evolution has been in its distribution, with a focus on exploit kits, compromised websites and e-mail. It is especially prevalent in the US, Asia and Western Europe.
Cerber Attack
Cerber usually enters a PC through a spam e-mail carrying a downloader, or through a malicious website. Both Office macros and OLE objects are used to deliver it: the attached document carries a Visual Basic Script (VBS) or JavaScript downloader that fetches the Cerber payload from a command-and-control server.
The other infection route is a visit to a malicious or compromised website that hosts an exploit kit. The kit probes the browser and its plug-ins for unpatched vulnerabilities, exploits one of them, and uses the resulting code execution to download and run Cerber on the PC. The Neutrino, Angler and Magnitude exploit kits are known to have distributed Cerber.
Like other ransomware, Cerber encrypts the victim's files and leaves recovery instructions. The instructions are dropped in both .html and .txt form, the desktop wallpaper is replaced, and a synthesized audio message is played as well. Notably, the ransom note presents Cerber as a project that makes the Internet a safer place and does not itself state what must be paid to decrypt the files; investigation shows that the ransom is demanded in bitcoins.
Solution
eScan now ships a Proactive Behavioral Analysis Engine (PBAE) that monitors the activity of every process on the local machine. Whenever PBAE sees activity or behaviour characteristic of ransomware, it raises a red flag and suspends the process so that it can do no further damage. Ransomware is also known to encrypt files on network shares; when an infected, unprotected system accesses a share on a protected system and tries to modify the files there, PBAE immediately invalidates the network session. Besides this, the following precautionary measures are also important:
 Update your antivirus software regularly to protect your system from malware attacks.
 Download applications only from the developer's official website or from the Google Play Store, never from unknown, unreliable sources.
 Prefer applications from reputable developers, and check the user ratings and reviews before installing.
 Keep all software installed on the system up to date, including Oracle Java and Adobe products.
 Implement a three-dimensional security policy in your organisation: first, understand your requirements and prepare the IT security policy accordingly; second, educate your staff about the policy; and finally, enforce it.
 Either deploy MailScan at the gateway or enable Mail Anti-Virus on the endpoint to block attachments with extensions such as *.EXE, *.SCR, *.JS and *.VBE, which would otherwise infect your system.
 Open e-mails only when you are sure of the source.
 Back up your important files regularly.
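To make the behavioural approach described under Solution concrete, here is an added example of the two signals such an engine can key on: a burst of high-entropy overwrites by one actor within a short window, and the same note stem being dropped as both .html and .txt. It distinguishes a local process (suspend it) from a session on a network share (drop the session). This is my illustration, not eScan's PBAE code, whose internals the page does not describe; the event schema, thresholds, actor names and the trace are assumptions constructed for the example, and the note filename in the trace is the one early Cerber builds used rather than anything the page names.

```python
from __future__ import annotations

import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed payloads: a flat byte histogram (entropy 8.0, what ciphertext looks like)
# and ordinary English text (around 4 bits per byte).
ENCRYPTED_LIKE = bytes(range(256)) * 16
PLAINTEXT_LIKE = b"Quarterly numbers: revenue up, costs flat, headcount unchanged.\n" * 40


@dataclass
class FileEvent:
    t: float        # seconds since the start of the trace
    actor: str      # "pid:<n>" = local process, "smb:<ip>" = remote session on a network share
    op: str         # "create" or "write"
    path: str
    data: bytes = b""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for encrypted or compressed data, 4-5 for text, 0 for empty."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Per-actor sliding window over high-entropy writes plus ransom-note drops (thresholds are mine)."""

    def __init__(self, window_s: float = 10.0, burst: int = 8, entropy_floor: float = 7.0):
        self.window_s, self.burst, self.entropy_floor = window_s, burst, entropy_floor
        self._hits: dict[str, deque] = defaultdict(deque)    # actor -> (t, path) of high-entropy writes
        self._notes: dict[tuple, set] = defaultdict(set)     # (actor, dir, stem) -> {"html", "txt"}
        self.flagged: dict[str, str] = {}                    # actor -> response taken

    @staticmethod
    def _split(path: str) -> tuple[str, str, str]:
        d, _, name = path.rpartition("/")
        stem, dot, ext = name.rpartition(".")
        return (d, stem, ext.lower()) if dot else (d, name, "")

    def observe(self, ev: FileEvent) -> Optional[str]:
        """Feed one event; return the response to apply, or None."""
        if ev.actor in self.flagged:                 # already contained: keep blocking
            return self.flagged[ev.actor]
        d, stem, ext = self._split(ev.path)
        note_pair = False                            # same stem dropped as both .html and .txt
        if ev.op == "create" and ext in ("html", "txt"):
            exts = self._notes[(ev.actor, d, stem)]
            exts.add(ext)
            note_pair = {"html", "txt"} <= exts
        hits = self._hits[ev.actor]
        if ev.op == "write" and shannon_entropy(ev.data) >= self.entropy_floor:
            hits.append((ev.t, ev.path))
        while hits and ev.t - hits[0][0] > self.window_s:  # drop hits outside the window
            hits.popleft()
        distinct = len({p for _, p in hits})
        # A full burst on its own, or a note pair backed by half a burst: the note pair
        # alone would also flag a tool that legitimately writes readme.txt and readme.html.
        if distinct >= self.burst or (note_pair and distinct >= self.burst // 2):
            action = "drop_session" if ev.actor.startswith("smb:") else "kill_process"
            self.flagged[ev.actor] = action
            return action
        return None


def replay(events: list[FileEvent]) -> dict[str, tuple[int, str]]:
    """Run the detector over a trace; return the first (event index, response) per actor."""
    det = RansomwareHeuristic()
    first: dict[str, tuple[int, str]] = {}
    for i, ev in enumerate(events):
        action = det.observe(ev)
        if action and ev.actor not in first:
            first[ev.actor] = (i, action)
    return first


def build_sample_trace() -> list[FileEvent]:
    """Constructed trace: a benign editor, a local encryptor, and an unprotected host hitting a share."""
    ev = [FileEvent(float(i), "pid:412", "write", f"/home/a/docs/n{i}.txt", PLAINTEXT_LIKE) for i in range(3)]
    ev += [FileEvent(3.0, "pid:412", "create", "/home/a/docs/readme.txt"),
           FileEvent(3.1, "pid:412", "create", "/home/a/docs/readme.html")]
    ev += [FileEvent(10.0 + i * 0.2, "pid:9001", "write", f"/home/a/photos/img{i}.jpg", ENCRYPTED_LIKE)
           for i in range(5)]
    ev += [FileEvent(11.2, "pid:9001", "create", "/home/a/photos/# DECRYPT MY FILES #.html"),
           FileEvent(11.3, "pid:9001", "create", "/home/a/photos/# DECRYPT MY FILES #.txt")]
    ev += [FileEvent(20.0 + i * 0.5, "smb:10.0.0.7", "write", f"/srv/share/q{i}.xlsx", ENCRYPTED_LIKE)
           for i in range(8)]
    return ev


if __name__ == "__main__":
    for actor, (idx, action) in replay(build_sample_trace()).items():
        print(f"{actor:15} event #{idx:<3} -> {action}")
```

Entropy alone is a weak signal (archives and media files are also high-entropy), which is why the example only acts on a burst across distinct files, or on the note pair once some encryption activity has been seen from the same actor. The benign editor in the trace writes a readme.txt and readme.html pair and is never flagged; the local encryptor is stopped on the note drop after five overwrites, and the remote SMB session is dropped on its eighth.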
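For the delivery section above (macro and OLE documents carrying VBS or JavaScript downloaders) and the attachment-blocking bullet, here is an added example of a gateway filter that applies the extension blocklist and then inspects the attachment bytes themselves, so that an executable renamed to .jpg or a .docx that carries a VBA project is still caught. This is my illustration, not MailScan's logic; the extensions beyond the four the page names, the sample message and the attachment contents are constructed for the example.

```python
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The four extensions the page lists, extended (my additions) with other script,
# shortcut and macro-enabled types that the same downloader campaigns abuse.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat",
    ".pif", ".com", ".cpl", ".lnk", ".docm", ".xlsm", ".pptm",
}
PE_MAGIC = b"MZ"                                  # Windows executable, DLL or screensaver
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx, .xlsm, ...) is a zip


def classify_bytes(data: bytes) -> str:
    """Coarse content type from magic bytes only; the filename is deliberately ignored."""
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if data.startswith(OLE_MAGIC):
        return "ole-compound"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "zip-damaged"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"      # VBA project present, whatever the extension claims
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "ooxml"
        return "zip"
    return "other"


def verdict_for(filename: str, data: bytes) -> tuple[str, str]:
    """Block, quarantine or allow one attachment, with the reason."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""   # last extension wins on Windows
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext}"
    kind = classify_bytes(data)
    if kind in ("pe-executable", "ooxml-macro"):
        return "block", f"content is {kind} although the name is {filename!r}"
    if kind == "ole-compound":
        return "quarantine", "legacy OLE document: extract and inspect VBA/OLE objects"
    return "allow", kind


def triage_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Parse an RFC 5322 message and return (filename, action, reason) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        out.append((name, *verdict_for(name, payload)))
    return out


def _ooxml_with_vba() -> bytes:
    """Constructed stand-in for a .docx whose zip carries a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure e-mail with four attachments; not a real Cerber sample."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    attachments = [
        ("invoice.pdf.js", b"var o=new ActiveXObject('MSXML2.XMLHTTP');"),  # double extension
        ("report.docx", _ooxml_with_vba()),                                 # macro hidden by extension
        ("photo.jpg", PE_MAGIC + b"\x90\x00" * 30),                         # renamed executable
        ("notes.txt", b"nothing to see here\n"),
    ]
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, action, reason in triage_message(build_sample_message()):
        print(f"{action:10} {name:18} {reason}")
```

The extension check alone would pass report.docx and photo.jpg; the content check blocks both. Legacy OLE documents are only quarantined here because the presence of VBA or an embedded OLE object cannot be read off the magic bytes; a production gateway would hand them to a VBA extractor such as olevba from oletools before deciding.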
Rise of Cerber ransomware