2017 was the year when Locky Ransomware first arrived on the scene, with the ransomware variant fast becoming the biggest ransomware threat. Locky infections rose rapidly following its release in February and continued to rise in the first half of the year. The ransomware variant was initially installed via exploit kits, although as exploit kit activity fell, the developers switched to spam email as the primary attack vector.

As 2016 progressed, Locky activity declined. While Locky infections continue, it is no longer the biggest ransomware threat. Locky now accounts for just 2% of infections. A new report from Malwarebytes has revealed that the biggest ransomware threat – by some distance – is Cerber ransomware.

Cerber ransomware is now behind 90% of all global ransomware infections, with those attacks performed using many different variants of the ransomware. Cerber has even surpassed TeslaCrypt; a previously highly prevalent ransomware variant that dominated attacks in 2015 and early 2016. At the start of 2017, Cerber’s ‘market share’ stood at 70%, although that increased to 90% by the end of Q3.

The secret of the success of Cerber lies not only in the sophistication of the ransomware, but how it is being used and distributed. Cerber ransomware has become the biggest ransomware threat because it is not only the authors that are using it to attack organizations. There is now an army of affiliates using the ransomware. Those affiliates do not need programming experience and neither much in the way of technical skill. Their role is simple. They are simply distributors who get a cut of the profits for any ransoms they manage to generate.

Ransom payments are likely with Cerber infections. There is no decryptor for the ransomware as no flaws have been discovered. Files locked by Cerber cannot be unlocked without the decryption keys, and only the attackers have access to those. The encryption used is of military-grade, says Malwarebytes. Further, a computer does not even need to be connected to the Internet in order for files to be encrypted. The latest variants also include a host of new defenses to prevent detection and analysis.

The primary attack vector used is email. Cerber is distributed in spam email, with infection occurring when a user opens an infected email attachment. That triggers the downloading of Cerber from the attacker’s Dropbox account.

With the new defenses put in place by its authors and no shortage of affiliates signing up to use the ransomware-as-a-service, Cerber looks set to remain the main ransomware threat throughout Q2. Attacks will continue and likely increase, and new variants will almost certainly be released.

All organizations can do is to improve their defenses against attack. Cybersecurity solutions should be employed to prevent spam emails from being delivered to end users. Staff should be trained how to identify malicious emails and not to open email attachments sent from unknown senders. Organizations should also use security tools to detect endpoint infections.

Since even with advanced security defenses infections are still possible, it is essential that all data are backed up and those backups tested to ensure they will allow encrypted data to be recovered.