This old form of ransomware has returned with new tricks and new targets
A form of ransomware that was once the most popular choice among cyber criminals has made a comeback and is being used to target healthcare.
What helped make it so prolific was its ‘as-a-service’ model, whereby Cerber’s authors allowed other cyber criminals to use their code – complete with an easy-to-use service portal – in exchange for a percentage of any bitcoin made in ransom payments.
Typically, ransoms only amounted to a few hundred dollars – minuscule compared to today’s ransomware attacks demanding hundreds of thousands or millions of dollars in exchange for a decryption key – but the potency of Cerber led to a lot of victims giving in to ransom demands, providing a profitable business model for both Cerber authors and affiliates.
By 2018, it looked as if Cerber had disappeared, replaced by other forms of ransomware as cyber-criminal business models changed and attackers went after whole enterprise networks and started demanding much higher sums for decryption keys.
But Cerber is back with cybersecurity researchers at security company VMware Carbon Black identifying it as the most common ransomware targeting healthcare during 2020.
Analysis of 239 million attempted cyberattacks targeting Carbon Black customers in healthcare found Cerber to be the most common form of ransomware, accounting for 58% of ransomware attacks attempting to target the sector.
Cerber might be one of the older forms of ransomware, but the prolific way it’s being distributed by phishing emails and compromised websites suggests that it’s still effective.
“Although old malware variants such as Cerber tend to resurface, these are often re-factored to include new tricks, though at the core are still leveraging tried and true techniques,” said Greg Foss, senior cybersecurity strategist at VMware Carbon Black.
“All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets. Today, it’s unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware,” he added.
Some of the other most prolific ransomware attacks targeting healthcare include Sodinokibi, VBCrypt, Cryos and VBKrypt.
Hospitals are, unfortunately, a regular target for cyber criminals distributing ransomware because healthcare relies on systems being accessible in order to provide patient care.
This sometimes leads to hospitals quickly opting to pay a ransom demand, because it’s seen as the best way to avoid compromising the health of patients – and increasingly, stopping cyber criminals from publishing stolen data, which in healthcare can be highly sensitive.
For cyber criminals, healthcare also makes an appealing target because the 24/7 nature of the sector means that it can be difficult to take parts of the network offline in order to install the relevant patches and security updates to protect against cyberattacks exploiting known vulnerabilities.
However, it’s crucial that healthcare finds a way of applying these patches. Not only can they help protect the hospital from falling victim to cyberattacks in the first place, taking part of the network offline to apply updates is going to be much less painful than the whole hospital network being taken offlie by a ransomware attack.