The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed down to a trickle in 2017.
Cerber's rise to the #1 spot is backed up by an influx of new versions released this year, including one with features that allow it to evade security products that rely on behavioral analysis and machine learning.
Furthermore, while Locky and TeslaCrypt, 2016's undisputed leaders, were distributed by one group, Cerber has adopted the RaaS model and relies on the greed and money hunger of different groups to keep its distribution going.
The constant stream of Cerber versions, the RaaS model, and the Necurs botnet dropping Locky and switching to other payloads have allowed Cerber to rise well above other ransomware distributions.
According to the Malwarebytes "Cybercrime tactics and techniques" Q1 report, Cerber is nearing 90% in terms of ransomware distribution, very close to the all-time dominant position that TeslaCrypt had in May 2016, just before it voluntarily shut down.
But while the chart above shows distribution numbers, not all of those are infections. A similar chart is provided below by the team at ID-Ransomware, which relies on infected users that are trying to identify the name of the ransomware that has infected their computer.
This chart, covering the last ten days, also shows Cerber dominating other ransomware families, such as Spora, Shade (Troldesh), Locky, and Sage.
Statistics from Microsoft also show Cerber as the primary ransomware infection on enterprise endpoints, taking up over a quarter of all ransomware infections.
Right now, Cerber may be dominating, but if history teaches us anything, it is that this won't last long. Either the Cerber crew will shut down their operation on their own (like TeslaCrypt), or they'll move to a new business model (like the Locky/Necurs crew), or they'll end up under arrest (like BitCryptor/CoinVault). Nonetheless, there'll also be another ransomware family waiting in the shadows to take Cerber's place. Right now, that ransomware seems to be Spora.
Below are the results of a new study on ransomware awareness published today by Trustlook: