The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed down to a trickle in 2017.

Cerber's rise to the #1 spot is backed by an influx of new versions released this year, including one with features that allow it to evade security products that rely on behavioral analysis and machine learning.

Furthermore, while Locky and TeslaCrypt, 2016's undisputed leaders, were distributed by one group, Cerber has adopted the RaaS model and relies on the greed and money hunger of different groups to keep its distribution going.

Backend panel for Cerber ransomware RaaS [Source: David Montenegro]

The constant stream of Cerber versions, the RaaS model, and the Necurs botnet dropping Locky and switching to other payloads have allowed Cerber to rise well above other ransomware distributions.

According to the Malwarebytes "Cybercrime tactics and techniques" Q1 report, Cerber is nearing 90% in terms of ransomware distribution, very close to the all-time dominant position that TeslaCrypt had in May 2016, just before it voluntarily shut down.

Ransomware distribution in the first months of 2017 [Source: Malwarebytes]

But while the chart above shows distribution numbers, not all of those are infections. A similar chart is provided below by the team at ID-Ransomware, which relies on infected users who are trying to identify the name of the ransomware that has infected their computer.

This chart, covering the last ten days, also shows Cerber dominating other ransomware families, such as Spora, Shade (Troldesh), Locky, and Sage.

Ransomware infections in the last 10 days [Source: MalwareHunterTeam]

Statistics from Microsoft also show Cerber as the primary ransomware infection on enterprise endpoints, taking up over a quarter of all ransomware infections.

Ransomware encounters on enterprise endpoints [Source: Microsoft]

Right now, Cerber may be dominating, but if history teaches us anything, it is that this won't last long. Either the Cerber crew will shut down their operation on their own (like TeslaCrypt), or they'll move to a new business model (like the Locky/Necurs crew), or they'll end up under arrest (like BitCryptor/CoinVault). Nonetheless, there'll always be another ransomware family waiting in the shadows to take Cerber's place. Right now, that ransomware seems to be Spora.

Below are the results of a new study on ransomware awareness published today by Trustlook:

  • 48% of consumers are not worried about becoming a victim of a ransomware attack
  • 17% of consumers have been infected with ransomware
  • 38% of affected consumers paid the ransom
  • $100-$500 was the dollar range of ransomware payouts by consumers
  • 45% of consumers have not heard of ransomware
  • 23% of consumers do not back up the files on their computer or mobile device
  • 7% of non-impacted consumers say they would pay the ransom if they were hacked