At the end of 2016, the online community was arguing about which ransomware deserved the title of the most dangerous cyber threat of the year: Locky or Cerber. Locky took the title, but the situation has changed dramatically during the past three months. Looking at the Malwarebytes Cyber tactics and techniques Q1 2017 report, we would like to ask: where did Locky go? No one can explain what has happened to the most dangerous virus of the year; however, malware researchers know where to find Cerber: at the top of the most active ransomware list. It seems that second place motivated the developers to do everything to make Cerber the king of ransomware.
Since the beginning of the year, Cerber’s market share kept growing, from 70% in January to 90% at the end of March. Researchers claim that the success of the ransomware is based on new tactics to avoid antivirus detection, improved distribution techniques and the popularity of Ransomware-as-a-Service (RaaS). Although the authors of the virus stay faithful to the traditional malware distribution technique, malicious spam emails, they are still updating and improving this method. We have already talked about one of the recent spam campaigns that used the “Blank Slate” technique. What is more, the virus is actively spread via phishing emails that contain a fake Dropbox link. Active distribution and unique methods allow Cerber to trick more computer users and take their files hostage. Meanwhile, wannabe hackers are inspired by the success of this pest, and a lack of programming skills is no longer a problem for them. They can purchase a “license” of the most dangerous virus, modify it and launch new ransomware campaigns. Thus, selling Cerber’s code and letting others launch their own variants of the virus brought the victory.
While the authors of Cerber have shown us advanced techniques and improvements, the developers of Locky seem to have disappeared. Maybe they celebrated their victory for too long and forgot that in order to stay number one, they need to come up with something new. However, malware researchers have not confirmed any reasons why Locky’s activity dropped so drastically. Last year, the developers of the virus earned over 50 million dollars and had 70% of the market share. In January 2017, its market share fell to 12%, and to 2% at the end of March. Researchers suspect that this situation might be related to the Necurs spam botnet, which has stopped spreading Locky along with its variants. Some rumors say that the developers might have found other business opportunities, while others speculate that the criminals were finally caught by law enforcement. Although we do not have any news about hackers being locked in jail, we can celebrate a little that one of the most dangerous viruses is fading from the web.
However, there’s no reason to feel safe or to dream about the end of the ransomware business. The authors of Cerber are still taking their job seriously. Besides, new ransomware families keep emerging. According to the Malwarebytes report, the Spora and Sage viruses are expected to hit the spotlight this year. Both cyber infections have been spotted actively spreading during the first quarter of the year, and are notable for their features, distribution techniques and the unique services they offer to victims. Obviously, it will take some time to see whether these two malware families become competitors to Cerber or not. Hopefully, they won’t.