Cerber Ransomware Targets Millions of Users, Bypassing Microsoft’s Security Defenses


A massive attack was launched against Microsoft's Office 365 users last week, in which over 57% of companies that use the program received at least one copy of the infected emails. Using the variants of popular Cerber ransomware, criminal hackers launched a zero-day attack that was able to bypass Office 365's security checks.

Ransomware targets millions of Office 365 business users

The attack began on June 22, when attackers sent a wave of spam emails carrying malicious file attachments infected with the Cerber ransomware. A huge number of corporate systems were targeted with these emails, until Microsoft detected it after about 24 hours, and started to block the malicious file attachments. Bypassing Microsoft's security defenses, the ransomware managed to arrive in the inboxes of enterprise users of Office 365, without being detected by Microsoft's security tools.


In the past few months, we have seen an increasing number of cases where criminals have used ransomware to attack consumers and enterprises. The latest onslaught is possibly one of the most widespread ransomware threats launched against businesses. A report from the cloud security provider Avanan revealed that the attack lasted for more than 24 hours, possibly affecting millions of Office 365 business users. "While difficult to precisely measure how many users got infected, roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack," Avanan said. Microsoft reported in the first quarter of 2016 that there are almost 18.2 million Office 365 subscribers, which means we are looking at a large-scale attack.


Cerber ransomware has been gaining popularity in the last two months, after being spotted for the first time in March. Evolving in the following months, the threat was recently seen morphing every 15 seconds to avoid detection. Like other ransomware, Cerber encrypts user files and demands payment to restore the data and return control of the system to the user. In only a few months, Cerber has become the third most detected ransomware family, behind CryptoWall and Locky.

In the latest case, Cerber was attached as a document to the spam emails sent to Office 365 users. Victims were told to pay 1.24 Bitcoin (~500 USD) to regain access to their data. Avanan noted that traditional antivirus and anti-malware applications were not able to detect this attack. Unlocking the data yourself is next to impossible as well, since Cerber uses AES-256 and RSA encryption, "which is currently unbreakable."

In the last two months, we have seen these attacks shift their target from individuals to enterprises. Apart from some educational institutes, we also saw Congress blocking Yahoo Mail and Google Services after these ransomware attacks. While educating business users about best security practices, enterprises should also combine multiple security tools to beef up their system security, instead of relying on a single off-the-shelf security product.
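To illustrate the "combine multiple security tools" advice above, and why a sample that morphs every few seconds slips past a single signature-style check, here is an added Python example of a layered mail-attachment filter. It is not code from the article, Avanan or Microsoft, and it does not model the real Cerber attachment (the article does not describe its format): the attachment bytes, file names and extension lists are constructed for the demonstration.

```python
import hashlib

# Illustrative policy lists for this example, not any vendor's configuration.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "jar", "bat", "cmd", "hta"}
OFFICE_EXTENSIONS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf"}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr"}

# File-type signatures (magic bytes) the content check recognises.
PE_MAGIC = b"MZ"                                  # Windows executable image
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx) container


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename: str, data: bytes, bad_hashes: set) -> list:
    """Run three independent checks and return the names of those that fire.
    An empty list means no check flagged the attachment."""
    findings = []
    ext = extension_of(filename)

    # Layer 1: exact-match hash blocklist. Cheap and precise, but any change
    # to the file (a re-packed "morph") yields a new hash and the check is silent.
    if sha256_hex(data) in bad_hashes:
        findings.append("hash-blocklist")

    # Layer 2: policy on the claimed file type (script/executable extensions).
    if ext in BLOCKED_EXTENSIONS:
        findings.append("blocked-extension")

    # Layer 3: does the content match what the name claims? An executable
    # image named like an Office document is flagged whatever its hash.
    claims_office = ext in OFFICE_EXTENSIONS
    is_office_container = data.startswith(OLE_MAGIC) or data.startswith(ZIP_MAGIC)
    is_pe = data.startswith(PE_MAGIC)
    if (claims_office and not is_office_container) or (is_pe and ext not in EXECUTABLE_EXTENSIONS):
        findings.append("type-mismatch")

    return findings


# Constructed sample attachments; the bytes are synthetic, not real malware.
SAMPLE_V1 = PE_MAGIC + b"\x90" * 32 + b"build-0001"   # first sighting
SAMPLE_V2 = PE_MAGIC + b"\x90" * 32 + b"build-0002"   # the same file, "morphed"
CLEAN_DOCX = ZIP_MAGIC + b"\x14\x00" + b"[Content_Types].xml"
SCRIPT = b"var x = 1;"

# Blocklist built from the first sighting only, as a signature feed would be.
BAD_HASHES = {sha256_hex(SAMPLE_V1)}


def run_demo() -> dict:
    """Evaluate the constructed samples; returns {label: findings}."""
    cases = {
        "invoice.doc (first sighting)": ("invoice.doc", SAMPLE_V1),
        "invoice.doc (morphed copy)": ("invoice.doc", SAMPLE_V2),
        "report.docx (clean)": ("report.docx", CLEAN_DOCX),
        "update.js": ("update.js", SCRIPT),
    }
    return {label: check_attachment(name, data, BAD_HASHES) for label, (name, data) in cases.items()}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label:30} -> {findings or ['clean']}")
```

The morphed copy is missed by the hash blocklist but still caught by the content-versus-name check, which is the point of stacking checks that fail independently rather than trusting one of them.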