The criminal group behind the Cerber ransomware was extremely busy at the start of April and at the end of May, according to a recent report from Israeli security firm Check Point.
Cerber is a new ransomware strain that appeared at the start of the year and is believed to be the work of a Russian development team. Its trademark is the use of a Text-To-Speech (TTS) API to read the ransom note aloud to infected users.
Since then, the ransomware has constantly evolved and gained new features, a dead giveaway that an organized cyber-crime group with the financial and human resources to keep Cerber updated is behind it.
Cerber distribution takes place in waves
What was unusual about Cerber was that the people behind the malware did not run permanent operations. The crooks sent out a giant wave of spam for a few days, then usually took a break for a week or more.
Check Point says the two most recent waves were bigger than usual, which is what drew its attention. The first wave ran from April 4 to 18, the second from May 20 to 31.
The crooks sent out large volumes of spam email carrying Office documents with malicious macros, which downloaded and installed the ransomware.
Users in the US, Turkey and the UK were the most affected
This particular campaign hit users in the US the hardest, with 41 percent of all targets residing in that country. Second were users in Turkey, followed by the UK, Israel, and Taiwan.
What is extremely strange is that the second Cerber spam flood overlapped perfectly with a Locky ransomware spam wave that occurred at the same time.
ESET and Proofpoint reported a large spam campaign delivering ZIP archives containing malicious JS files that downloaded and installed the Locky ransomware. At the time of writing, there is no evidence of a connection between the crooks distributing Locky and those behind Cerber.
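As an added example, not code from the article or from Check Point, ESET or Proofpoint, the following Python script triages e-mail attachments for the two delivery mechanisms mentioned in this article: Office documents carrying a VBA macro project (the Cerber lure) and ZIP archives containing script files such as .js (the Locky lure). Detection is based on content rather than file extension, so a macro-enabled document renamed to .docx is still caught. The sample attachments are constructed in memory for the demonstration and are not real Cerber or Locky samples; the member names and content-type strings follow the standard OOXML packaging layout. Legacy OLE2 .doc/.xls files are a different container and are out of scope here.

```python
"""Attachment triage for macro-bearing OOXML documents and script-carrying ZIP archives."""
import io
import zipfile

# Substring of the .docm/.xlsm/.pptm main-part content type in [Content_Types].xml
MACRO_CONTENT_TYPE = "macroEnabled"
# Script extensions commonly used inside spam ZIP attachments (assumption: list is illustrative)
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def _open_zip(data: bytes):
    """Return a ZipFile for zip-formatted bytes, or None for anything else."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return None
    buf.seek(0)
    try:
        return zipfile.ZipFile(buf)
    except zipfile.BadZipFile:
        return None


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML package contains a VBA project or advertises a macro-enabled content type."""
    z = _open_zip(data)
    if z is None:
        return False  # legacy OLE2 .doc/.xls would need a separate parser
    with z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            return MACRO_CONTENT_TYPE in types_xml
    return False


def zip_script_members(data: bytes) -> list:
    """Names of script files inside a ZIP, including double extensions like 'statement.pdf.js'."""
    z = _open_zip(data)
    if z is None:
        return []
    with z:
        return [n for n in z.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the list of indicators found; extension is only used for bare script files."""
    verdicts = []
    if ooxml_has_macros(data):
        verdicts.append("macro-document")
    if zip_script_members(data):
        verdicts.append("script-in-archive")
    if filename.lower().endswith(SCRIPT_EXTENSIONS):
        verdicts.append("bare-script")
    return verdicts or ["no-indicator"]


def _build_zip(members: dict) -> bytes:
    """Build a zip in memory from {member_name: content} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware); the content types are the real OOXML strings.
_DOCX_CT = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
_DOCM_CT = _DOCX_CT.replace("application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
                            "application/vnd.ms-word.document.macroEnabled.main+xml")
_MACRO_DOC = _build_zip({"[Content_Types].xml": _DOCM_CT,
                         "word/document.xml": "<w:document/>",
                         "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder VBA project"})

SAMPLES = {
    "invoice.docx": _build_zip({"[Content_Types].xml": _DOCX_CT, "word/document.xml": "<w:document/>"}),
    "invoice.docm": _MACRO_DOC,
    "renamed.docx": _MACRO_DOC,  # macro document renamed to look harmless
    "statement.zip": _build_zip({"statement_2016.pdf.js": "// placeholder script body (constructed)"}),
    "photos.zip": _build_zip({"photo1.jpg": b"\xff\xd8\xff"}),
    "readme.txt": b"plain text attachment",
}


def triage_all(samples: dict) -> dict:
    """Run triage over every sample; returns {filename: [indicators]}."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        print(f"{name:16} {', '.join(verdict)}")
```

In a mail gateway the same two checks would run on each MIME part before delivery; the content-based macro check is the one that matters, because the extension is entirely under the sender's control.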