After being quiet for years, Cerber is back with a vengeance. In 2020 it was one of the most serious cyber threats facing the healthcare sector. In the second half of 2020 alone, more than 21.3 million healthcare records were breached. This is an increase of 177% from the 7.7 million records breached in the first half of the same year. There is currently no means to decrypt files infected with Cerber for free.
In 2017, Cerber was an extremely popular ransomware application amongst cybercriminals. It was the dominant ransomware, accounting for 90% of all Windows-based ransomware attacks. Then in 2018, Cerber went quiet, leading security researchers to think that it had died. However, it came back last year with new tricks up its sleeve.
“Although old malware variants such as Cerber tend to resurface, these are often re-factored to include new tricks, though at the core are still leveraging tried and true techniques,” said Greg Foss, senior cybersecurity strategist at VMware Carbon Black.
The ransomware is named after Cerberus, the monstrous multiheaded watchdog of Greek mythology that guards the gates of the Underworld to prevent the dead from leaving. Cerber uses the ransomware-as-a-service (RaaS) model. In such a model, cybercriminals purchase the software from the ransomware’s developers to extort money from victims. The ransomware is often purchased using untraceable cryptocurrency. The buyers then pay the developers a percentage of what they extort for the use of the software.
Cerber is easily purchased on the dark web. It is being sold to distributors mainly on underground Russian forums.
Cerber often takes advantage of unpatched software vulnerabilities or is spread via malicious email attachments. It can prevent antivirus tools from detecting it and uses strong RSA encryption. There is currently no means to decrypt files infected with Cerber for free.
Exponential Increase in Attacks on Healthcare Sector
According to a report from CI Security, in the second half of 2020 more than 21.3 million healthcare records were breached. This constitutes an increase of 177% from the 7.7 million records breached in the first half of the same year.
The report states that the Covid-19 pandemic saw the healthcare sector scrambling to bring more systems online to care for the increase in patient numbers. This sometimes happened at the expense of cybersecurity, which led to the creation of several security holes in infrastructure networks.
Another factor in the huge increase in attacks on the healthcare sector was its use of SolarWinds software. This left healthcare organizations open to the same security risks facing Fortune 500 companies, the US military and government agencies.
Other research noted that cyberattacks on healthcare organizations increased by an enormous 9,851% compared to 2019. That makes about 816 attempted cyberattacks per healthcare endpoint, or 239.4 million attacks in total.
Cerber Most Common Ransomware Targeting Healthcare
Cybersecurity researchers at VMware Carbon Black identified Cerber as the most common ransomware targeting the healthcare sector in 2020. It accounted for 58% of the ransomware attacks. Other prolific ransomware groups targeting healthcare in 2020 included REvil, aka Sodinokibi (16%), VBCrypt (14%), Cryos (8%) and VBKrypt (4%).
Cerber, like other ransomware groups, attacks the healthcare sector because healthcare organizations are seen as easy targets. These organizations, such as hospitals, rely on systems being accessible in order to provide patient care. Consequently, they are often more willing than other organizations to pay ransoms to regain access to their files. They also often opt to pay the ransom so cybercriminals won’t publish stolen data on the dark web. As healthcare records are very sensitive, this would compromise the privacy of their patients.
Another reason why the healthcare sector is a prime target for Cerber is the 24/7 nature of its business. Since hospitals are open around the clock, it can be difficult for them to take parts of their systems offline to install patches and security updates. However, these are crucial in protecting hospitals from falling victim to cyberattacks that exploit known vulnerabilities.