Cerber ransomware variants now actively try to detect and evade Canary files
Written By
Uri Sternfeld
We have recently discovered some variants of the Cerber ransomware which actively look for canary files and try to evade them, as a technique to bypass anti-ransomware technologies that use canary files. Our team created a “fix” that makes sure RansomFree and the Cybereason platform are effectively protecting against these variants.
Like any ransomware program, Cerber’s goal is to quickly encrypt the files that matter to users. Canary files interfere with that mission. These decoy files, which anti-ransomware programs plant on machines, exist to be encrypted first: when a process modifies one, the anti-ransomware program is alerted that an attack is underway.
To avoid encrypting canary files and triggering anti-ransomware programs, a new feature in Cerber searches the computer for any image file (.png, .bmp, .tiff, .jpg, etc.) and checks whether each one is a valid image. Image files are commonly used as canary files. If a malformed image is found, Cerber skips the entire directory that contains it and encrypts nothing in it.
While this trick might allow Cerber to evade some canary-file anti-ransomware solutions, it also makes Cerber itself vulnerable: a user can “vaccinate” any important directory against Cerber by creating an invalid image file inside it, for example by copying any non-image file into the directory and renaming it with a .jpg extension. Cerber will assume the file is a canary planted by an anti-ransomware program on the user’s machine and refuse to encrypt the directory.
Check out the video below to see this “vaccine” in action. You’ll see Cerber running on a machine with two nearly identical directories full of files that ransomware would typically encrypt. The only difference is that one directory contains a bogus .jpg file. As a result, Cerber does not encrypt that directory.
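The two-directory setup in the video, reproduced as an added example that is not Cybereason’s code and not Cerber’s. The post says Cerber checks whether image files are “valid” but does not say how; this script assumes a magic-number header check, which is the simplest plausible test. It emulates the directory-skip decision (without encrypting anything) and shows the vaccine: a non-image file saved with a .jpg extension. All file names and contents below are constructed.

```python
import os
import shutil
import tempfile

# Leading bytes for the formats the post names. ASSUMPTION: the post does
# not document Cerber's validity test; a header check stands in for it here.
IMAGE_MAGIC = {
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".bmp":  [b"BM"],
    ".tif":  [b"II*\x00", b"MM\x00*"],   # little- and big-endian TIFF
    ".tiff": [b"II*\x00", b"MM\x00*"],
}


def header_matches(head, ext):
    """True if the first bytes of a file match the magic for its extension."""
    magics = IMAGE_MAGIC.get(ext.lower())
    if magics is None:
        return True            # not an image extension: nothing to validate
    return any(head.startswith(m) for m in magics)


def looks_like_valid_image(path):
    """Read the header of one file and validate it against its extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return header_matches(head, os.path.splitext(path)[1])


def directory_has_decoy(directory):
    """Emulated Cerber check: one malformed image marks the whole directory."""
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        ext = os.path.splitext(name)[1].lower()
        if os.path.isfile(full) and ext in IMAGE_MAGIC:
            if not looks_like_valid_image(full):
                return True
    return False


def plan_encryption(root):
    """Walk root and split directories into (would_encrypt, would_skip).

    Nothing is written or encrypted; this only reproduces the decision.
    """
    targets, skipped = [], []
    for dirpath, _dirs, _files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        (skipped if directory_has_decoy(dirpath) else targets).append(rel)
    return targets, skipped


def vaccinate(directory, name="vaccine.jpg"):
    """The post's vaccine: a non-image file with an image extension."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"This is not an image.\n")   # constructed, deliberately invalid
    return path


def demo():
    """Build the two-directory scenario from the post and return the plan."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    try:
        unprotected = os.path.join(root, "docs_unprotected")
        vaccinated = os.path.join(root, "docs_vaccinated")
        for d in (unprotected, vaccinated):
            os.mkdir(d)
            with open(os.path.join(d, "report.docx"), "wb") as fh:
                fh.write(b"constructed sample document")
            with open(os.path.join(d, "photo.png"), "wb") as fh:
                fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)   # valid header
        vaccinate(vaccinated)       # the only difference between the two
        targets, skipped = plan_encryption(root)
        return {"targets": sorted(targets), "skipped": sorted(skipped)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The emulation is only as faithful as its assumed validity check; a variant that parses images more thoroughly would not be fooled by a different kind of malformed file, and a variant that drops the check entirely would encrypt the vaccinated directory along with everything else. Treat the vaccine as a stopgap for this specific behaviour, not as a substitute for backups and endpoint protection.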
You may find samples of the relevant Cerber variants in the following links:
Over 15 years of experience in software design, programming and technology research. Experienced in cyber-security, computer networks, client-server architecture, web-crawling, data-mining, automation and reverse-engineering