
CERBER Changes Course, Triple Checks for Security Software

By Marvelous Pelin and Gilbert Sison

CERBER is a ransomware family that has seen its share of unusual features since its appearance early last year. From its use of audio warnings, to the targeting of cloud platforms and databases, to distribution via malvertising, emailed scripting files, and exploit kits, CERBER has always been willing to keep up with the times, as it were. One reason for its apparent popularity may be the fact that it is sold in the Russian underground, giving a wide variety of cybercriminals access to it.

However, we’ve started seeing CERBER variants (which we detect as RANSOM_CERBER.F117AK) add a new wrinkle to their behavior: they have gone out of their way to avoid encrypting security software. How did they do this?

Normally, ransomware’s goal is to encrypt the data on a system and leave the applications intact. Files in folders where applications are typically installed and where the operating system is located are usually whitelisted by ransomware and not encrypted. Only files with specific extensions are encrypted, which normally excludes executable files as well.

The new CERBER variants go above and beyond this by checking if any security products are installed on the system. The built-in Windows Management Interface (WMI) is “the infrastructure for management data and operations on Windows-based operating systems”. In effect, it is a powerful tool used for (as the name implies) sharing system management information, which frequently includes the installed software, security products among it.

CERBER queries for the contents of three WMI classes: FirewallProduct, AntiVirusProduct, and AntiSpywareProduct. As the names imply, these cover firewall, antivirus, and antispyware products. CERBER extracts the directories where these are installed and adds them to the list of whitelisted folders, which are spared from any encryption.
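As an added detection example (not code from the original post or from Trend Micro), the script below groups constructed WMI-query telemetry by process and flags any process that reads all three security-product classes named above; an inventory agent that reads only AntiVirusProduct is left alone. The trace line format, the process names and the user-writable-path heuristic are assumptions, not something the write-up states.

```python
import re
from collections import defaultdict

# The three Security Center classes the write-up says CERBER reads (hence the "triple check").
SECURITY_PRODUCT_CLASSES = frozenset({"FirewallProduct", "AntiVirusProduct", "AntiSpywareProduct"})
_CANONICAL = {c.lower(): c for c in SECURITY_PRODUCT_CLASSES}  # WQL class names are case-insensitive
# Heuristic (an assumption): droppers often run from user-writable locations, unlike admin tooling.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample telemetry (not a real capture): one WMI query per line, as an EDR or sandbox might log it.
SAMPLE_TRACE = """\
pid=1234 image=C:\\Windows\\System32\\svchost.exe query="SELECT * FROM Win32_Service"
pid=4120 image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe query="SELECT * FROM AntiVirusProduct"
pid=4120 image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe query="SELECT * FROM FirewallProduct"
pid=4120 image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe query="select * from antispywareproduct"
pid=2201 image=C:\\Program Files\\Inventory\\agent.exe query="SELECT displayName FROM AntiVirusProduct"
"""

LINE_RE = re.compile(r'pid=(\d+) image=(.+?) query="([^"]*)"')
CLASS_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def parse_trace(text):
    """Parse trace lines into events of (pid, image, wmi_class); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        cls = CLASS_RE.search(m.group(3)) if m else None
        if cls:
            name = cls.group(1)
            events.append({"pid": int(m.group(1)), "image": m.group(2),
                           "wmi_class": _CANONICAL.get(name.lower(), name)})
    return events


def find_triple_checks(events):
    """Return one finding per process that queried all three security-product classes.
    A single AntiVirusProduct query (inventory agents, admin scripts) is not enough on its own."""
    per_pid = defaultdict(lambda: {"image": None, "classes": set()})
    for ev in events:
        if ev["wmi_class"] in SECURITY_PRODUCT_CLASSES:
            per_pid[ev["pid"]]["image"] = ev["image"]
            per_pid[ev["pid"]]["classes"].add(ev["wmi_class"])
    findings = []
    for pid, info in sorted(per_pid.items()):
        if info["classes"] == SECURITY_PRODUCT_CLASSES:
            findings.append({"pid": pid, "image": info["image"], "classes": set(info["classes"]),
                             "from_user_writable_path": any(h in info["image"].lower() for h in USER_WRITABLE_HINTS)})
    return findings


for f in find_triple_checks(parse_trace(SAMPLE_TRACE)):
    print(f"pid {f['pid']} ({f['image']}) queried all three security-product classes; "
          f"user-writable path: {f['from_user_writable_path']}")
```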

Figures 1 and 2. Code for detecting security products

It’s not clear what the immediate goal of this behavior is. The typical directories for software installation of any kind in Windows are already part of the whitelist. Similarly, executable files such as those with .exe or .dll extensions are not targeted for encryption either. For now, it appears that the attackers only want to be triply sure that security software is not encrypted.

Aside from this security software detection, the behavior of these variants is similar to that of other CERBER variants, with a ransom demand of 1 BTC (approximately US$1,000), which doubles to 2 BTC after five days. The infection vectors are also similar.


Figure 3. CERBER ransom demand

Trend Micro Solutions

To address ransomware, reacting to threats as they occur isn’t enough. Strategic planning and a proactive, multilayered approach to security go a long way, from the gateway to endpoints, networks, and servers.

Trend Micro endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages, as well as blocking all related malicious URLs. Trend Micro Deep Discovery has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

Trend Micro OfficeScan with XGen endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and advanced malware.

Trend Micro Ransomware Solutions
