Vaccine discovered for Cerber ransomware - based on its own evasion

Security researchers have discovered previously undocumented behaviour of existing strains of Cerber ransomware that could help in “vaccinating” a system's files and folders.

According to researchers at Cybereason, the behaviour was discovered through Cybereason's free anti-ransomware tool RansomFree. It was found that when cyber-criminals attempted to hack RansomFree, it backfired and instead resulted in a possible directory-specific “vaccine” that prevented the ransomware from encrypting files.

In a YouTube video, researchers demonstrate how the process works. Cerber searches computers for image files (.png, .bmp, .tiff, .jpg, etc.) and checks whether each one is valid, because image files are commonly used as canary files by anti-ransomware tools. If a malformed image is found, Cerber skips the entire directory in which it is located and does not encrypt it.

While this trick might allow Cerber to evade some canary-file anti-ransomware solutions, it also makes it vulnerable - a user can “vaccinate” any important directory against Cerber by creating an invalid image file inside it.
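The check described above, and the vaccine it makes possible, can be shown in a few lines. The script below is an added example and is not Cybereason's RansomFree code or anything from the Cerber analysis: it assumes that "valid" means the file header matches the extension's magic bytes (the article does not say how Cerber validates an image), plants a deliberately malformed `.png` named `vaccine.png` (a file name chosen here) in every directory under a root that does not already contain an invalid image, and reports whether a directory now meets the skip condition. The sample directory it builds is constructed in a temporary folder.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Header magic for the formats the article lists. Treating "valid image" as
# "header matches extension" is an assumption made for this example.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".bmp": [b"BM"],
    ".tif": [b"II*\x00", b"MM\x00*"],
    ".tiff": [b"II*\x00", b"MM\x00*"],
}

VACCINE_NAME = "vaccine.png"  # hypothetical name chosen for this example


def is_valid_image(path: Path) -> bool:
    """Return True if the file's first bytes match the magic for its extension."""
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(8)
    return any(head.startswith(magic) for magic in MAGIC[ext])


def image_files(directory: Path) -> List[Path]:
    """All files in the directory whose extension is one of the image types."""
    return [p for p in directory.iterdir()
            if p.is_file() and p.suffix.lower() in MAGIC]


def directory_is_vaccinated(directory: Path) -> bool:
    """True if at least one image file here fails validation - the condition
    the article says makes Cerber skip the whole directory."""
    return any(not is_valid_image(p) for p in image_files(directory))


def vaccinate(directory: Path) -> Path:
    """Plant a deliberately malformed .png and return its path."""
    target = directory / VACCINE_NAME
    if not target.exists():
        # Plain text with a .png extension: fails any header check.
        target.write_bytes(b"NOT-AN-IMAGE\n")
    return target


def vaccinate_tree(root: Path) -> List[Path]:
    """Walk the tree and vaccinate every directory that is not already covered."""
    created = []
    for dirpath, _dirs, _files in os.walk(root):
        directory = Path(dirpath)
        if not directory_is_vaccinated(directory):
            created.append(vaccinate(directory))
    return created


def demo() -> dict:
    """Build a constructed tree with one real-looking PNG, vaccinate it, and
    report the before/after state of the 'docs' directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "docs"
        docs.mkdir()
        # Constructed file with a genuine PNG signature followed by padding.
        (docs / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        before = directory_is_vaccinated(docs)
        created = vaccinate_tree(root)
        after = directory_is_vaccinated(docs)
        return {
            "before": before,                      # False: only a valid image present
            "after": after,                        # True: vaccine file planted
            "created": len(created),               # 2: root and docs
            "real_png_valid": is_valid_image(docs / "photo.png"),
        }


if __name__ == "__main__":
    print(demo())
```

The walk skips directories that already hold an invalid image, so running it twice is harmless, and a real photo with a correct header is left untouched. As the analysts quoted below point out, the protection is tied to one family's current check and holds only until that check is changed, so this is a per-directory nuisance for one strain rather than a substitute for application whitelisting or backups.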

Pieter Arntz, Malware Intelligence researcher at Malwarebytes, told SC Media UK that to protect specifically against Cerber, it could be used, but there are already so many tricks like this (some effective, some not) that can be found on the internet it would be very cumbersome to apply all of them.

“For example, installing a Russian keyboard which helps against some attacks, or having your machine pretend to be a Virtual Machine also helps, in some cases. Applying a lot of these techniques would be more work than whitelisting which programmes are allowed to run which is far more efficient,” he said.

Jamie Moles, security consultant at Lastline, told SC Media UK that tricks like this to 'vaccinate' against malware are not new.

“Back in the early 1990s, MS-DOS computer viruses often used tricks such as setting the 'file created date' of files to something impossible (31st February for example) to stealthily mark them as already infected,” he said. “The problem is that these tricks are not very reliable - interactions with other programs can break them, malware researchers can discover them and none of them have ever lasted as a realistic protection model.”

Chris Doman, security researcher at AlienVault, told SC Media UK, that Cerber skipping folders with invalid images is an interesting piece of malware analysis, but not much help in the real world.

“If the technique became popular, then the attackers would change this check. And there are thousands of variants of ransomware - it's not scalable to apply local tricks to stop each one,” he said. “When "vaccines" for Locky ransomware became public, the malware authors quickly changed their code so the vaccine no longer worked.”

“That said, it's great that Cybereason and other companies are releasing ransomware specific security applications for free.”

Bromium EMEA CTO Fraser Kyne told SC Media UK that as more variants of malware appear that are designed to evade detection, organisations simply can't rely on the same detection-based approach. “Instead, companies should be looking to solutions that don't just try to trick malware, but actually allow it to execute in a completely isolated, secure environment, removing the risk entirely from common attack vectors like malicious documents and zero day exploits.”