Cerber ransomware can now detect virtual machines to prevent analysis

[Danielx64]

One of the most infamous strains of ransomware has evolved, gaining the ability to prevent detection from cybersecurity tools, making it much harder for the malicious software to be analyzed.

The Cerber ransomware was discovered in early 2016. Aside from the typical behavior of encrypting victims' files, the malware also packs a .vbs file, which speaks out its ransom note to further scare those that have been infected.

Furthermore, using a set of assigned Command & Control (C&C) servers, the cybercriminals behind the ransomware have made it possible for almost anyone to distribute Cerber. They earn if they are successful in infecting their victims, with the developer getting 40% of the profit, and the affiliate getting 60%.

Hope someone finds a way to get around the analysis issues.

 

[Amelith Nargothrond]

Hope someone finds a way to get around the analysis issues.

Cerber dudes, we also have the hosts and macrium (or many other). You adapt, we adapt.

 

[Danielx64]

Cerber dudes, we also have the hosts and macrium. You adapt, we adapt.

Of course but not everyone has a second pc

 

[Amelith Nargothrond]

And also, the detection of a vms goes to one line of code. It's a pretty old trick. Not a big deal anyway.

 

[Amelith Nargothrond]

Of course but not everyone has a second pc

That's true unfortunately. But they are not smarter than us, i believe we can defeat this, even though it might take more time to perform an analysis cycle.
For those with PCs, I'm thinking having a second hard drive for this. But this idea, for those with laptops... things might get really annoying...

 

[Amelith Nargothrond]

Or another idea would be a solution like Deep Freeze:

Deep Freeze Standard Download
Computer Restore Software for Windows PCs | Deep Freeze Standard

So they detect this as well?

 

[Danielx64]

Or another idea would be a solution like Deep Freeze:

Deep Freeze Standard Download
Computer Restore Software for Windows PCs | Deep Freeze Standard

So they detect this as well?

Considering that it (deep freeze) uses drivers, anything possible. Great question though!

 

[Amelith Nargothrond]

Considering that it (deep freeze) uses drivers, anything possible. Great question though!

And Deep Freeze has been among us for a very long time, they might have some sorts of detection for this as well. Maybe the other guys from here can answer, i really can't think of a better place to ask

 

[Danielx64]

And Deep Freeze has been among us for a very long time, they might have some sorts of detection for this as well. Maybe the other guys from here can answer, i really can't think of a better place to ask

Indeed, if I recall correctly they been around since the windows 3.1/95 days. Heck I even remember an anti deep freeze software that would disable the thing when you forgot the password

 

[Amelith Nargothrond]

I remember the time when Deep Freeze was used in cybercafes and schools. Mine did use it. It was a pain in the ass occasionally, we did not have UPSs, and you can imagine the frustration of rewriting everything from the beginning after a power outage.

 

[Amelith Nargothrond]

And those were the times when the school used BNC connectors for network connections (that was the standard), but deep freeze was there and it worked

 

[Peter2150]

I've not played with deep freeze, but I routinely use SHadoe Protect. I've considered running Shadowed all the time. Would completely eliminate the need for any anti ransomware software. I ran Goldeneye and a Cerber sample against ShadowDefender. Goldeneye forced a reboot and the system was fine.

When I did a test for a well known vendor against ransomware, I did it on real hardware. All three disks were shadowed, and I let the ransware encrypt everything. Exiting shadow mode and rebooting and I had a clean system.

 

[Handsome Recluse]

Cerber dudes, we also have the hosts and macrium (or many other). You adapt, we adapt.

What about when they can detect Macrium Reflect? Boom! GG.

 

[Amelith Nargothrond]

What about when they can detect Macrium Reflect? Boom! GG.

I think we can uninstall Reflect and clean the registry before running the ransomware (?). Worth a try if they do this

 

[frogboy]

Cerber dudes, we also have the hosts and macrium (or many other). You adapt, we adapt.

Long live Macrium Reflect the saviour to all, or at least it should be.

 

[Solarquest]

Interesting to read Trend article.
Cerber Starts Evading Machine Learning - TrendLabs Security Intelligence Blog
"
The lists below highlight the specific tools and products this software checks for:

Analysis Tools

• Msconfig
• Sandboxes
• Regedit
• Task Manager
• Virtual Machines
• Wireshark

Security vendors

• 360
• AVG
• Bitdefender
• Dr. Web
• Kaspersky
• Norton
• Trend Micro"

 

[Rodney74]

Cerber dudes, we also have the hosts and macrium (or many other). You adapt, we adapt.

"You adapt, we adapt"... REMINDS ME OF.

"Empty your mind, be formless, shapeless like water if you put water in the cup it becomes the cup" ...

 

[Rodney74]

What about when they can detect Macrium Reflect? Boom! GG.

Tough because my Macrium Images are on 2 local drives, and 2 separate detached, external drives.

IF they can touch those 2, they know magic.

 

[Winter Soldier]

Many malware check if they run virtualized or under a debugger, and they act as a result, to make more complex the dynamic analysis, or to deceive the analyst by imitating a non-malicious code, when parsed, and therefore not useful for the analysis.
In our case, it is necessary to understand which functions Cerber uses to detect the VM and if it detects just the VM, or even light virtualization environments such as Shadow Defender.

One clarification, some of the malware just go into sleep mode in the VM, but others look for flaws in the virtualization software/hypervisors, but they are quite rare and it is rare that they are being exploited.

 

[HarborFront]

How about installing snapshot/rollback software on a USB stick? Would this help?