New Cerber Variant Spares Files of Security Programs from Encryption

Bot (thread author), Apr 21, 2016
The Cerber ransomware has been around for quite a while, and many variants are out in the wild, but one in particular, which has been observed over the past few months, contains a function that allows it to avoid encrypting files from any security products on your device. This includes firewalls, antivirus software or antispyware products.

Security researchers over at Trend Micro have identified the new variant as RANSOM_CERBER.F117AK, which they say first appeared online back on January 20. In the days since its discovery, researchers have simply scratched their heads, wondering why it would leave security tools running even after the Cerber ransomware locked the computer.

The regular behavior of malware such as Cerber is to do everything it can to avoid detection or to cripple the antivirus so as not to somehow get removed from the device it infected. Instead, this Cerber variant does the opposite and whitelists the security components on the device.

It goes out of its way to whitelist security files
"The built-in Windows Management Interface (WMI) is “the infrastructure for management data and operations on Windows-based operating systems.” In effect, it is a powerful tool used for (as the name implies) sharing system management information. This frequently includes software, including security products," reads the report from Trend Micro.

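The post above describes the whitelisting step only in prose: the variant asks WMI which security products are registered and then leaves their files alone. The following is an added reconstruction of that step, not Cerber's code and not Trend Micro's. It enumerates the AntiVirusProduct, FirewallProduct and AntiSpywareProduct classes of the root\SecurityCenter2 namespace (real class and property names), takes the directory of each product's executable, and skips any candidate file under one of those directories. The WMI query is replaced by constructed records so it runs offline, the sample file list is constructed, and the assumption that the excluded set is exactly "the directory of pathToSignedProductExe" is mine.

```python
"""Reconstruction of the "whitelist the security products" step described
in the Trend Micro report on this Cerber variant.

Added example; not Cerber's code and not Trend Micro's. The WMI call is
replaced by constructed records so the script runs offline. The class and
property names are the real ones exposed by root\\SecurityCenter2; which
directories Cerber actually excluded is an assumption.
"""
import ntpath

# Constructed stand-in for the three SecurityCenter2 classes. On a live
# Windows host the same data comes from, for example:
#   Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
# Defender registers a pseudo-URL ("windowsdefender://") rather than a file
# path, which is the edge case product_dirs() has to survive.
SECURITY_CENTER2 = {
    "AntiVirusProduct": [
        {"displayName": "Windows Defender",
         "pathToSignedProductExe": "windowsdefender://"},
        {"displayName": "Example AV",
         "pathToSignedProductExe": r"C:\Program Files\ExampleAV\avgui.exe"},
    ],
    "FirewallProduct": [
        {"displayName": "Example Firewall",
         "pathToSignedProductExe": r"C:\Program Files (x86)\ExampleFW\fw.exe"},
    ],
    "AntiSpywareProduct": [
        {"displayName": "Example AV",
         "pathToSignedProductExe": r"C:\Program Files\ExampleAV\avgui.exe"},
    ],
}

# Constructed candidate files, chosen to exercise prefix and case handling.
CANDIDATE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Program Files\ExampleAV\avgui.exe",
    r"C:\Program Files\ExampleAV\defs\sigs.dat",
    r"C:\Program Files\ExampleAVX\notes.txt",        # same prefix, different dir
    r"C:\PROGRAM FILES (X86)\EXAMPLEFW\rules.cfg",   # case differs, still spared
]


def product_dirs(security_center2):
    """Directories holding a registered security product's executable,
    normalised for case-insensitive (NTFS-style) comparison."""
    dirs = set()
    for instances in security_center2.values():
        for inst in instances:
            exe = inst.get("pathToSignedProductExe") or ""
            # Skip entries that are not filesystem paths (no drive or UNC root).
            if not ntpath.splitdrive(exe)[0]:
                continue
            directory = ntpath.dirname(exe)
            if directory:
                dirs.add(ntpath.normcase(directory))
    return dirs


def is_whitelisted(path, dirs):
    """True when `path` is the protected directory or lies beneath it.
    Matching on a whole path component keeps C:\\Program Files\\ExampleAVX
    from being treated as part of C:\\Program Files\\ExampleAV."""
    p = ntpath.normcase(path)
    return any(p == d or p.startswith(d + "\\") for d in dirs)


def plan_encryption(candidates, security_center2):
    """Split candidate files into (encrypt, spared), preserving input order."""
    dirs = product_dirs(security_center2)
    encrypt, spared = [], []
    for f in candidates:
        (spared if is_whitelisted(f, dirs) else encrypt).append(f)
    return encrypt, spared


if __name__ == "__main__":
    to_encrypt, spared = plan_encryption(CANDIDATE_FILES, SECURITY_CENTER2)
    print("protected dirs:", sorted(product_dirs(SECURITY_CENTER2)))
    print("would encrypt:", to_encrypt)
    print("spared:", spared)
```

The same enumeration is a useful check from the defender's side: run the Get-CimInstance query on a host and compare the registered products and their paths with what you believe is installed, since anything missing from SecurityCenter2 would not have been spared either.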

Wave

Probably because the malware authors want to make money, and if they successfully infected the machine then they don't care about the useless security products which have been whitelisted (by "useless" I mean they failed to detect that sample and can't stop it, so the malware authors don't care about causing destruction); they just want the money.

Whether the security product is there or not, as long as it didn't interfere with the encryption process then the malware authors trying to make money won't care about it... it won't do anything. All it can do is remove the sample after a signature update, except that if the malware is cleaned then the user cannot decrypt files by paying the ransom, or they can take the risk and get back the files and then clean the system.

If you see what I mean?

That's the only logical explanation I can think of as for this behavior but yes I agree it's very strange :/

Solarquest (Moderator), Jul 22, 2014
Why make this extra effort to whitelist AV?
Maybe to keep the system protected from other malware while the user pays the ransom money, or to avoid an alert from the AV that another program is trying to end it or to "change" its files... I think the first one is the most probable.... ;)

Wave

Maybe to keep the system protected from other malware while the user pays the ransom money
What a damn good idea, are you the developer? o_O Hahaha :D

avoid an alert from the AV that another program is trying to end it or to "change" its files
I don't know of any AV products which alert when malware tries to tamper with the files? However, most AV products use FltRegisterFilter from kernel-mode, which is used to prevent modifications to the file on disk. Some vendors also map files in the installation directory into memory (even when they aren't being used) to prevent removal, but NTAPI calls can bypass that trick. :)

Wave

If you try e.g. to delete an AV file you get a Windows alert that this is not possible... I thought you might get one too from some AV... ;)
The Windows alert is presented because access to delete the file was denied (STATUS_ACCESS_DENIED); this is generated from the AV device driver from the kernel-mode callback, FltRegisterFilter (for popular AV products). Or, the file is in use, because the AV mapped it into memory even when it wasn't needed to prevent removal (Win32 APIs like DeleteFile cannot remove files being used by other running programs, but NtDeleteFile can). :)

vemn (Level 6), Feb 11, 2017
Maybe it's simply to challenge the vendors: ransomware has reached the stage where I don't even need to evade all of you. I open your eyes and encrypt right in front of you (horror movie).
 