By Marvelous Pelin and Gilbert Sison
CERBER is a ransomware family that has seen its share of unusual features since its appearance early last year. From its use of audio warnings, to the targeting of cloud platforms and databases, to distribution via malvertising, emailed scripting files, and exploit kits, CERBER has always been willing to keep up with the times, as it was. One reason for its apparent popularity may be the fact that it is sold in the Russian underground, giving a wide variety of cybercriminals access to it.
However, we’ve started seeing CERBER variants (which we detect as RANSOM_CERBER.F117AK) add a new wrinkle to their behavior: they have gone out of their way to avoid encrypting security software. How did they do this?
Normally, ransomware’s goal is to encrypt the data on a system and leave the applications intact. Files in folders where applications are typically installed and where the operating system is located are usually whitelisted by ransomware and not encrypted. Only files with specific extensions are encrypted, which normally excludes executable files as well.
The new CERBER variants go above and beyond this by checking if any security products are installed on the system. The built-in Windows Management Interface (WMI) is “the infrastructure for management data and operations on Windows-based operating systems”. In effect, it is a powerful tool used for (as the name implies) sharing system management information. This frequently includes software, including security products.
CERBER queries for the contents of three WMI classes: FirewallProduct, AntiVirusProduct, and AntiSpywareProduct. As the name implies, these are for firewalls, antivirus, and antispyware products. CERBER extracts the directories where these are installed and adds them to the list of whitelisted folders, which are spared from any encryption.
Figures 1 and 2. Code for detecting security products
It’s not clear what the immediate goal of this behavior is. The typical directories for software installation of any kind in Windows are typically already part of the whitelist. Similarly, executable files such as those with .exe or .dll extensions are not targeted for encryption either. For now, it appears that the attackers only want to be triply sure that security software is not encrypted.
Aside from this security software detection, the behavior of these variants is similar to other CERBER variants, with a ransom demand of 1 BTC (approximately US$1,000), which doubles in price to 2 BTC after five days). The infection vectors are also similar.
Figures 3. CERBER ransom demand
Trend Micro Solutions
To address ransomware, reacting to threats as they occur isn’t enough. Strategic planning and a proactive, multilayered approach to security goes a long mile— from the gateway, endpoints, networks, and servers.
Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites, and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files, and spammed messages as well as blocking all related malicious URLs Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.
Trend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and advanced malware.
Trend Micro Ransomware Solutions
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.Network Traffic ScanningMalware SandboxLateral Movement Prevention
Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.Webserver ProtectionVulnerability ShieldingLateral Movement Prevention
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-FreeTM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.Ransomware behavior monitoringIP/Web Reputation
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.IP/Web ReputationRansomware Protection