Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/16/2017
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cerber Fights Anti-Ransomware Tools

Deception technology is the popular ransomware's latest target.

New variants of the popular Cerber ransomware now try to sniff out decoy image files planted on a targeted machine to help thwart the attack.

Researchers at Cybereason spotted the ransomware searching for .bmp, .jpg, .png, and .tiff image files, which are typically used as decoys or "canary files," by Cybereason's free anti-ransomware tool. When these Cerber variants find a phony file, they don't encrypt that directory - an apparent move to evade detection.

A canary file is placed on a machine as a decoy: if a ransomware program encrypts it, that sounds the alarm to the anti-ransomware tool that then shuts it down. This is a form of so-called deception technology, an evolving approach to being more proactive in defense by placing next-generation honeypots in place to fool the bad guys and trigger alerts.

Lawrence Pingree, a research director with Gartner, says deception technology allows enterprises to deceive, obfuscate, and delay an attacker. "You only need one deception to disrupt the kill chain," he said at the recent Gartner Security & Risk Management Summit in Washington, DC.

The new Cerber variants try to detect deception and then evade anti-ransomware steps. "They are actively trying to evade anti-ransomware measures," says Uri Sternfeld, senior security researcher at Cybereason, which offers the free anti-ransomware tool called RansomFree.

"The Cerber samples were the first [ransomware] assigned or that even addressed our technique" of canary files, he says.

They scan the entire hard drive in search of image files, which they test for validity. If they find a phony/canary file, they flag that directory as one not to encrypt in their attack, he says. "Later when they start encrypting files, they simply skip all the directories that contain the invalid [canary] image files," he says.

So Cybereason turned the tables on these crafty Cerber authors. Their free tool now allows a user to create a phony image file in a sensitive directory: they can copy a non-image file to the directory and use an image file extension in order to appear as a canary/decoy. "Cerber will assume that the file is a canary file installed by an anti-ransomware program on the user’s machine and refuse to encrypt it," Cybereason explains in a blog post on the new foil to combat the cagey Cerber variants rooting out the tool.

This isn't the first time Cerber variants have tried security evasion methods: another version of the ransomware earlier this year was found that evades detection by machine learning algorithms. According to researchers at Trend Micro who discovered it, the ransomware splits the stages of the malware into multiple files and then injects them into the running process, Mark Nunnikhoven, vice president of cloud research for Trend Micro, told Dark Reading in March. "This helps to conceal them from various detection methods."

There are multiple Cerber variants and groups behind the ransomware, Sternfeld notes. The anti-ransomware evasion variants are just certain strains of the malware. "Ransomware is evolving much faster than regular malware," he says. "My opinion is that the monetary incentive is much great, so there's more incentive to change and modify ransomware."

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20327
PUBLISHED: 2021-02-25
A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node....
CVE-2021-20328
PUBLISHED: 2021-02-25
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in inte...
CVE-2020-27543
PUBLISHED: 2021-02-25
The restify-paginate package 0.0.5 for Node.js allows remote attackers to cause a Denial-of-Service by omitting the HTTP Host header. A Restify-based web service would crash with an uncaught exception.
CVE-2020-23534
PUBLISHED: 2021-02-25
A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.
CVE-2021-27330
PUBLISHED: 2021-02-25
Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.