Cerber ransomware takes special care not to encrypt security product files

Sometimes, computer criminals are extra-extra careful, too.

David bisson
David Bisson

Cerber ransomware wants to take special care that it isn't encrypting security product files

Cerber’s developers want to infect your computer with ransomware. But they also don’t want to trigger a security alert that could interfere with their attempt to extort money from you.

Traditionally, a ransomware sample encrypts only data that’s stored on the system. It generally avoids encrypting executable files and folders for applications like security software.

Why is this so?

Sign up to our free newsletter.
Security news, advice, and tips.

If a crucial application or operating system doesn’t load, the computer might not be able to boot properly. This means that victims who suffer an infection from a regular file encrypter (and not something like Petya that encrypts an infected machine’s Master Boot Record) can’t gain access to the ransom note and, by extension, pay the criminals. Alternatively, messing with a critical application could cause some security software to issue an alert.

Those who maintain Cerber, the “ransomware that speaks” which has already attracted the attention of spammers, wanna-be computer criminals, and potentially other ransomware developers, don’t want to raise any red flags.

Perhaps most critically, they also want to make sure they get paid.

To address this desire, they’ve outfitted their creation with a new feature that looks for three classes of security software (“FirewallProduct,” “AntiVirusProduct,” and “AntiSpywareProduct”) in a computer’s Windows Management Interface (WMI), or the part of the computer that specifies system management sharing information for programs like anti-virus programs. The ransomware extracts these directories and then adds them to its allow-listed folders.

Cerber detection 1

Cerber detection 2
Cerber’s code for detecting security products. (Source: Trend Micro)

Clearly, the computer criminals want to be cautious. Even so, Trend Micro’s researchers don’t see a need for this level of care. As they explain in a blog post:

“It’s not clear what the immediate goal of this behavior is. The typical directories for software installation of any kind in Windows are typically already part of the whitelist. Similarly, executable files such as those with .exe or .dll extensions are not targeted for encryption either. For now, it appears that the attackers only want to be triply sure that security software is not encrypted.”

As in other samples, this newest variant demands one Bitcoin (approximately $1,000) from its victims. This ransom doubles in value if the victim doesn’t pay after five days.

Cerber ransom message

Given the ongoing evolution of ransomware like Cerber, it’s important that users back up their files, update their systems regularly, and maintain a security solution on their computers.

They should also learn what they should do if they ever suffer a ransomware infection.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.