Cerber’s developers want to infect your computer with ransomware. But they also don’t want to trigger a security alert that could interfere with their attempt to extort money from you.
Traditionally, a ransomware sample encrypts only the data files stored on a system: documents, images, databases and the like. It generally leaves executable files alone, along with the program folders of applications such as security software.
Why is this so?
If a crucial application or the operating system itself fails to load, the computer may not boot properly. A victim of a regular file encrypter (as opposed to something like Petya, which replaces an infected machine's Master Boot Record with its own boot code) then can't reach the ransom note and, by extension, can't pay the criminals. Alternatively, tampering with a critical application could cause some security software to raise an alert.
Those who maintain Cerber, the “ransomware that speaks” which has already attracted the attention of spammers, would-be computer criminals, and potentially other ransomware developers, don’t want to raise any red flags.
Perhaps most critically, they also want to make sure they get paid.
To address this desire, they’ve outfitted their creation with a new feature that uses Windows Management Instrumentation (WMI), the Windows infrastructure through which programs such as anti-virus products register and expose their management information, to look for three classes of security software: “FirewallProduct,” “AntiVirusProduct,” and “AntiSpywareProduct.” For each registered product, the ransomware reads the path of its installed executable, takes the directory that contains it, and adds that directory to the list of folders it will not encrypt.
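The following PowerShell snippet is an added example, not code from Cerber or from Trend Micro's analysis, reproducing the lookup described above from the defender's side: it queries the same three Security Center classes and derives the directories a sample using this technique would end up allow-listing. It assumes the root\SecurityCenter2 namespace (Windows Vista and later; Windows XP used root\SecurityCenter) and the pathToSignedProductExe property that registered products expose there; neither is named on this page.

```powershell
# Added example: enumerate the Security Center product classes that the
# article says Cerber queries, and derive the install directories that a
# sample using this technique would add to its encryption whitelist.
# Assumptions (not from the article): namespace root\SecurityCenter2 and
# the pathToSignedProductExe property on each product instance.

$classes   = 'FirewallProduct', 'AntiVirusProduct', 'AntiSpywareProduct'
$namespace = 'root\SecurityCenter2'
$whitelist = @()

foreach ($class in $classes) {
    # The class may be absent (e.g. no third-party firewall registered), so
    # suppress the error and simply move on to the next class.
    $products = Get-CimInstance -Namespace $namespace -ClassName $class -ErrorAction SilentlyContinue

    foreach ($p in $products) {
        $exe = $p.pathToSignedProductExe
        if ([string]::IsNullOrWhiteSpace($exe)) { continue }

        # Some vendors register the path quoted or with %ProgramFiles%-style
        # variables; normalise before taking the parent directory.
        $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))

        # Edge case: recent Windows Defender builds register a URI such as
        # "windowsdefender://" rather than a file system path. Skip anything
        # that does not look like a drive-letter path.
        if ($exe -notmatch '^[A-Za-z]:\\') { continue }

        $whitelist += [pscustomobject]@{
            Class     = $class
            Product   = $p.displayName
            Directory = Split-Path -Path $exe -Parent
        }
    }
}

# One row per directory: this is the set of folders the technique protects.
$whitelist | Sort-Object Directory -Unique | Format-Table -AutoSize
```

No administrative rights are needed: these classes are readable by a standard user, which is exactly why they are attractive to malware. Enumerating root\SecurityCenter2 to discover installed security products is a common reconnaissance step across many malware families, so a non-security process issuing this query is a reasonable thing to look for in WMI activity logging or EDR telemetry, independent of what the process then does with the result.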
Clearly, the computer criminals want to be cautious. Even so, Trend Micro’s researchers don’t see an obvious reason for this extra step. As they explain in a blog post:
“It’s not clear what the immediate goal of this behavior is. The typical directories for software installation of any kind in Windows are typically already part of the whitelist. Similarly, executable files such as those with .exe or .dll extensions are not targeted for encryption either. For now, it appears that the attackers only want to be triply sure that security software is not encrypted.”
As in other samples, this newest variant demands one Bitcoin (approximately $1,000 at the time) from its victims, a sum that doubles if the victim hasn’t paid within five days.
Given the ongoing evolution of ransomware like Cerber, users should back up their files (keeping at least one copy offline, where a file encrypter can’t reach it), apply updates regularly, and run a security solution on their computers.
They should also know in advance what to do if they ever suffer a ransomware infection.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.