One of the most infamous strains of ransomware has evolved, gaining the ability to prevent detection from cybersecurity tools, making it much harder for the malicious software to be analyzed.
The Cerber ransomware was discovered in early 2016. Aside from the typical behavior of encrypting victims' files, the malware also packs a .vbs file, which speaks out its ransom note to further scare those that have been infected.
Furthermore, using a set of assigned Command & Control (C&C) servers, the cybercriminals behind the ransomware have made it possible for almost anyone to distribute Cerber. They earn if they are successful in infecting their victims, with the developer getting 40% of the profit, and the affiliate getting 60%.
Typical ransomware usually arrive via a malicious-looking email, which contains an attachment or link to a malicious website. The new version of Cerber ransomware however, according to Trend Micro, will now entice you to open a Dropbox link that is controlled by the hacker. As soon as this is opened, the Cerber payload will automatically be downloaded and extracted, without any user interaction.
To be able to evade detection, the ransomware now checks if it is running on a virtual machine. This is because cybersecurity researchers typically analyze malware code through sandboxes, so that it will not be able to spread to other systems. If Cerber detects that it is being operated on a virtual environment, it will stop running.
"The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches–i.e, methods that analyze a file without any execution or emulation," says Gilbert Sison of Trend Micro. He further explains:
Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection. For every new malware detection technique, an equivalent evasion technique is created out of necessity.
The blog post by Trend Micro notes that ransomware threats will always try to find a way to get around solutions by researchers to crack their malware. The company suggests a "proactive, multi-layered approach to security," from gateways, endpoints, networks and servers.
At this point, while we may not know when we will be the next victim of a ransomware like Cerber, it pays to have updated security software, and to be careful of where we go when surfing the web, in order to stay protected, as malicious software evolves every day.