We have recently discovered some variants of the Cerber ransomware which actively look for canary files and try to evade them, as a technique to bypass anti-ransomware technologies that use canary files. Our team created a “fix” that makes sure RansomFree and the Cybereason platform are effectively protecting against these variants.
Like any ransomware program, Cerber’s goal is to quickly encrypt files that matter to users. But Canary files interfere with that mission. These bogus files, which anti-ransomware programs place on machines, are meant to be encrypted and alert the anti-ransomware program that an attack is occurring.
To avoid encrypting canary files and triggering anti-ransomware programs, a new feature in Cerber now searches computers for any image file (.png, .bmp, .tiff, .jpg, etc.) and checks whether they are valid. Image files are commonly used as canary files. If a malformed image is found, Cerber skips the entire directory in which it is located and does not encrypt it.
While this trick might allow Cerber to evade some canary-file anti-ransomware solutions, it also makes it vulnerable - a user can “fix” any important directory against Cerber by creating an invalid image file inside it, for example by copying any non-image file to this directory and renaming it to .jpg. Cerber will assume that the file is a canary file installed by an anti-ransomware program on the user’s machine and refuse to encrypt it!
Check out the video below to see this “vaccine” in action. You’ll see Cerber running on a machine with two, nearly identical directories full of files that ransomware would typically encrypt. The only difference is that one directory contains a bogus .jpg file. As a result, Cerber does not encrypt this directory.
You may find samples of the relevant Cerber variants in the following links: