Cerber is a ransomware infection with many faces. New variants of the program have been surfacing regularly after the first build came out in early 2016. Over the course of the past year, the virus has terrorized computer users with different attack patterns. We have seen the program “talk” to its victims via audio recordings, encrypt their cloud storage archives and databases, and switch propagation vectors on several occasions. Cerber has been distributed through malvertising campaigns, script files, and exploit kits.
The success rate of Cerber can be attributed to how easy it is to obtain. The ransomware is sold on Russian darknet markets, which means that many different people can use and spread the virus. Keeping the program up to date makes it difficult for security software to detect and harder to combat in general.
Up to this point, the strategies of Cerber have had a clear purpose. The latest build has puzzled experts with a peculiar function. This version of Cerber is detected as RANSOM_CERBER.F117AK. It has been set to exclude security software from encryption.
This is the only special characteristic of the new build of Cerber. Other than that, the ransomware has the same technical specifications and exhibits the same behavior. The virus demands a ransom of 1 BTC, which doubles if the victim does not pay within five days. It has retained its propagation vectors.
Exempting certain objects from encryption is normal. Ransomware programs usually whitelist the folders containing system data and applications. With the targeted formats, the opposite method is applied: rather than listing the file formats which are excluded from encryption, the virus compiles a list of the file types which are scheduled to be encrypted. In most cases, executable files are not subjected to encryption.
The latest variant of Cerber checks the contents of three Windows Management Instrumentation classes: FirewallProduct, AntiVirusProduct, and AntiSpywareProduct. The purpose of these scans is to look for all instances of security software. Windows Management Instrumentation (WMI) is “the infrastructure for management data and operations on Windows-based operating systems”. It is a core component through which system management information is shared, and that information often includes details about installed programs.
Cerber extracts the directories where firewalls, anti-virus, and anti-spyware products are installed. It adds them to the whitelist, excluding them from encryption.
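The following PowerShell snippet is an added example, not code from the article or from the malware: it lets an administrator see exactly what the three classes named above expose on a host, so the registered products and the directories that could be derived from them can be audited. It assumes the classes live in the root/SecurityCenter2 namespace (where Windows Vista and later publish them; the article does not name the namespace) and that each instance carries the displayName and pathToSignedProductExe properties.

```powershell
# Added example (not part of the original article): list the security products
# that Windows registers in the three Security Center classes named in the text.
# Assumption: the classes are found under root/SecurityCenter2, which is where
# Windows Vista and later expose them.
$namespace = 'root/SecurityCenter2'
$classes   = 'FirewallProduct', 'AntiVirusProduct', 'AntiSpywareProduct'

function Get-RegisteredSecurityProduct {
    foreach ($class in $classes) {
        # A class with no registered product simply returns nothing, so suppress
        # the error rather than abort the whole inventory.
        Get-CimInstance -Namespace $namespace -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $exe = $_.pathToSignedProductExe
                # Some built-in entries (for example Windows Defender) report a
                # URI scheme instead of a file path; only a real drive path yields
                # an installation directory.
                $dir = if ($exe -match '^[A-Za-z]:\\') { Split-Path -Parent $exe } else { $null }
                [pscustomobject]@{
                    Class     = $class
                    Product   = $_.displayName
                    ProductExe = $exe
                    InstallDir = $dir
                }
            }
    }
}

# Print the inventory; InstallDir is the value a defender should expect to see
# in a whitelist derived from these classes, and a blank InstallDir marks an
# entry that yields no filesystem location at all.
Get-RegisteredSecurityProduct | Format-Table -AutoSize
```

Comparing this output against the products you expect to be installed is a quick sanity check that the Security Center registration matches reality; a product that is installed but absent here would not be treated any differently from other software by a whitelist built this way. WMI queries themselves leave little trace in the default event logs, so if you want visibility into which processes read these classes you will need WMI activity tracing or an endpoint agent that records WMI query activity.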
The decision not to encrypt security tools is not unusual. Experts are puzzled that Cerber bothers to do these extensive checks. The directories for storing software are generally included in the whitelist anyway. In the same sense, .exe and .dll files which are associated with security programs are not in the encryption list. All we know at this point is that Cerber makes sure to omit security tools when performing the encryption. The reasoning behind this is yet to be determined.