Cerber Ransomware Added a Feature for Avoiding Triggering Canary Files

Security experts from Cybereason have found a new type of the Cerber ransomware which includes a feature for avoiding canary files anti-malware.

The so called “canary files” are known as security measure for detecting types of threats like ransomware.

The canary files are situated in specific positions of systems where an anti-ransomware application watches for any modifications. In case the watching anti-ransomware app detects any attempt for encrypting the files, the defense solution triggers the necessary countermeasures immediately.

The Cybereason experts have recently found a new variant of the Cerber ransomware which includes a new feature for avoiding triggering canary files.

“To avoid encrypting canary files and triggering anti-ransomware programs,” Uri Sternfield, Cybereason’s lead researcher, said, “a new feature in Cerber now searches computers for any image file (.png, .bmp, .tiff, .jpg, etc.) and checks whether they are valid. Image files are commonly used as canary files. If a malformed image is found, Cerber skips the entire directory in which it is located and does not encrypt it.”

Thanks to the above-mentioned technique, the Cerber ransomware is capable of evading detection based on canary files.

According to security researchers, users can place false modified canary files ( i.e.malformed image file) in any important directory of the system in order to keep safe all folders containing valuable content.

“While this trick might allow Cerber to evade some canary-file anti-ransomware solutions, it also makes it vulnerable,” explains Sternfield; “a user can ‘vaccinate’ any important directory against Cerber by creating an invalid image file inside it, for example by copying any non-image file to this directory and renaming it to .jpg. Cerber will assume that the file is a canary file installed by an anti-ransomware program on the user’s machine and refuse to encrypt it!”

A free application called RansomFree, has been developed by Cybereason, in order to protect users from ransomware and automatically generate canary files in valuable folders. Besides, it’s not hard to create malformed canary files by renaming non-image file to jpeg, for instance.

“Simply take any non-image file and rename it to .jpg, then copy this file into any folder which holds important documents. This has to be performed for each folder separately,” Sternfield said.

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.