Cybereason finds vaccine for Cerber ransomware

Uri Sternfeld, Lead Researcher, Cybereason
Uri Sternfeld, Lead Researcher, Cybereason

Is there a defence against Cerber ransomware? Security vendor Cybereason says yes. It has identified a flaw in the way Cerber protects itself from security software. That flaw, according to a blog by Uri Sternfeld, Lead Researcher, Cybereason is something companies can easily exploit themselves.

According to Sternfeld: “To avoid encrypting canary files and triggering anti-ransomware programs, a new feature in Cerber now searches computers for any image file (.png, .bmp, .tiff, .jpg, etc.) and checks whether they are valid. Image files are commonly used as canary files. If a malformed image is found, Cerber skips the entire directory in which it is located and does not encrypt it.”

What is a canary file?

A canary file is used to fool malware and trigger defensive systems. It works on the same principle as a miner’s canary. Miners used to take canary’s underground with them to help detect the build-up of dangerous gas. If the canary died the miners knew there was a problem and left the mine.

In cybersecurity terms, the placing of a dummy file or folder to fool ransomware or other malware is a canary file. The security software monitors the directory. If it sees files being encrypted then it immediately kills the encryption process. It also alerts security and IT teams to the attack. This allows them to clean directories.

An increasing number of security vendors now use canary files as part of their defence. Cybereason has their own solution called RansomFree.

How can I exploit this new Cerber feature?

Sternfeld says: “a user can ‘vaccinate’ any important directory against Cerber by creating an invalid image file inside it, for example by copying any non-image file to this directory and renaming it to .jpg. Cerber will assume that the file is a canary file installed by an anti-ransomware program on the users machine and refuse to encrypt it!”

As simple as this is it requires both users and IT teams to work together to protect data. IT will have to create a script to identify every directory on their servers and copy the file into each. They may well want to use different filenames. This is because it is likely that the next Cerber update will look for false canary files. The same malformed file in hundreds of directories would be fairly easy to spot.

Users need to think about where they store data and do the same on their own devices.

What does this mean?

This does not mean that Cerber will go away. Additionally it does not mean users and IT security teams can relax. Cerber and other ransomware are here to stay and the chances of getting caught out will slowly increase over time. Everyone needs to continue taking precautions to protect data. That includes using canary files, security software and basic email and file hygiene.

The latter includes not clicking on links in email. It also means paying attention to what sites are visited and unexpected requests to download files.


Please enter your comment!
Please enter your name here