Research into the Cerber ransomware from a few years ago shows that computer users were trying to turn the malware's own behaviour against it, creating a sort of 'vaccine' against infection.
A video by Cybereason of a recent study into Cerber, one of the more prevalent and persistent malware families since it became widespread over two years ago, revealed undocumented behaviour in some existing strains of Cerber.
Before encrypting, Cerber searched the infected computer for image files (.png, .bmp, .tiff, .jpg and so on) and checked whether each one was a valid file.
If an image file was found to be corrupted or malformed, Cerber skipped the entire directory containing the broken file, leaving that directory unencrypted.
Using this behaviour, people were deliberately placing 'malformed' image files into directories to trick the ransomware into skipping the whole directory: in other words, a user could "vaccinate" any important directory against Cerber by creating an invalid image file inside it.
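To make the directory-skip logic concrete, here is an added simulation (not code from ESET, Cybereason or the malware itself). The page does not say how Cerber decided that an image was "valid", so the check below is an assumption: it compares the first bytes of each image against a known header signature for its extension. The walker is likewise an assumed model of the behaviour described above: any malformed image in a directory causes that whole directory to be skipped, and everything in a non-skipped directory is treated as "would be encrypted" (the real malware's file-type targeting is not covered on this page). The `demo()` function builds a constructed two-directory tree, vaccinates one directory and runs the walker over it. Note that this only shows the mechanism as described; it says nothing about whether a given Cerber build still behaves this way, which is exactly the point ESET raise below.

```python
"""Simulation of the Cerber 'vaccine' trick (added example, not the page's own code).

Assumptions, labelled as such: the validity test is a magic-byte header check
(the real check is undocumented on the page), and every file in a directory
that is not skipped is treated as "would be encrypted".
"""
import os
import tempfile
from pathlib import Path

# Image extensions the page lists as probed by the malware (".tif"/".jpeg" added as aliases).
IMAGE_EXTS = {".png", ".bmp", ".tiff", ".tif", ".jpg", ".jpeg"}

# Assumed header signatures used for the validity test (standard file magic).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
    ".tiff": (b"II*\x00", b"MM\x00*"),
    ".tif": (b"II*\x00", b"MM\x00*"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def is_valid_image(path: Path) -> bool:
    """Return True if the file's leading bytes match a known signature for its extension."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return False
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    return any(head.startswith(sig) for sig in sigs)


def vaccinate(directory: Path, name: str = "vaccine.png") -> Path:
    """Drop a deliberately malformed image into `directory` (the trick described above)."""
    marker = directory / name
    marker.write_bytes(b"\x00" * 64)  # 64 zero bytes: not a PNG header, so is_valid_image() fails
    return marker


def simulate_cerber_walk(root: Path) -> dict:
    """Walk `root` as the page describes: any malformed image => skip that directory entirely."""
    result = {"encrypted": [], "skipped_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        images = [here / f for f in files if Path(f).suffix.lower() in IMAGE_EXTS]
        if any(not is_valid_image(p) for p in images):
            result["skipped_dirs"].append(here.relative_to(root).as_posix())
            continue  # directory left untouched
        result["encrypted"].extend((here / f).relative_to(root).as_posix() for f in files)
    return result


def demo() -> dict:
    """Build a constructed sample tree, vaccinate one directory, and run the simulated walker."""
    root = Path(tempfile.mkdtemp(prefix="cerber_vaccine_"))
    for sub in ("photos", "documents"):
        d = root / sub
        d.mkdir()
        (d / "real.png").write_bytes(MAGIC[".png"][0] + b"\x00" * 32)  # well-formed header
        (d / "notes.txt").write_text("constructed sample data\n")
    vaccinate(root / "documents")  # only this directory gets the marker
    return simulate_cerber_walk(root)


if __name__ == "__main__":
    print(demo())
```

Running the script shows `photos/real.png` and `photos/notes.txt` in the "encrypted" list and `documents` in the skipped list, because the zero-filled `vaccine.png` fails the header check. Swapping `is_valid_image()` for a stricter parser (or removing the skip entirely, as a patched strain would) is a one-line change, which is why a defence that relies on a single quirk of the malware is fragile.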
Mark James, ESET IT Security Specialist, and Ondrej Kubovič, ESET IT Security Awareness Specialist, explain the consequences of relying on this 'vaccine' method of protection against the ransomware, and offer their expert advice on the best prevention tactics to avoid ransomware attacks and potential threat vectors for both consumers and businesses.
“ESET experts have tried to replicate the experiment from the video – using the same variant and version of Cerber, based on the hash provided, but always with a negative outcome.
“All the tested files ended up encrypted. It is important to note that the sample provided in the video was of an older date, it was from 13th of April 2017, so it is possible that the vaccination may have worked at that time and may have been fixed later.
“It is very common for malware creators, such as Cerber ransomware, to react quickly and “patch” glitches after they become public. This case is probably no exception. Therefore, even if this vaccination was effective at some point, chances are low it remained that way.
“The only proper way businesses as well as regular users can stay protected from ransomware is prevention.
“Keeping your operating systems and all applications as up to date as possible will help with this.
“Exploits and vulnerabilities exist in so much software, and by not patching you are literally giving the bad guys a wild card and free rein.
“Install a good, regularly updating multi-layered security product and the most important security feature without a doubt is a good point in time backup that is stored offsite! For the backup to be successful it needs to be tested both for integrity and the ability to complete a full restore.
Mark and Ondrej’s top tips on enhancing defence:
1. Organisations should secure their network from attackers by turning off unnecessary services on their servers
2. Scan your network for risky accounts using weak passwords
3. Limit or ban use of Remote Desktop Protocol (RDP) from outside of the network (or prohibit RDP at least for the devices that don’t necessarily need it)
4. Start using a VPN
5. Review settings of your firewall
6. Review policies for traffic between internal and outside network (internet)
7. Set up a password in the configuration of your security solution to protect it from the possibility of being turned off by the ransomware operator (or attacker in general)
8. Regularly train employees to recognise social engineering techniques and possibly infected items in their emails and online