CERBER Changes Course, Triple Checks for Security Software

By Marvelous Pelin and Gilbert Sison

CERBER is a ransomware family that has seen its share of unusual features since its appearance early last year. From its use of audio warnings, to the targeting of cloud platforms and databases, to distribution via malvertisingemailed scripting files, and exploit kits, CERBER has always been willing to keep up with the times, as it was. One reason for its apparent popularity may be the fact that it is sold in the Russian underground, giving a wide variety of cybercriminals access to it.

However, we’ve started seeing CERBER variants (which we detect as RANSOM_CERBER.F117AK) add a new wrinkle to their behavior: they have gone out of their way to avoid encrypting security software. How did they do this?

Normally, ransomware’s goal is to encrypt the data on a system and leave the applications intact. Files in folders where applications are typically installed and where the operating system is located are usually whitelisted by ransomware and not encrypted. Only files with specific extensions are encrypted, which normally excludes executable files as well.

The new CERBER variants go above and beyond this by checking if any security products are installed on the system. The built-in Windows Management Interface (WMI) is “the infrastructure for management data and operations on Windows-based operating systems”. In effect, it is a powerful tool used for (as the name implies) sharing system management information. This frequently includes software, including security products.

CERBER queries for the contents of three WMI classes: FirewallProduct, AntiVirusProduct, and AntiSpywareProduct. As the name implies, these are for firewalls, antivirus, and antispyware products. CERBER extracts the directories where these are installed and adds them to the list of whitelisted folders, which are spared from any encryption.

Figures 1 and 2. Code for detecting security products

It’s not clear what the immediate goal of this behavior is. The typical directories for software installation of any kind in Windows are typically already part of the whitelist. Similarly, executable files such as those with .exe or .dll extensions are not targeted for encryption either. For now, it appears that the attackers only want to be triply sure that security software is not encrypted.

Aside from this security software detection, the behavior of these variants is similar to other CERBER variants, with a ransom demand of 1 BTC (approximately US$1,000), which doubles in price to 2 BTC after five days). The infection vectors are also similar.

Figures 3. CERBER ransom demand

Trend Micro Solutions

To address ransomware, reacting to threats as they occur isn’t enough. Strategic planning and a proactive, multilayered approach to security goes a long mile— from the gateway, endpoints, networks, and servers.

Trend Micro endpoint solutions such as Trend MicroSmart Protection Suites, and Worry-FreeBusiness Security can protect users and businesses from these threats by detecting malicious files, and spammed messages as well as blocking all related malicious URLs Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.

Trend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and advanced malware.

Trend Micro Ransomware Solutions


  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention


  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

CERBER Changes Course, Triple Checks for Security Software

Read more: CERBER Changes Course, Triple Checks for Security Software

Story added 15. February 2017, content source with full text you can find at link above.