February 16, 2017
A variant of the Cerber ransomware spotted in the wild in the past month contains a function that searches for locally-installed security products and avoids encrypting their files, so firewalls, antivirus or antispyware products can continue working even after Cerber has locked the computer.
Discovered by Trend Micro researchers and detected as RANSOM_CERBER.F117AK, this Cerber variant first popped up online on January 20 and has baffled researchers ever since, as no one could explain why it left security products up and running.
Normally, you'd see malware do whatever it could to avoid or cripple antivirus software. This was not the case with this Cerber variant, which contained code specifically written to whitelist security products, something not seen in previous Cerber variants.
Cerber whitelisting code (Trend Micro)
Based on an analysis by Trend Micro's researchers, this Cerber variant used Windows Management Instrumentation (WMI) to query the infected computer for three classes of software: FirewallProduct, AntiVirusProduct, and AntiSpywareProduct.
Cerber would then list all software products included in these classes and add them to its whitelist, meaning the ransomware would not encrypt their files, leaving the programs operational even after the Cerber infection hit.
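The same three Security Center classes are what an administrator queries to verify which protection products Windows actually has registered. The script below is an added example, not code from the article or from Trend Micro's analysis; it assumes a Windows client edition (the root\SecurityCenter2 namespace is absent on Windows Server, which the script reports rather than crashes on), and the productState bit decoding is the commonly used interpretation of an undocumented field, not an official definition.

```powershell
# Added example: inventory what Windows Security Center reports, using the
# same three WMI classes the Cerber variant queried. Assumes a Windows 7+
# client edition; root\SecurityCenter2 does not exist on Windows Server.
$namespace = 'root\SecurityCenter2'
$classes   = 'FirewallProduct', 'AntiVirusProduct', 'AntiSpywareProduct'

function Get-SecurityCenterProducts {
    [CmdletBinding()]
    param(
        [string[]]$ClassName = $classes,
        [string]$Namespace   = $namespace
    )

    foreach ($class in $ClassName) {
        try {
            $items = Get-CimInstance -Namespace $Namespace -ClassName $class -ErrorAction Stop
        } catch {
            # Missing namespace (Server editions) or WMI repository problems land here.
            Write-Warning "Cannot query ${Namespace}:${class} - $($_.Exception.Message)"
            continue
        }
        foreach ($p in $items) {
            [pscustomobject]@{
                Class        = $class
                DisplayName  = $p.displayName
                # This is the path the ransomware variant would have whitelisted;
                # note it normally sits under Program Files and ends in .exe,
                # so it was already covered by Cerber's existing exclusions.
                ProductExe   = $p.pathToSignedProductExe
                ReportingExe = $p.pathToSignedReportingExe
                # productState is an undocumented bitfield. Treating bit 0x1000
                # as "enabled" is the interpretation admins commonly use; it is
                # an assumption, not a documented contract.
                StateHex     = ('0x{0:X6}' -f [int]$p.productState)
                Enabled      = (([int]$p.productState -band 0x1000) -ne 0)
                Timestamp    = $p.timestamp
            }
        }
    }
}

Get-SecurityCenterProducts | Format-Table -AutoSize
```

Running this on a machine with no AntiVirusProduct instance, or one whose Enabled column is false, is the quick way to confirm that Security Center sees no working product, which MalwareHunter's remark about most victims applies to.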
Both Trend Micro and security researcher MalwareHunter, whom Bleeping Computer reached out to for an additional opinion, point out that this behavior is most likely useless, as Cerber already whitelists EXE files, DLL files, and applications installed in the Program Files folder.
"I can imagine it's because AVs would not like if something changes files in their own folders," MalwareHunter said, "but most Cerber victims either have no AV, or if they have, it is not something good."
Are the Cerber authors taunting security vendors?
Is this "feature" some sort of irony on behalf of Cerber's crew? Did they want to show that Cerber can encrypt files right under your antivirus' nose? We don't know, but it's very likely.
On the other hand, what we know is that only one Cerber variant included this behavior. Knowing that Cerber is offered for rent on underground cybercrime forums, this is most likely not a feature of the main Cerber family but an offshoot modified by someone who rented the ransomware.
The rest of Cerber's behavior is normal, with the same ransom demand, the same wallpapers, the same ransom note, and the same file and folders whitelist, which includes operating system files and browsers.