Cerber now kind to canaries

Cybereason: Researchers at Cybereason have discovered a new strain of the Cerber ransomware that implements a new feature to avoid triggering canary files.

Apparently this strain of Cerber assumes that any malformed image file is a ‘canary’ file (a variation on the old idea of a goat file) and avoids encrypting it or any other file in the directory in which it’s found.

A goat file can be used to facilitate detection and/or analysis of a virus when it has been infected, by analogy with a ‘sacrificial goat’.

A canary file is intended to act like ‘a canary in a coal mine’, giving early warning of an attempt by ransomware to encrypt files, by analogy with a canary dropping unconscious or dead at the first hint of dangerous gases such as carbon monoxide.

Since it’s rather easy to generate a ‘malformed image file’, it’s been suggested that people do so to help protect folders containing valuable files. I suspect, however, that the Cerber gang (and other malefactors) have already twigged that one, so I certainly wouldn’t rely on such a strategy.

David Harley

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.