One of the most dangerous forms of ransomware has just evolved to be harder to spot

Malicious loaders delivered by self-extracting Dropbox files enable payloads to bypass detection.
Written by Danny Palmer, Senior Writer

Cerber is one of the most common forms of ransomware.

Image: Check Point

One of the most common forms of ransomware is evolving a new technique in order to become even more effective and harder to detect: the ability to evade detection by cybersecurity tools which use machine learning to identify threats.

Rather than relying on specifically identified signatures of known threats, some cybersecurity defences employ machine learning in an effort to detect previously unknown malware and the methods used to deliver them to unsuspecting victims.

The Cerber family of ransomware is already one of the most successful variants of file-encrypting malware, at least partially thanks to its malicious authors spreading it by offering the code to anyone who wants it for a cut of the ill-gotten profits. Now those behind it are using new tactics in an effort to stay ahead of the game.

Identified by Trend Micro, the new Cerber variant is, like most ransomware, delivered by a malicious phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload.

However, in order to evade detection and monitoring by cybersecurity researchers, this version of Cerber will check to see if it's running on a virtual machine, sandbox, or if certain products are running on the machine -- and if it spots any of these, it'll stop running. Why? Because it's in the best interests of the criminals behind it that their code doesn't get analysed.

It's because of this that the actors behind Cerber have gone to the trouble of repackaging the delivery method and loader in order to get around cybersecurity products which can detect malicious files based on features instead of signatures.

But by deploying a self-extracting mechanism, it's possible for the file to not look malicious, even to machine learning tools.

"Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either," says a Trend Micro blog post about the Cerber update.

Ultimately, when a new way to detect malware arrives, cybercriminals do all they can to get around it so they can continue to deliver payloads.

The best way to ensure networks are protected against sophisitcated threats, says Trend Micro, is not to rely on just one single layer of defence. "Threats will always try to get around the latest solutions, and users should avoid relying on any single approach to security. A proactive, multilayered approach to security is more effective -- from the gateway, endpoints, networks, and servers," it explains.

The researchers also provided a list of malicious Dropbox URLs to the cloud storage provider's security team. The links are no longer active and Dropbox has banned the accounts involved.

Ransomware has fast become one of the biggest menaces on the internet -- but there's plenty you can do to protect against it.


Editorial standards