New Cerber Ransomware Underscores Need for Deep Content Inspection


There’s been a lot of news lately about a new variant of Cerber ransomware that evades malware detection products that rely on static machine learning. Like other forms of advanced malware, Cerber’s evasion tactics continue to evolve. 


Cerber Ransomware Enhanced

Cerber, one of the most prevalent and damaging forms of ransomware to date, if not the most, has recently been enhanced. The new version includes two additional evasion tactics. The first avoids detection by machine learning tools that rely solely on static analysis. These tools examine an object without executing it, looking for known malicious structures and content within the file.

Evasion Tactics

The new Cerber ransomware variant makes this difficult because it uses self-extracting files that, in this case, don’t have any visible malicious structures or content. The malicious payload is hidden inside a binary file that looks like an ordinary configuration file. Malware detection products that don’t actually execute Cerber will not detect the malicious code hidden in the purported configuration file. Because they perform only a static analysis of Cerber, they will not see anything malicious.
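A static triage check for the first tactic, as an added example that is not from the original post or from Lastline: it flags an unpacked archive member that carries a configuration-file extension but contains near-random binary data, so the sample can be routed to dynamic analysis. The extension list, thresholds and sample bytes are constructed assumptions, including the assumption that the hidden payload is encrypted or compressed.

```python
import hashlib
import math
import os
from collections import Counter

# Assumed list of extensions a dropper could borrow to pass as configuration data.
CONFIG_EXTS = {".ini", ".cfg", ".conf", ".json", ".xml", ".yaml", ".yml"}
ENTROPY_MIN = 7.0     # bits per byte; assumed cut-off (encrypted/compressed data nears 8.0)
PRINTABLE_MIN = 0.90  # assumed: genuine text configuration is almost all printable bytes

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 1.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def triage(name: str, data: bytes) -> str:
    """Classify one unpacked archive member by name and content."""
    if os.path.splitext(name)[1].lower() not in CONFIG_EXTS:
        return "not-config"
    if printable_ratio(data) >= PRINTABLE_MIN:
        return "pass"        # looks like the text file its name claims to be
    if shannon_entropy(data) >= ENTROPY_MIN:
        return "escalate"    # binary and near-random: send to dynamic analysis
    return "review"          # binary but structured: needs a closer look

# Constructed sample members of an unpacked self-extracting archive (not real malware).
TEXT_CFG = b"[general]\nname=demo\ntimeout=30\n" * 20
BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
MEMBERS = {"settings.ini": TEXT_CFG, "app.cfg": BLOB, "setup.exe": BLOB}

def scan(members: dict) -> dict:
    """Map each member name to its triage verdict."""
    return {name: triage(name, data) for name, data in members.items()}

if __name__ == "__main__":
    for name, verdict in scan(MEMBERS).items():
        print(f"{name}: {verdict}")
```

A verdict of "escalate" only says the file does not match what its name claims; it does not identify the content as malicious, which is why the sample still needs to be executed and observed.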

The second evasion tactic looks for the presence of a sandbox or virtual machine. If either is found, Cerber will not execute. Since a number of malware detection products exist inside a sandbox or virtual machine, the new Cerber variant will detect their presence and refrain from executing anything malicious. Since these detection tools are unable to observe anything that appears dangerous, they release the file, thereby allowing the malware to enter the network, where it subsequently executes and installs the ransomware.

Deep Content Inspection

Because Lastline doesn’t look like a sandbox or contain any virtual machine artifacts, Cerber is unable to detect its presence. And because Lastline’s Deep Content Inspection™ uses machine learning technology that performs both static and dynamic analysis, the malware is fully executed. Lastline examines every instruction executed within the CPU, including code executed by the malware, operating system, kernel, or other programs. Lastline has complete visibility and is able to see all of the malicious capabilities and damaging behaviors of Cerber ransomware, and therefore will block the file and prevent the malware from being executed.

This ransomware variant does not defeat machine learning in general, but it will thwart malware detection tools that have a weak machine learning implementation.