The canary files are a security measure for the early detection of threat like ransomware.
These files are located in specific positions of systems and an anti-ransomware application watches for any modification. If the watching anti-ransomware detects any attempt to encrypt these file the defense solution will trigger the necessary countermeasures.
Researchers at Cybereason have discovered a new strain of the Cerber ransomware that implements a new feature to avoid triggering canary files.
“To avoid encrypting canary files and triggering anti-ransomware programs,” reports Uri Sternfield, Cybereason’s lead researcher, “a new feature in Cerber now searches computers for any image file (.png, .bmp, .tiff, .jpg, etc.) and checks whether they are valid. Image files are commonly used as canary files. If a malformed image is found, Cerber skips the entire directory in which it is located and does not encrypt it.”
Using this technique the Cerber ransomware is able to evade detection based on canary files. Experts pointed out that this mechanism could ble used against the Cerber ransomware by placing false modified canary files ( i.e. malformed image file ) in any important directory of the system. In this way users can vaccinate any folder containing valuable content.
“While this trick might allow Cerber to evade some canary-file anti-ransomware solutions, it also makes it vulnerable,” explains Sternfield; “a user can ‘vaccinate’ any important directory against Cerber by creating an invalid image file inside it, for example by copying any non-image file to this directory and renaming it to .jpg. Cerber will assume that the file is a canary file installed by an anti-ransomware program on the user’s machine and refuse to encrypt it!”
Cybereason’s developed a free application dubbed RansomFree that protects users from ransomware and automatically generates canary files in valuable folders.
Nevertheless, it is easy to create malformed canary files, for example, by renaming non-image file to jpeg.
“Simply take any non-image file and rename it to .jpg, then copy this file into any folder which holds important documents. This has to be performed for each folder separately,” explained Sternfield.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Cerber ransomware, canary files)
[adrotate banner=”13″]
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical…
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
A financially motivated group named GhostR claims the theft of a sensitive database from World-Check…
Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve…
This website uses cookies.