Updated Cerber ransomware can hide from machine learning tools
Cerber, one of the most common and successful ransomware variants, has just upped the ante by adding a new loader that can evade detection from machine learning tools.
Security firm Trend Micro discovered the latest updates to Cerber on Tuesday.
On the surface it appears similar to other ransomware strains and arrives by email, the Trend Micro authors wrote in a blog post. The emails claim to concern services rendered by the user and link to a self-extracting archive hosted on a Dropbox account controlled by the hackers. When the link is clicked, the archive is downloaded and infects the system.
Healthcare is the prime target for ransomware attacks, and this is the first time hackers have deployed machine learning evasion as a technique.
By packaging the payload in a self-extracting archive, the file can appear safe to machine-learning tools, the authors wrote. It is particularly problematic for static machine-learning file detection, which classifies a file by its structure without running it.
“All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either,” Trend Micro said. “For every new malware detection technique, an equivalent evasion technique is created out of necessity.”
The updated version of Cerber also checks whether the victim's machine is running in a virtual machine or sandbox, and whether certain security products are present.
Specifically, it checks whether products from certain vendors are running on the intended target: 360, AVG, Kaspersky, Trend Micro and Norton, among others. It also looks for analysis tools such as Wireshark and Msconfig, the authors wrote.
If the targeted system meets any of these criteria, the virus stops running to avoid detection and subsequent analysis of its code. Cybercriminals seek to evade detection for this reason: analysis and detection put the impact of the virus at risk.
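The two points above, that a self-extracting archive looks the same to a static classifier whether its contents are benign or not, and that the loader probes for security products and analysis tools before exiting, are illustrated by the following Python triage sketch. It is an added example, not code from the article or from Trend Micro's analysis. The vendor and tool names come from the article; the event format, API groupings, window size, sample byte strings and sandbox traces are all constructed here for illustration.

```python
from dataclasses import dataclass, field

# Vendor and tool names the article says the updated loader checks for.
# The prefix-matching rule below is a constructed heuristic.
WATCHED = ("360", "avg", "kaspersky", "trend", "norton", "wireshark", "msconfig")

# API groupings as they would appear in a Windows sandbox trace. The API names
# are standard Win32 names; the grouping is our own (constructed).
ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}
VM_APIS = {"GetSystemFirmwareTable", "RegQueryValueExW"}
EXIT_APIS = {"ExitProcess", "TerminateProcess"}
ENCRYPT_APIS = {"CryptGenKey", "CryptEncrypt", "BCryptEncrypt"}

# Archive signatures commonly appended to an SFX stub as an overlay.
ARCHIVE_MAGICS = (b"Rar!\x1a\x07", b"PK\x03\x04", b"7z\xbc\xaf\x27\x1c")


@dataclass
class Event:
    api: str
    arg: str = ""


@dataclass
class Verdict:
    static_sfx: bool
    watched_hits: list = field(default_factory=list)
    vm_queries: int = 0
    encryption_seen: bool = False
    exited_early: bool = False

    @property
    def label(self) -> str:
        if self.encryption_seen:
            return "malicious: encryption activity observed"
        if self.exited_early:
            return "suspicious: environment-aware early exit"
        return "undetermined: static SFX only" if self.static_sfx else "no finding"


def is_sfx_stub(data: bytes) -> bool:
    """Static layer. A self-extracting archive is an executable stub with an
    archive appended as overlay. Benign installers share that structure, so
    this function only reports the fact and never decides on its own."""
    return data[:2] == b"MZ" and any(m in data[2:] for m in ARCHIVE_MAGICS)


def watched_name(arg: str) -> bool:
    """Prefix match on the executable's base name (constructed heuristic)."""
    base = arg.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return any(base.startswith(w) for w in WATCHED)


def analyse(sample: bytes, trace: list, window: int = 8) -> Verdict:
    """Behavioural layer on top of the static check. Flags the pattern the
    article describes: enumerate processes, hit a watched name, then exit
    within `window` events without ever reaching the encryption stage."""
    v = Verdict(static_sfx=is_sfx_stub(sample))
    last_probe = None  # index of the most recent environment probe
    for i, ev in enumerate(trace):
        if ev.api in ENUM_APIS and watched_name(ev.arg):
            v.watched_hits.append(ev.arg)
            last_probe = i
        elif ev.api in VM_APIS:
            v.vm_queries += 1
            last_probe = i
        elif ev.api in ENCRYPT_APIS:
            v.encryption_seen = True
        elif ev.api in EXIT_APIS:
            if v.watched_hits and i - last_probe <= window and not v.encryption_seen:
                v.exited_early = True
            break
    return v


# Constructed sample bytes: an "MZ" stub with a ZIP overlay (not a real PE).
SFX_BYTES = b"MZ" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16 + b"PK\x03\x04payload"

# Constructed trace: the loader sees an analysis tool and bails out.
TRACE_EVASION = [
    Event("CreateToolhelp32Snapshot"),
    Event("Process32First", r"C:\Windows\System32\csrss.exe"),
    Event("Process32Next", r"C:\Windows\explorer.exe"),
    Event("Process32Next", r"C:\Program Files\Wireshark\Wireshark.exe"),
    Event("GetSystemFirmwareTable"),
    Event("ExitProcess"),
]

# Constructed trace: nothing watched is found, so the loader proceeds to encrypt.
TRACE_DETONATION = [
    Event("CreateToolhelp32Snapshot"),
    Event("Process32First", r"C:\Windows\System32\csrss.exe"),
    Event("Process32Next", r"C:\Windows\explorer.exe"),
    Event("CryptGenKey"),
    Event("CryptEncrypt"),
    Event("ExitProcess"),
]

# Constructed trace: a benign installer unpacks a file and exits.
TRACE_BENIGN = [
    Event("CreateFileW", r"C:\Temp\setup\readme.txt"),
    Event("WriteFile"),
    Event("ExitProcess"),
]

if __name__ == "__main__":
    for name, trace in (("evasion", TRACE_EVASION), ("detonation", TRACE_DETONATION), ("benign", TRACE_BENIGN)):
        v = analyse(SFX_BYTES, trace)
        print(f"{name:10s} static_sfx={v.static_sfx} -> {v.label}  hits={v.watched_hits}")
```

All three traces carry the same static fact (`static_sfx` is true for each), which is the article's point about self-extracting files looking alike regardless of content; only the behavioural layer separates them. The early-exit rule deliberately requires a watched-name hit and no encryption activity, because process enumeration and registry queries on their own are routine for ordinary installers and would flood a detection pipeline with false positives.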
It’s important to note that the new technique is ineffective against anti-malware with multiple layers of protection, the authors wrote. “Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats.”
“Threats will always try to get around the latest solutions, and users should avoid relying on any single approach to security,” the authors continued. “A proactive, multilayered approach to security is more effective -- from the gateway, endpoints, networks and servers.”
While healthcare organizations continue to increase security measures, the number of healthcare security breaches caused by insiders doubled from January to February, according to the latest Protenus Breach Barometer.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com