Evolution and adaptation is required for persistence in the ransomware industry.  Cerber ransomware has been around for quite a while, and may variants are out in the wild.  It has kept itself alive by constant adaptation and jumping ahead of technology advancements by using old and new techniques and also staying out in front of mainstream patching and exploit reporting.  Therefore, they have found a way to stay away from the curve (detection) by putting itself ahead or behind the current threat detection trending.  Cerber has adapted once again recently, by identifying security systems that it faces during attacks, it can whitelist security process files and folders and spares them from encryption.  Even more recent, a new variant has been broken into several delivery components that make it look harmless to even the most advanced detection methods using machine learning.

There is something to be said, forensically speaking, about the methods and skillfulness of the developers of this malware.  There is a level of intelligence that seems to link itself back to the concepts that Darwin made on the theory of evolution.  Darwin came to understand that any population consists of individuals that are slightly different from one another.  Those individuals having a variation that gives them an advantage in staying alive long enough to successfully reproduce are the ones that pass on their traits more frequently to the next generation.  Subsequently, their traits become more common and the population evolves.  Darwin called this “descent with modification.”  I call it, malware with modification and by only changing a few words could describe it’s lifecycle and evolution.

 By studying tactics, techniques and procedures of these “modifications” a forensic “fingerprint” may develop on the creators of this ransomware.  Inventiveness and skill soon run out and eventually give way to the next generation of ransomware. 

“Survival of the fittest”.  Time to evolve or or be locked out.