I have been knee-deep in ransomware since September 2013, when the granddaddy of modern ransomware, CryptoLocker, made well over 20 million bucks in a few months. But sometimes I learn something new that even surprises me.
This week, Larry Abrams reported that the latest version of Cerber ransomware switches to random extensions (almost wrote "ransom extensions") and ends database processes so that it can access the SQL datastore itself and encrypt that:
"This update also includes the addition of new database processes that are closed by the close_process directive in Cerber's configuration. This directive tells Cerber to terminate certain processes before encryption begins."
These are processes like msftesql.exe, sqlagent.exe, sqlservr.exe and many more. Larry commented: "This is not something particularly new, and other ransomware have been doing it for some time." Yikes. Here is the whole article:
http://www.bleepingcomputer.com/news/security/cerber-ransomware-switches-to-a-random-extension-and-ends-database-processes/
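One defensive angle on the close_process behavior described above: a process that normally has no business touching SQL Server suddenly acquiring terminate rights on sqlservr.exe, sqlagent.exe and msftesql.exe within seconds of each other is a strong early signal. The script below is an added example, not code from the article or from BleepingComputer; it scans constructed Sysmon Event ID 10 (ProcessAccess) records, where the GrantedAccess field carries the requested access mask, and flags untrusted sources that obtain PROCESS_TERMINATE on several database processes inside a short window. The allowlist of trusted sources and the sample records are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Database executables the article lists as stopped by Cerber's close_process directive.
DB_PROCESSES = {"msftesql.exe", "sqlagent.exe", "sqlservr.exe"}
PROCESS_TERMINATE = 0x0001  # access right needed to kill a process (bit in Sysmon GrantedAccess)
# Assumed allowlist: the service control manager legitimately stops SQL services.
TRUSTED_SOURCES = {r"c:\windows\system32\services.exe"}

# Constructed Sysmon Event ID 10 records, reduced to the fields this check uses.
SAMPLE_EVENTS = [
    {"UtcTime": "2016-08-04 12:00:00.100", "SourceImage": r"C:\Windows\System32\services.exe",
     "TargetImage": r"C:\SQL\Binn\sqlservr.exe", "GrantedAccess": "0x1"},      # benign service stop
    {"UtcTime": "2016-08-04 12:00:01.200", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\SQL\Binn\sqlservr.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2016-08-04 12:00:02.300", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\SQL\Binn\sqlagent.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2016-08-04 12:00:03.400", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\SQL\Binn\msftesql.exe", "GrantedAccess": "0x1401"},  # mask includes terminate bit
    {"UtcTime": "2016-08-04 12:00:04.500", "SourceImage": r"C:\Backup\backup.exe",
     "TargetImage": r"C:\SQL\Binn\sqlservr.exe", "GrantedAccess": "0x1000"},  # query only, no terminate bit
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_suspicious(ev):
    """True when an untrusted process obtains PROCESS_TERMINATE on a database process."""
    if basename(ev["TargetImage"]) not in DB_PROCESSES:
        return False
    if ev["SourceImage"].lower() in TRUSTED_SOURCES:
        return False
    return int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE != 0

def find_mass_terminations(events, window_seconds=60, min_targets=2):
    """Map each untrusted source to the distinct DB processes it got terminate rights on
    within window_seconds of its first hit; only sources reaching min_targets are reported."""
    by_source = defaultdict(list)
    for ev in events:
        if is_suspicious(ev):
            t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            by_source[ev["SourceImage"].lower()].append((t, basename(ev["TargetImage"])))
    alerts = {}
    for src, hits in by_source.items():
        hits.sort()
        first = hits[0][0]
        targets = {tgt for t, tgt in hits if (t - first).total_seconds() <= window_seconds}
        if len(targets) >= min_targets:
            alerts[src] = sorted(targets)
    return alerts

if __name__ == "__main__":
    for src, targets in find_mass_terminations(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} obtained terminate rights on {', '.join(targets)}")
```

Pair this with backups that are not reachable from the database host, since the point of killing these processes is to unlock the live data files for encryption.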