Cerber targets Windows and is distributed via malvertising that redirects victims to the Nuclear Exploit Kit. Some reports suggest that it is also being sold on the Russian underground market as “Ransomware-as-a-Service” (RaaS). On first execution, Cerber determines the victim’s location. If the victim is outside its list of “protected” countries, Cerber installs itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ folder under the name of a randomly chosen Windows executable. It then configures Windows to boot into Safe Mode with Networking at the next restart. Cerber scans all files on the victim’s drives for specific file extensions, encrypts the matching files and their file names using AES-256, and appends the .cerber extension to each. Finally, Cerber drops ransom notes named #DECRYPTMYFILES#.html, #DECRYPTMYFILES#.txt, and #DECRYPTMYFILES#.vbs; the last contains a VBScript that uses text-to-speech to make the infected computer read the ransom demand aloud. Researchers have recently discovered that Cerber is leveraging the same spam distributor responsible for spreading the Dridex financial Trojan.

UPDATE 7/15/2016: In addition to recently incorporating DDoS attacks and using malicious Windows Script Files in its attacks, Cerber is now targeting Office 365 users through emailed documents containing malicious macros. Since Microsoft disables macros by default, the attackers behind Cerber rely on social engineering tactics to trick users into manually enabling the malicious macros and launching the malware.

UPDATE 8/4/2016: A new version of Cerber appends .cerber2 to encrypted files, displays a new ransom note, and removes a flaw that allowed Trend Micro’s decryption tool to decrypt files, rendering it useless for this version.

UPDATE 8/31/2016: A new version of Cerber appends .cerber3 to encrypted files.

UPDATE 10/4/2016: A new version of Cerber appends a random four character extension to encrypted files.

UPDATE 11/1/2016: Cerber 4.1.0 and 4.1.1 were spotted in the wild. These versions display the version number in the ransom note. Both use the fourth hyphen-separated segment of the infected system’s MachineGuid (the value stored under the HKLM\Software\Microsoft\Cryptography registry key) as the extension appended to encrypted files, which is why the extension is four characters long and differs from host to host.

UPDATE 11/7/2016: Cerber 4.1.4 is currently active and being distributed via Word documents embedded with malicious macros. These malicious documents are delivered within ZIP files attached to phishing emails using subject lines such as RE: Invoice 257224.

UPDATE 11/24/2016: Cerber 5.0 and 5.0.1 have been discovered and are distributed via the RIG-v exploit kit. One main change researchers noted is that these versions of Cerber will not encrypt any file that is below 2,560 bytes in size.

UPDATE 12/9/2016: A new version of Cerber has been spotted with red text highlighting on the ransom note and a modified filename for encrypted files.

UPDATE 12/22/2016: A new version does not delete Shadow Volume Copies and prioritizes folders containing Microsoft Office documents and Bitcoin data during its encryption process.

UPDATE 1/13/2017: A new Cerber campaign is infecting victims by leveraging the RIG EK to exploit vulnerabilities in outdated versions of Flash Player, Silverlight, Internet Explorer, and Edge.

UPDATE 2/8/2017: A new Cerber campaign is offered in a RaaS model and distributed via the Nemucod Trojan.

UPDATE 2/14/2017: A new version of Cerber searches infected systems for firewalls, antispyware, and antivirus software, and adds them to the list of whitelisted files that are not encrypted.

UPDATE 3/9/2017: A new variant keeps the original filename intact but appends a random extension and drops ransom notes named _HELP_HELP_HELP_{RANDOM CHARACTERS}_. The ransom payment amount is 1 Bitcoin.

UPDATE 3/22/2017: "Blank Slate" is a new phishing campaign distributing Cerber. The phishing emails contain no message text and there is no indication of the content of the attachments. The attachments are double-zipped and contain either a JavaScript file or a Microsoft Word document containing Cerber.

UPDATE 4/27/2017: A new version that exploits CVE-2017-0199 to infect victims drops ransom notes named _!!!_README_!!!_%random%_.hta and _!!!_README_!!!_%random%_.txt.
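The indicators above (the .cerber/.cerber2/.cerber3 extensions, the four-character MachineGuid-derived extension of Cerber 4.1.x, the three generations of ransom note names, and the Safe Mode with Networking boot setting) are enough to write an offline triage check. The following Python is an added example, not NJCCIC or vendor code: it derives the expected Cerber 4.1.x extension from a MachineGuid, classifies a list of file paths, and parses a bcdedit listing for a pending safeboot. The MachineGuid, file paths and bcdedit output are constructed sample data; the random-character portions of the _HELP_HELP_HELP_ and _!!!_README_!!!_ note names are matched loosely because the page does not state their alphabet or length.

```python
"""Offline triage helper for the Cerber file and boot indicators described on this page.

Added example (not NJCCIC or vendor code). Works on an in-memory list of paths so it
runs anywhere; feed it os.walk() output to use it on a real Windows host.
"""
import re
from collections import defaultdict

# Fixed extensions used by the first three Cerber generations (from the page).
FIXED_EXTENSIONS = {
    ".cerber": "encrypted (Cerber 1)",
    ".cerber2": "encrypted (Cerber 2)",
    ".cerber3": "encrypted (Cerber 3)",
}

# Ransom note names from the page. The random segments are matched as \w+ because
# their exact alphabet and length are not given; the _HELP_HELP_HELP_ note is
# matched on its prefix since the page lists no extension for it.
NOTE_PATTERNS = [
    (re.compile(r"^#DECRYPTMYFILES#\.(html|txt|vbs)$", re.I), "ransom note (#DECRYPTMYFILES#)"),
    (re.compile(r"^_HELP_HELP_HELP_\w+_(\.\w+)?$", re.I), "ransom note (_HELP_HELP_HELP_)"),
    (re.compile(r"^_!!!_README_!!!_\w+_\.(hta|txt)$", re.I), "ransom note (_!!!_README_!!!_)"),
]

# 8-4-4-4-12 hex GUID, with or without braces, as stored in HKLM\Software\Microsoft\Cryptography.
MACHINE_GUID_RE = re.compile(
    r"^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$", re.I
)


def cerber4_extension(machine_guid):
    """Return the extension Cerber 4.1.x would append on this host: '.' plus the 4th GUID segment."""
    m = MACHINE_GUID_RE.match(machine_guid.strip())
    if not m:
        raise ValueError("not a MachineGuid: %r" % machine_guid)
    return "." + m.group(4).lower()


def classify_path(path, derived_ext=None):
    """Label a path as a Cerber indicator, or return None if it is unremarkable.

    Without the host's MachineGuid a random four-character extension alone is
    ambiguous, so the 4.1.x check only fires when derived_ext is supplied.
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    for pattern, label in NOTE_PATTERNS:
        if pattern.match(name):
            return label
    dot = name.rfind(".")
    if dot == -1:
        return None
    ext = name[dot:].lower()  # Windows names are case-insensitive
    if ext in FIXED_EXTENSIONS:
        return FIXED_EXTENSIONS[ext]
    if derived_ext is not None and ext == derived_ext:
        return "encrypted (Cerber 4.1.x, MachineGuid-derived extension)"
    return None


def scan_paths(paths, machine_guid=None):
    """Group paths by indicator label; paths that match nothing are dropped."""
    derived_ext = cerber4_extension(machine_guid) if machine_guid else None
    hits = defaultdict(list)
    for path in paths:
        label = classify_path(path, derived_ext)
        if label:
            hits[label].append(path)
    return dict(hits)


def safeboot_pending(bcdedit_output):
    """True if a 'bcdedit /enum' listing shows 'safeboot Network', i.e. the next boot
    is Safe Mode with Networking, the setting the page says Cerber configures."""
    for line in bcdedit_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "safeboot" and parts[1].lower() == "network":
            return True
    return False


# --- constructed sample data (not from a real infection) ---
SAMPLE_MACHINE_GUID = "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"  # 4th segment: 8c9d
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.cerber",
    r"C:\Users\alice\Documents\#DECRYPTMYFILES#.vbs",
    r"C:\Users\alice\Pictures\holiday.jpg.cerber2",
    r"C:\Users\alice\Desktop\notes.docx.8c9d",
    r"C:\Users\alice\Desktop\_HELP_HELP_HELP_x7Kq9_.hta",
    r"C:\Users\alice\Downloads\_!!!_README_!!!_3fa1_.txt",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\archive.7z",
]
SAMPLE_BCDEDIT = r"""Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 10
safeboot                Network
"""

if __name__ == "__main__":
    for label, paths in sorted(scan_paths(SAMPLE_PATHS, SAMPLE_MACHINE_GUID).items()):
        print(label, "->", paths)
    print("Safe Mode with Networking pending:", safeboot_pending(SAMPLE_BCDEDIT))
```

On a live host, read MachineGuid from HKLM\Software\Microsoft\Cryptography and pass `bcdedit /enum` output to safeboot_pending(); a Network safeboot value set on a workstation that nobody put into safe mode is worth a closer look on its own, independent of any encrypted files.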

UPDATE 5/3/2017: Cerber 6 has been spotted in the wild and includes a modified encryption routine as well as anti-sandbox and antivirus detection and evasion capabilities. Most spam emails distributing Cerber 6 carry ZIP attachments containing JavaScript, but some Cerber distributors are attempting to deliver it via self-extracting archives (SFX files), HTML Application (HTA) files, and binary (BIN) files. Cerber 6’s encryption process is similar to that of Spora, using Microsoft’s Cryptographic Application Programming Interface (CryptoAPI). It also adds Windows Firewall rules that block network traffic from security software executables (firewall rules cannot prevent a program from launching, but they can cut it off from its update and cloud-lookup servers). There is currently no free decryption tool available for Cerber 6.

UPDATE 6/29/2017: Cerber has been rebranded to CRBR Encryptor and is being distributed via the Magnitude exploit kit and through malicious emails masquerading as correspondence from the Microsoft Security Team.

UPDATE 8/3/2017: A new version of Cerber steals Bitcoin wallets. It specifically targets three wallet applications: Bitcoin Core, Multibit, and Electrum. It also steals passwords saved in browsers such as Internet Explorer, Mozilla Firefox, and Google Chrome in an attempt to locate the password used for the stolen wallets. Lastly, it deletes the associated wallet files on victims' computers.

  • Bleeping Computer provides more information about Cerber.
  • FireEye provides more information about the partnership between Cerber and the Dridex spam distributor.
  • Trend Micro provides a free decryption tool for the first Cerber variant.
  • Check Point provides a free decryption tool for both the Cerber and Cerber2 variants. Additional information about this tool is available from Bleeping Computer.
  • Cybereason modified its free anti-ransomware tool, RansomFree, to detect and stop Cerber infections. The NJCCIC makes no claim as to the effectiveness of this tool and users are advised to exercise caution when downloading and installing any software from the internet.