
Cerber


Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, spread quickly and has been evolving since. It became known for its file encryption, its ability to encrypt without contacting a server, and its evasion techniques. It primarily targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin. It also hits everyday users, encrypting personal files (photos, documents) that are lost for good if no backup exists.

Type: Ransomware
Origin: Unknown
First seen: 1 February, 2016
Last seen: 7 April, 2025


IOCs

IP addresses
149.202.251.83
149.202.64.7
149.202.64.27
149.202.64.21
149.202.64.31
149.202.64.13
149.202.122.4
149.202.64.2
149.202.64.6
149.202.64.20
149.202.64.17
149.202.64.22
149.202.64.15
149.202.64.29
149.202.64.3
149.202.64.25
149.202.64.14
149.202.64.0
149.202.64.4
149.202.64.10
Domains
4kqd3hmqgptupi3p.0vgu64.top
p27dokhpz2n7nvgr.1lseoi.top
jardinaix.fr
lfdachijzuwx4bc4.zreknv.bid
ffoqr3ug7m726zou.utebcd.top
ffoqr3ug7m726zou.prbuoi.top
avsxrcoq2q5fgrw2.1lseoi.top
ffoqr3ug7m726zou.yur4j5.top
ffoqr3ug7m726zou.rzvhne.top
avsxrcoq2q5fgrw2.otruw6.top
pe2cku7pebkpgeko.yjo0z9.top
vyohacxzoue32vvk.ekll3z.top
cerberhhyed5frqa.azwsxe.win
vyohacxzoue32vvk.ttx0ig.top
qfjhpgbefuhenjp7.1bxzyr.top
vyohacxzoue32vvk.9f32tz.top
vyohacxzoue32vvk.cn1027.top
vyohacxzoue32vvk.6x202r.top
ubisortdasert.top
avsxrcoq2q5fgrw2.vbfyit.top


What is Cerber malware?

Cerber is a Ransomware-as-a-Service (RaaS): the operators supply the payload and the payment infrastructure, so an affiliate does not need to be a skilled hacker to deploy it. Since its debut in 2016, it has been updated frequently to bypass signature-based detection.

It mostly arrives at the target network via phishing emails with malicious attachments (zipped .DOT files, Windows Script Files [WSF], or self-extracting archives). Some campaigns use password-protected attachments with the password given in the email body, so that mail gateways cannot open and scan the archive.

Once on a host, Cerber may delay execution (e.g., until a reboot or a period of user inactivity), which lowers the chance of being noticed while the intrusion is fresh. It then scans local and network drives for specific file types (documents, databases, media) and encrypts them with AES-256, protecting the file keys with RSA-2048, so the data cannot be recovered without the attacker's private key.

Analysis of Cerber Ransomware in the ANY.RUN sandbox

It deletes the Volume Shadow Copies that could restore the encrypted files and disables Windows startup recovery, so the victim cannot roll back; once encryption is finished, Cerber writes its ransom note and deletes its own executable to minimize forensic evidence.
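The shadow-copy deletion and recovery tampering described above are the loudest, most generic step in the chain and the easiest to alert on from process-creation telemetry. The following detector is an added example (not ANY.RUN's code): it scores Sysmon-style Event ID 1 records, one JSON object per line, against the well-known vssadmin/wmic/bcdedit command patterns and an mshta launch of an .hta note from a user-writable path. The log lines are constructed; the PIDs, paths and the `README.hta` name are illustrative.

```python
"""Detect the recovery-destruction chain Cerber runs before it drops its note.

Added example, not ANY.RUN's code. Events are Sysmon-style process-creation
records (Event ID 1) as one JSON object per line; SAMPLE_LOG is constructed.
"""
import json
import re
from collections import defaultdict

# rule name -> (regex on Image, regex on CommandLine), matched case-insensitively
RULES = {
    "shadow_copy_delete_vssadmin": (r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    "shadow_copy_delete_wmic": (r"\\wmic\.exe$", r"\bshadowcopy\s+delete\b"),
    "recovery_disabled_bcdedit": (r"\\bcdedit\.exe$", r"\brecoveryenabled\s+no\b"),
    "boot_failures_ignored": (r"\\bcdedit\.exe$", r"\bbootstatuspolicy\s+ignoreallfailures\b"),
    "ransom_note_via_mshta": (r"\\mshta\.exe$", r'\\(users|appdata|temp)\\[^"]*\.hta\b'),
}
COMPILED = {name: (re.compile(img, re.I), re.compile(cmd, re.I))
            for name, (img, cmd) in RULES.items()}

# Constructed sample log: one ransomware parent (PID 1200) spawning the whole
# chain, plus benign activity including a harmless `vssadmin list shadows`.
SAMPLE_LOG = r'''
{"EventID": 1, "ProcessId": 1404, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 1, "ProcessId": 1412, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic.exe shadowcopy delete"}
{"EventID": 1, "ProcessId": 1420, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"}
{"EventID": 1, "ProcessId": 1428, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"}
{"EventID": 1, "ProcessId": 1500, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\admin\\Desktop\\README.hta\""}
{"EventID": 1, "ProcessId": 2200, "ParentProcessId": 700, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"EventID": 1, "ProcessId": 2300, "ParentProcessId": 3100, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"}
'''

def classify(event):
    """Return the names of all rules a single event matches (empty if benign)."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return [name for name, (img_re, cmd_re) in COMPILED.items()
            if img_re.search(image) and cmd_re.search(cmdline)]

def parse_events(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]

def rules_by_parent(events):
    """Map each parent PID to the set of rules its child processes triggered."""
    hits = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            hits[ev["ParentProcessId"]].add(rule)
    return hits

def suspicious_parents(events, min_rules=2):
    """Parents whose children triggered >= min_rules distinct rules. A lone
    `vssadmin delete shadows` can be an administrator; the full chain rarely is."""
    return {ppid: sorted(rules) for ppid, rules in rules_by_parent(events).items()
            if len(rules) >= min_rules}

if __name__ == "__main__":
    for ppid, rules in suspicious_parents(parse_events(SAMPLE_LOG)).items():
        print(f"parent PID {ppid}: {', '.join(rules)}")
```

Grouping by parent PID is what turns five individually explainable commands into one alert: the sample's own process is the parent of every child in the chain, while the benign `vssadmin list shadows` from another parent matches nothing.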


Cerber’s technical details

Cerber is equipped with advanced capabilities as it:

  • Creates scheduled tasks and registry Run entries so that it reactivates after reboots.
  • Drops copies of itself in %AppData%, %Temp%, or %LocalAppData%.
  • Scans local and network drives for data files and encrypts them with AES-256, protecting the keys with RSA-2048.
  • Drops a ransom note (README.hta) in affected folders with instructions to pay in Bitcoin via a Tor-based payment portal. Some variants also play a synthesized voice message announcing the infection and demanding payment.
  • Uses PowerShell scripts and scheduled tasks to launch itself, including on remote hosts.
  • Attempts to spread via SMB shares, encrypting files on additional network hosts.
  • Evades analysis with code obfuscation, sandbox detection, dynamically generated domains (the rotating .top/.bid/.win hostnames in the IOC list above) and, in some strains, fileless execution via PowerShell in memory. Because the RSA public key ships with the payload, it can encrypt without an internet connection, so the absence of C2 traffic is not evidence that a host is clean.
  • Encrypts its configuration and network traffic, making interception and analysis harder. Macros in phishing attachments often include junk code to confuse detection tools.
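The "dynamic domain generation" above and the IOC list at the top of this page are worth reading together. Every listed .top/.bid/.win hostname is a 16-character base32 label (the shape of a v2 Tor .onion address; `cerberhhyed5frqa` is the label of Cerber's payment portal) placed under a disposable 6-character second-level domain, and the 149.202.64.x addresses all fall within 149.202.64.0/27. The following triage helper is an added example, not ANY.RUN's code: it classifies indicators by that structure instead of exact match, so a hostname never seen before still lights up. The /27 boundary is inferred from the listed IPs, the port set contains only the 6893 cited later on this page, and the flow records in the usage section are constructed; all three are assumptions to refresh from current intelligence.

```python
"""Triage Cerber network indicators by structure instead of exact match.

Added example, not ANY.RUN's code. The domain list is the one from this page;
the /27 and the port set are assumptions noted inline.
"""
import ipaddress
import re

# <16 base32 chars = v2 onion label>.<6 alphanumerics>.<cheap TLD>
ONION_GATEWAY_RE = re.compile(
    r"^(?P<onion>[a-z2-7]{16})\.(?P<sld>[a-z0-9]{6})\.(?P<tld>top|bid|win)$")
BEACON_NET = ipaddress.ip_network("149.202.64.0/27")  # assumed from the listed IPs
BEACON_PORTS = {6893}  # the port cited on this page; extend from live intel

# The domains from the IOC section of this page.
PAGE_DOMAINS = [
    "4kqd3hmqgptupi3p.0vgu64.top", "p27dokhpz2n7nvgr.1lseoi.top", "jardinaix.fr",
    "lfdachijzuwx4bc4.zreknv.bid", "ffoqr3ug7m726zou.utebcd.top",
    "ffoqr3ug7m726zou.prbuoi.top", "avsxrcoq2q5fgrw2.1lseoi.top",
    "ffoqr3ug7m726zou.yur4j5.top", "ffoqr3ug7m726zou.rzvhne.top",
    "avsxrcoq2q5fgrw2.otruw6.top", "pe2cku7pebkpgeko.yjo0z9.top",
    "vyohacxzoue32vvk.ekll3z.top", "cerberhhyed5frqa.azwsxe.win",
    "vyohacxzoue32vvk.ttx0ig.top", "qfjhpgbefuhenjp7.1bxzyr.top",
    "vyohacxzoue32vvk.9f32tz.top", "vyohacxzoue32vvk.cn1027.top",
    "vyohacxzoue32vvk.6x202r.top", "ubisortdasert.top",
    "avsxrcoq2q5fgrw2.vbfyit.top",
]

def classify_domain(host):
    """('onion-gateway', <onion label>) for Cerber-shaped hosts, else ('other', host)."""
    m = ONION_GATEWAY_RE.match(host.lower().strip("."))
    if m:
        return ("onion-gateway", m.group("onion"))
    return ("other", host)

def onion_labels(hosts):
    """Distinct hidden-service labels: the campaign's real infrastructure,
    far smaller than the set of disposable hostnames that front it."""
    return sorted({label for kind, label in map(classify_domain, hosts)
                   if kind == "onion-gateway"})

def in_beacon_range(ip):
    return ipaddress.ip_address(ip) in BEACON_NET

def is_beacon_flow(dst_ip, dst_port, proto="udp"):
    """Cerber statistics beacon: UDP into the /27 on a known port. Outbound UDP
    to this block from a workstation is a high-confidence infection signal."""
    return proto.lower() == "udp" and dst_port in BEACON_PORTS and in_beacon_range(dst_ip)

if __name__ == "__main__":
    print("hidden services fronted:", onion_labels(PAGE_DOMAINS))
    print("non-pattern hosts:", [h for h in PAGE_DOMAINS if classify_domain(h)[0] == "other"])
    # constructed flow records: (dst_ip, dst_port, proto)
    for flow in [("149.202.64.7", 6893, "udp"), ("149.202.64.7", 443, "tcp"),
                 ("149.202.251.83", 6893, "udp")]:
        print(flow, "beacon" if is_beacon_flow(*flow) else "-")
```

Run against the page's own list, the 18 pattern hostnames collapse to 9 hidden services, and the two outliers (`jardinaix.fr`, `ubisortdasert.top`) are exactly the entries that need manual review rather than pattern handling.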

Execution process of Cerber Ransomware

Let's use ANY.RUN's Interactive Sandbox to analyze a sample of the Cerber Ransomware to see how it operates.

Cerber ransomware uses a multi-stage execution chain, usually starting with a phishing email. The attachment is either a zipped Windows Script File (WSF) or a Microsoft Office document (.DOC or .DOCM; a plain .DOCX cannot carry macros). The WSF script installs Cerber directly, while the Office document asks the user to enable macros, which then download and install the malware. Cerber has also been observed exploiting known vulnerabilities to gain initial access.


Process analysis of Cerber ransomware in ANY.RUN's Interactive Sandbox

Once executed, Cerber checks for a specific mutex to avoid reinfecting the same machine; in this analysis the mutex was SHELL.{9C578142-9AC8-5286-EEAE-C741EB3192B8}, and the sample created several additional mutexes. It checks the system's locale and terminates if it detects an ex-USSR country. To blind defenders, Cerber can add Windows Firewall rules that block outbound traffic from security tools. Some versions insert a time delay into the chain to outlast the analysis window of a sandbox.

Cerber often reboots the system into Safe Mode with Networking, a mode in which many security agents do not start, and then back into normal mode before beginning encryption. It encrypts files with AES-256 and RSA, renames each file to a randomly generated string and appends a custom extension; in this analysis the extension was ".ae90". It stores the ransom instructions locally, may change the desktop wallpaper, and opens an HTA ransom note via mshta.exe. Finally, it deletes its own executable to conceal its presence.
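The renaming described above is the detection opportunity: the new file names are random, but the short extension is constant for a given host, so a static IOC for ".ae90" misses every other victim while the shape of the names and the rate at which one process produces them do not. The detector below is an added example, not ANY.RUN's code. It runs over constructed Sysmon-style file-create events (time in seconds, PID, path); the 10-character random name length is an assumption based on observed Cerber samples and is a tunable, and the 20-files-in-60-seconds threshold is a starting point, not a measured value.

```python
"""Spot Cerber-style mass encryption from file-system telemetry.

Added example, not ANY.RUN's code. Events are constructed; the 10-character
name length and the burst threshold are assumptions (see lead-in).
"""
import random
import re
import string
from collections import defaultdict

# <10 chars from [A-Za-z0-9_-]>.<4 lowercase hex>, the shape seen in the analysis above
ENCRYPTED_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{10}\.(?P<ext>[0-9a-f]{4})$")

def encrypted_name_ext(path):
    """Return the 4-hex extension if the file name has the Cerber shape, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = ENCRYPTED_NAME_RE.match(name)
    return m.group("ext") if m else None

def detect_encryption_bursts(events, min_files=20, window_s=60):
    """events: iterable of (time_s, pid, path). Returns sorted
    [(pid, ext, peak_count)] for every process that wrote >= min_files
    Cerber-shaped names sharing one extension inside any window_s window."""
    per_key = defaultdict(list)
    for ts, pid, path in events:
        ext = encrypted_name_ext(path)
        if ext:
            per_key[(pid, ext)].append(ts)
    alerts = []
    for (pid, ext), times in per_key.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):            # sliding window over timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_files:
            alerts.append((pid, ext, peak))
    return sorted(alerts)

def constructed_events():
    """Constructed telemetry: PID 1200 renames 40 files to *.ae90 in 40 s;
    PID 3300 is an ordinary user session, including one coincidental match."""
    rng = random.Random(7)
    alphabet = string.ascii_letters + string.digits + "_-"
    events = []
    for i in range(40):
        name = "".join(rng.choices(alphabet, k=10))
        events.append((1000 + i, 1200, "C:\\Users\\admin\\Documents\\" + name + ".ae90"))
    events.append((1005, 3300, "C:\\Users\\admin\\Documents\\report.docx"))
    events.append((1010, 3300, "C:\\Users\\admin\\Pictures\\IMG_2016.jpg"))
    events.append((1020, 3300, "C:\\Temp\\abcdefghij.beef"))
    return events

if __name__ == "__main__":
    for pid, ext, count in detect_encryption_bursts(constructed_events()):
        print(f"PID {pid}: {count} files renamed to *.{ext} within 60 s")
```

Keying the burst on (process, extension) rather than on the extension alone is deliberate: a single coincidental match from a user process never reaches the threshold, while the infected process produces dozens of names that all share the same four hex characters.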


Gathering threat intelligence on Cerber malware

Countering Cerber demands proactive threat hunting as well as protective measures. Use threat intelligence to track Cerber-related indicators of compromise: C2 domains and IPs, hashes of known Cerber variants, the Tor-based payment portals, and the UDP statistics beacons (e.g., to port 6893) whose payload carries an identifier derived from the victim's Machine GUID.

TI Lookup helps users collect fresh intel on Cerber Ransomware attacks

Threat Intelligence Lookup by ANY.RUN delivers fresh contextual data on IOCs and provides a selection of the malware’s samples in action detonated in the Interactive Sandbox. Learn more about TI Lookup.

A TI Lookup search by a port typically used by Cerber returns further IOCs for research: associated URLs, files, mutexes, etc.


Distribution methods of Cerber Ransomware

  • The main vector is phishing email with malicious attachments. Fake invoices, job offers, or security alerts trick victims into opening Word or Excel files whose macros drop Cerber.
  • Also used: malvertising and drive-by downloads from compromised websites, with exploit kits targeting browser and plugin vulnerabilities.
  • Cerber has been delivered by the TrickBot and Dridex botnets, which act as loaders and access brokers for ransomware operators.
  • Adversaries brute-force RDP credentials to gain remote access, disable security tools, and deploy Cerber manually inside corporate networks.
  • Because Cerber is sold as RaaS, many different affiliates run campaigns, so lures, delivery methods and sender addresses vary widely.
  • Once inside, Cerber spreads laterally, encrypting shared drives and removable media.

Conclusion

Cerber stands out as a highly adaptive ransomware threat, blending traditional infection vectors with evasion techniques that have kept pace with defenses. Its danger lies in its ability to hit both individuals and organizations, steal data, and disrupt operations while evading detection. By combining robust endpoint security, network monitoring for its beacon traffic, and real-time threat intelligence, defenders can detect and neutralize Cerber effectively.

