
Cerber


Cerber is a Ransomware-as-a-Service (RaaS) family that first appeared in 2016, spread quickly, and has been evolving ever since. It became well known for its file encryption, its ability to operate offline, and its sophisticated evasion techniques. It primarily targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin. It also hits everyday users, encrypting personal files (photos, documents) that may be lost permanently.

Type: Ransomware
Origin: Unknown
First seen: 1 February, 2016
Last seen: 25 September, 2025


IOCs

IP addresses
149.202.251.83
149.202.64.7
149.202.64.27
149.202.64.21
149.202.64.31
149.202.64.13
149.202.122.4
149.202.64.2
149.202.64.6
149.202.64.20
149.202.64.17
149.202.64.22
149.202.64.15
149.202.64.29
149.202.64.3
149.202.64.25
149.202.64.14
149.202.64.0
149.202.64.4
149.202.64.10
Hashes
eedce41f2642f9e2b640464df4a305522cb5caec2267cd38411608e67b4a91bc
ddaef49d0deefcdd5439ec5317f07f2a3dfafca6e51c75ce229c21870d15e00f
e5a8e5dce2e126e1a24e1253b67dadbbc4bdc4ba2f9b1332d09b8c5241881264
a30780119e95514ea7e01d8fbcc34d3c799cf491dec478cd8736e3be48dfc4c6
8cc84c910910535990b7ec98b521f7bb84774a78fa488a27dacff5590a7322e3
d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2
9e2e3df46d33e24402b6ff9771e392ce656dc7cf578291ac1494c2a28b6b8926
6b40410127bc96dfe892e55fa956f8d9c5889b74557e050a61a3c0bd27e90454
35167e6aab373740e63cfe77a8aa28a9d2cdb759dad57e8027373c87e9d1d7ef
ba3eb5e46f78e67fd4cfe3989ea50842bdf9d585fdcfc2009d1f0e76a4f2ab28
160adbb2a6d3392bc119a0fa431d795ecb80801815612e8fae1fdd2a42503a89
993a83e4930edf11d5d8bde9ce803ce9948776457f77530079692ca7541aebd2
86a4299c0211417bba19be70cbd28ea1b9de255b29ca3e4e56d3e6c1b710a475
a7951110c018bbd7d9871441f73d1843d5cadc1fc4926109cd04dfdc9deb22c1
04befeeeaafd56bf5dabdf9025a0280e456242f06dc6a7abdbc2d2ebad56a418
2f1ac05ea0fe4bd365c0de29394515737dfdc7df832ef16088e139e8d68500f9
272e46f6cb9c3045b19f956b77758f90ab69b420a1a2787438790d5d76d69a1a
3c63bb57e90453101891dd8b124c8288f32256f47a0144251fd49eb157d2afda
2ff572c29da39ee36ac98a86985ee399e451988aeabf7e39d1eb127a7a396123
927458c5a75272a94a3660d0d1eacf9a11106bf1cd607e07dbd5785ec3d8757e
Domains
4kqd3hmqgptupi3p.0vgu64.top
p27dokhpz2n7nvgr.1lseoi.top
jardinaix.fr
lfdachijzuwx4bc4.zreknv.bid
ffoqr3ug7m726zou.utebcd.top
ffoqr3ug7m726zou.prbuoi.top
avsxrcoq2q5fgrw2.1lseoi.top
ffoqr3ug7m726zou.yur4j5.top
ffoqr3ug7m726zou.rzvhne.top
avsxrcoq2q5fgrw2.otruw6.top
pe2cku7pebkpgeko.yjo0z9.top
vyohacxzoue32vvk.ekll3z.top
cerberhhyed5frqa.azwsxe.win
vyohacxzoue32vvk.ttx0ig.top
qfjhpgbefuhenjp7.1bxzyr.top
vyohacxzoue32vvk.9f32tz.top
vyohacxzoue32vvk.cn1027.top
vyohacxzoue32vvk.6x202r.top
ubisortdasert.top
avsxrcoq2q5fgrw2.vbfyit.top

What is Cerber malware?

Cerber is a Ransomware-as-a-Service (RaaS) offering, so the affiliate deploying it does not need to be a skilled hacker. Since its debut in 2016, it has been updated frequently to bypass signature-based detection.

It mostly arrives at the target network via phishing emails with malicious attachments (zipped .DOT files, Windows Script Files [WSF], or self-extracting archives). Some campaigns include password-protected attachments with the password provided in the email to bypass basic email filters.

Once inside a network, Cerber typically waits for an opportune moment (e.g., system reboot or user idle time) to execute, increasing its chances of going unnoticed initially. Then the malware scans local and network drives for specific file types (documents, databases, media). It encrypts the found files using AES-256 and RSA-2048 encryption.

Figure: Analysis of Cerber ransomware in the ANY.RUN sandbox

It deletes shadow copies of the encrypted files and disables recovery options; once these operations are finished, Cerber generates a ransom note and deletes its own executable to minimize forensic evidence.


Cerber’s technical details

Cerber is equipped with advanced capabilities as it:

  • Creates scheduled tasks and registry modifications to ensure persistence.
  • Drops multiple copies of itself in %AppData%, %Temp%, or %LocalAppData%.
  • Scans local and network drives for data files and encrypts them with AES-256 and RSA-2048 algorithms.
  • Drops a ransom note (README.hta) in affected folders with instructions to pay in Bitcoin via a Tor-based payment portal. Some variants use voice-based ransom notes, playing an audio message demanding payment.
  • Uses PowerShell scripts and scheduled tasks to execute itself remotely.
  • Attempts to spread via SMB shares, infecting additional network points.
  • Employs a number of advanced evasion tactics: code obfuscation, sandbox detection, dynamic domain generation, and fileless execution (some strains use PowerShell scripts to run directly in memory). It can encrypt files without an internet connection, which defeats detection based on network traffic analysis.
  • Encrypts its network traffic and code, making both harder to intercept or analyze. Macros in phishing attachments often include junk code to confuse detection tools.
  • For persistence, may establish itself in the system registry or in running processes so that it reactivates after reboots.

Execution process of Cerber Ransomware

Let's use ANY.RUN's Interactive Sandbox to analyze a sample of the Cerber Ransomware to see how it operates.

Cerber ransomware uses a multi-stage execution chain, often starting with distribution via phishing emails. These emails typically include malicious attachments—either zipped Windows Script Files (WSF) or Microsoft Office files (.DOC or .DOCX). The WSF file directly installs Cerber, while the Office documents prompt users to enable macros, which then download and install the malware. Cerber has also been observed exploiting known vulnerabilities to gain initial access.


Figure: Process analysis of Cerber ransomware in ANY.RUN's Interactive Sandbox

Once executed, Cerber may check for specific mutexes to avoid reinfecting the same machine. In this case, the mutex is SHELL.{9C578142-9AC8-5286-EEAE-C741EB3192B8}, and the ransomware also created several additional mutexes. It checks the system’s country location and terminates if it detects an ex-USSR region. To evade detection, Cerber can configure Windows Firewall rules to block outbound traffic from security tools. Some versions add a time delay to the attack chain to evade sandbox analysis.

Cerber often reboots the system into Safe Mode with Networking, then back to normal mode before initiating the encryption process. It uses AES-256 and RSA to encrypt files, appends a custom extension, and renames files with randomly generated strings. In this analysis, the extension used was “.ae90.” Cerber stores ransom instructions locally, can change the desktop wallpaper, and launches a ransom note in HTA format using mshta.exe. Finally, it deletes its own file from the infected system to conceal its presence.
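The behaviours listed under the technical details and observed in the execution chain above (execution from a user-profile directory, the SHELL.{GUID} mutex, a burst of renames to a random extension such as ".ae90", mshta.exe launching an HTA ransom note, and self-deletion) translate naturally into endpoint detection rules. The following is an added example written for this page, not ANY.RUN's code or real sandbox output: the telemetry event schema, every path and PID, and the generalisation of the mutex to any SHELL.{GUID} name are assumptions; only the mutex value and the ".ae90" extension come from the analysis above.

```python
"""Behavioural detection heuristics for the Cerber traits described on this page,
run over constructed endpoint telemetry. Added example; event schema is assumed."""
import re
from collections import Counter, defaultdict

# Constructed telemetry (assumed schema). The mutex name and ".ae90" extension are
# the values reported in the page's analysis; paths and PIDs are made up.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4120,
     "image": r"C:\Users\u\AppData\Roaming\cfg\svc.exe",
     "cmdline": r"C:\Users\u\AppData\Roaming\cfg\svc.exe"},
    {"kind": "mutex", "pid": 4120,
     "name": "SHELL.{9C578142-9AC8-5286-EEAE-C741EB3192B8}"},
    {"kind": "process", "pid": 4301,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Desktop\README.hta"'},
    {"kind": "delete", "pid": 4120,
     "target": r"C:\Users\u\AppData\Roaming\cfg\svc.exe"},
    # benign noise that must not be flagged
    {"kind": "process", "pid": 5000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"kind": "rename", "pid": 5000, "src": r"C:\Users\u\Documents\notes.txt",
     "dst": r"C:\Users\u\Documents\notes_old.txt"},
]
# Six documents renamed to random names with the ".ae90" extension by PID 4120.
SAMPLE_EVENTS += [
    {"kind": "rename", "pid": 4120, "src": rf"C:\Users\u\Documents\doc{i}.docx",
     "dst": rf"C:\Users\u\Documents\Kx9bQ2mT1{i}.ae90"} for i in range(6)
]

USER_DIRS = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.IGNORECASE)
# Assumption: generalises the observed mutex to "SHELL.{GUID}" so that a variant
# with a different GUID still matches.
CERBER_MUTEX = re.compile(
    r"^SHELL\.\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
# Assumption: ".ae90"-style four-hex-character extension; the threshold keeps a
# single odd rename from firing.
RANDOM_EXT = re.compile(r"\.[0-9a-f]{4}$", re.IGNORECASE)


def detect(events, rename_threshold=5):
    """Return (rule, pid, detail) findings for the Cerber behaviours seen in events."""
    findings = []
    image_by_pid = {e["pid"]: e["image"].lower()
                    for e in events if e["kind"] == "process"}
    ext_counts = defaultdict(Counter)  # pid -> new extension -> renamed-file count
    for e in events:
        kind = e["kind"]
        if kind == "process":
            if USER_DIRS.search(e["image"]):
                findings.append(("exec_from_user_dir", e["pid"], e["image"]))
            if e["image"].lower().endswith("mshta.exe") and ".hta" in e["cmdline"].lower():
                findings.append(("hta_ransom_note", e["pid"], e["cmdline"]))
        elif kind == "mutex" and CERBER_MUTEX.match(e["name"]):
            findings.append(("cerber_mutex", e["pid"], e["name"]))
        elif kind == "rename":
            m = RANDOM_EXT.search(e["dst"])
            if m:
                ext_counts[e["pid"]][m.group(0).lower()] += 1
        elif kind == "delete" and e["target"].lower() == image_by_pid.get(e["pid"]):
            # a process deleting its own image file: the self-deletion step
            findings.append(("self_delete", e["pid"], e["target"]))
    for pid, counts in ext_counts.items():
        ext, n = counts.most_common(1)[0]
        if n >= rename_threshold:
            findings.append(("mass_rename", pid, f"{n} files renamed to *{ext}"))
    return findings


def suspicious_pids(findings, min_rules=2):
    """PIDs hit by at least min_rules distinct rules; single weak hits are left out."""
    rules = defaultdict(set)
    for rule, pid, _ in findings:
        rules[pid].add(rule)
    return sorted(pid for pid, r in rules.items() if len(r) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, pid, detail in hits:
        print(f"{rule:20} pid={pid} {detail}")
    print("triage:", suspicious_pids(hits))
```

The per-PID correlation matters more than any single rule: mshta.exe opening an .hta file or a single rename is common in a normal environment, while a process that runs from %AppData%, creates a SHELL.{GUID} mutex, renames many files to one random extension and then deletes itself is not.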


Gathering threat intelligence on Cerber malware

Countering Cerber demands proactive threat hunting and protective measures. Use threat intelligence to track Cerber-related indicators of compromise: C2 domains and IPs, hashes of known Cerber variants, and the Tor-based payment portals used by attackers (e.g., traffic on port 6893 with specific packet structures such as Machine GUID hashes).

Figure: Cerber ransomware results in ANY.RUN TI Lookup, which helps users collect fresh intel on Cerber attacks

Threat Intelligence Lookup by ANY.RUN delivers fresh contextual data on IOCs and provides a selection of the malware's samples detonated in the Interactive Sandbox.

A TI Lookup search for a port typically used by Cerber returns a set of related IOCs for further research: associated URLs, files, mutexes, and more.
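The IOC lists at the top of this page and the port mentioned above can be applied directly to DNS, connection and file telemetry. The following is an added example, not ANY.RUN's or TI Lookup's code: the log format, the host names, the benign addresses and hashes are constructed, the indicator sets are a subset copied from the page's IOC section, and the DGA-style domain pattern is an assumption inferred from the shape of the listed domains.

```python
"""Match network and file telemetry against the Cerber IOCs listed on this page.
Added example; the log line format is assumed."""
import re
from collections import defaultdict

# Indicators copied from the IOC section above (a subset of each list).
CERBER_IPS = {"149.202.251.83", "149.202.64.7", "149.202.64.27"}
CERBER_DOMAINS = {"4kqd3hmqgptupi3p.0vgu64.top", "jardinaix.fr",
                  "cerberhhyed5frqa.azwsxe.win", "ubisortdasert.top"}
CERBER_HASHES = {
    "eedce41f2642f9e2b640464df4a305522cb5caec2267cd38411608e67b4a91bc",
    "ddaef49d0deefcdd5439ec5317f07f2a3dfafca6e51c75ce229c21870d15e00f",
}
# Assumption: shape inferred from the listed DGA-style domains (16-char label,
# 6-char label, cheap TLD). It catches domains not yet on the list at the cost
# of some false positives, so it is ranked below an exact match.
DGA_PATTERN = re.compile(r"^[a-z0-9]{16}\.[a-z0-9]{6}\.(top|bid|win)$")
PAYMENT_PORT = "6893"  # port the page names for Tor-based payment portal traffic

# Constructed log lines in an assumed "timestamp kind key=value ..." format;
# 198.51.100.0/24 is documentation address space, the zero hash is a dummy.
SAMPLE_LOG = """\
2025-09-25T10:00:01Z dns host=ws01 query=4kqd3hmqgptupi3p.0vgu64.top
2025-09-25T10:00:02Z dns host=ws01 query=vyohacxzoue32vvk.zz9q1a.top
2025-09-25T10:00:03Z dns host=ws02 query=www.example.com
2025-09-25T10:00:04Z conn host=ws01 dst=149.202.64.7 dport=6893
2025-09-25T10:00:05Z conn host=ws03 dst=198.51.100.9 dport=6893
2025-09-25T10:00:06Z conn host=ws02 dst=198.51.100.10 dport=443
2025-09-25T10:00:07Z file host=ws01 sha256=eedce41f2642f9e2b640464df4a305522cb5caec2267cd38411608e67b4a91bc
2025-09-25T10:00:08Z file host=ws02 sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|conn|file) (?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for a line of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec.update(kind=m.group("kind"), ts=m.group("ts"))
    return rec


def classify(rec):
    """Return (reason, strength) if the record matches an indicator, else None."""
    kind = rec["kind"]
    if kind == "dns":
        q = rec["query"].lower().rstrip(".")
        if q in CERBER_DOMAINS:
            return ("known_cerber_domain", "strong")
        if DGA_PATTERN.match(q):
            return ("cerber_dga_pattern", "medium")
    elif kind == "conn":
        if rec["dst"] in CERBER_IPS:
            return ("known_cerber_ip", "strong")
        if rec.get("dport") == PAYMENT_PORT:
            return ("cerber_payment_port", "weak")  # port alone is not conclusive
    elif kind == "file" and rec["sha256"].lower() in CERBER_HASHES:
        return ("known_cerber_hash", "strong")
    return None


def scan(log_text):
    """Return one (host, reason, strength, value) tuple per matching log line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec)
        if result:
            value = rec.get("query") or rec.get("dst") or rec.get("sha256")
            hits.append((rec["host"], result[0], result[1], value))
    return hits


def hosts_to_triage(hits):
    """Hosts with at least one strong match, or two or more weaker matches."""
    strong, weaker = set(), defaultdict(int)
    for host, _, strength, _ in hits:
        if strength == "strong":
            strong.add(host)
        else:
            weaker[host] += 1
    return sorted(strong | {h for h, n in weaker.items() if n >= 2})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("triage:", hosts_to_triage(hits))
```

In the constructed sample, ws03 only talks to an unknown address on port 6893, which on its own is not enough to act on; ws01 resolves a listed domain, connects to a listed IP and holds a listed hash, so it is the host to isolate first. Exact indicator matches age quickly for a family that rotates domains, which is why the pattern rule and fresh lookups complement the static lists.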


Distribution methods of Cerber Ransomware

  • The main method is phishing emails with malicious attachments. Fake invoices, job offers, or security alerts trick victims into downloading malicious Word or Excel files containing macros that drop Cerber.
  • Other vectors include malvertising and drive-by downloads, compromised websites, and exploit kits targeting browser and software vulnerabilities.
  • Cerber is distributed via TrickBot and Dridex—malware families that serve as initial access brokers for ransomware operators.
  • Adversaries can brute-force RDP credentials to gain remote access, disable security tools, and manually deploy Cerber inside corporate networks.
  • As a RaaS, Cerber is distributed by various cybercriminals who customize their own campaigns, so its delivery methods and sender addresses vary widely.
  • Cerber can spread laterally across a network, infecting shared drives and removable media.

Conclusion

Cerber stands out as a highly adaptive ransomware threat, blending traditional infection vectors with cutting-edge evasion techniques. Its danger lies in its ability to target both individuals and organizations, steal data, and disrupt operations while evading detection. By combining robust endpoint security, network monitoring, and real-time threat intelligence, defenders can detect and neutralize Cerber effectively.

