
Cerber

Global rank: 71 | Month rank: 100 | Week rank: 113

Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, spread quickly, and has kept evolving since. It is known for its file encryption, its ability to encrypt without an internet connection, and its evasion techniques. It mainly targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin, but it also hits home users, whose personal files (photos, documents) are lost permanently unless backups exist.

Type: Ransomware
Origin: Unknown
First seen: 1 February 2016
Last seen: 5 July 2025


IOCs

IP addresses
149.202.251.83
149.202.64.7
149.202.64.27
149.202.64.21
149.202.64.31
149.202.64.13
149.202.122.4
149.202.64.2
149.202.64.6
149.202.64.20
149.202.64.17
149.202.64.22
149.202.64.15
149.202.64.29
149.202.64.3
149.202.64.25
149.202.64.14
149.202.64.0
149.202.64.4
149.202.64.10
Domains
4kqd3hmqgptupi3p.0vgu64.top
p27dokhpz2n7nvgr.1lseoi.top
jardinaix.fr
lfdachijzuwx4bc4.zreknv.bid
ffoqr3ug7m726zou.utebcd.top
ffoqr3ug7m726zou.prbuoi.top
avsxrcoq2q5fgrw2.1lseoi.top
ffoqr3ug7m726zou.yur4j5.top
ffoqr3ug7m726zou.rzvhne.top
avsxrcoq2q5fgrw2.otruw6.top
pe2cku7pebkpgeko.yjo0z9.top
vyohacxzoue32vvk.ekll3z.top
cerberhhyed5frqa.azwsxe.win
vyohacxzoue32vvk.ttx0ig.top
qfjhpgbefuhenjp7.1bxzyr.top
vyohacxzoue32vvk.9f32tz.top
vyohacxzoue32vvk.cn1027.top
vyohacxzoue32vvk.6x202r.top
ubisortdasert.top
avsxrcoq2q5fgrw2.vbfyit.top


What is Cerber malware?

Cerber is a Ransomware-as-a-Service: affiliates can deploy it without being skilled attackers themselves. Since its debut in 2016 it has been updated frequently to stay ahead of signature-based detection.

It mostly arrives via phishing emails with malicious attachments: zipped .DOT (Word template) files, Windows Script Files (.wsf), or self-extracting archives. Some campaigns use password-protected attachments with the password given in the email body, so that mail gateways cannot open and scan the archive.

Once on a host, Cerber may delay execution until an opportune moment (a reboot or a period of user inactivity), which lowers its chance of being noticed early. It then enumerates local and mapped network drives for targeted file types (documents, databases, media) and encrypts them with a hybrid scheme: AES-256 for the file data and RSA-2048 to wrap the symmetric keys, so the data cannot be recovered without the attacker's private key.

[Figure: Analysis of Cerber ransomware in the ANY.RUN sandbox]

It deletes the Volume Shadow Copies of the encrypted files and disables Windows recovery options, so the files cannot be restored from local snapshots; once encryption is finished, Cerber drops a ransom note and deletes its own executable to limit the forensic evidence left behind.


Cerber’s technical details

Cerber is equipped with advanced capabilities as it:

  • Creates scheduled tasks and registry entries to persist and reactivate after reboots.
  • Drops multiple copies of itself in %AppData%, %Temp%, or %LocalAppData%.
  • Scans local and network drives for data files and encrypts them with AES-256 and RSA-2048.
  • Drops a ransom note (README.hta) in affected folders with instructions to pay in Bitcoin via a Tor-based payment portal. Some variants also play a spoken audio message demanding payment.
  • Uses PowerShell scripts and scheduled tasks to launch itself, including on remote hosts.
  • Attempts to spread via SMB shares, infecting additional machines on the network.
  • Employs a range of evasion tactics: code obfuscation, sandbox detection, dynamic domain generation, and fileless execution (some strains run PowerShell directly in memory). Because it can encrypt files without an internet connection, there may be no C2 traffic for network monitoring to catch.
  • Encrypts its network traffic and obfuscates its code, making both harder to intercept or analyze. Macros in phishing attachments often include junk code to confuse detection tools.

Execution process of Cerber Ransomware

Let's use ANY.RUN's Interactive Sandbox to analyze a sample of the Cerber Ransomware to see how it operates.

Cerber uses a multi-stage execution chain that usually begins with a phishing email. The attachment is either a zipped Windows Script File (WSF) or a Microsoft Office document (.DOC or .DOCX). The WSF installs Cerber directly, while the Office document prompts the user to enable macros, which then download and install the malware. Cerber has also been observed exploiting known vulnerabilities for initial access.


[Figure: Process analysis of Cerber ransomware in ANY.RUN's Interactive Sandbox]

Once executed, Cerber checks for specific mutexes to avoid running twice on the same machine. In this analysis the mutex was SHELL.{9C578142-9AC8-5286-EEAE-C741EB3192B8}, and the sample created several additional mutexes. It also checks the system's country location and terminates if it detects an ex-USSR region. To hinder detection, Cerber can add Windows Firewall rules that block outbound traffic from security tools, and some versions insert a time delay into the attack chain to outlast sandbox analysis windows.

Cerber often reboots the system into Safe Mode with Networking and then back to normal mode before starting encryption; most third-party security products do not load in Safe Mode, which leaves the host unprotected during that cycle. It uses AES-256 and RSA to encrypt files, appends a custom extension, and replaces file names with randomly generated strings; in this analysis the extension was ".ae90". Cerber stores ransom instructions locally, can change the desktop wallpaper, and displays the HTA ransom note through mshta.exe. Finally, it deletes its own executable to conceal its presence.
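The recovery sabotage described in "What is Cerber malware?" (shadow copies deleted, recovery options disabled) and the Safe Mode reboot and mshta.exe ransom note described above all surface as process-creation events, which is where a SOC can catch them before encryption finishes. The detection logic below is an added example written for this page, not ANY.RUN's code nor a signature taken from the sandbox. The Sysmon-style events are constructed, and the assumption that the sabotage goes through vssadmin, wmic, bcdedit and wbadmin reflects the usual Windows tooling for these actions rather than anything the page itself lists.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (illustrative, not captured telemetry).
# pid 3988 stands in for a dropped copy of the ransomware running from %AppData%.
SAMPLE_EVENTS = [
    {"pid": 3988, "ppid": 1200, "image": r"C:\Users\alice\AppData\Roaming\xr7k2.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\xr7k2.exe"},
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4124, "ppid": 3988, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"pid": 4130, "ppid": 3988, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 4131, "ppid": 3988, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4140, "ppid": 3988, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Desktop\README.hta"'},
    # Benign administrative activity that must not alert on its own.
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 5002, "ppid": 901, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

# Command-line patterns for the recovery sabotage the page describes. The utilities
# (vssadmin, wmic, bcdedit, wbadmin) are the usual Windows means of doing this; they are
# an assumption of this example, not something the page itself lists.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("safeboot_toggle", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("backup_catalog_deleted", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

# Directories an unprivileged user can write to; an .hta launched from one of these is
# far more suspicious than a vendor installer under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Desktop|Downloads|Public|ProgramData)\\", re.I)
HTA_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.hta)"?', re.I)


def classify(cmdline: str) -> set:
    """Return the set of sabotage categories a command line matches (empty if none)."""
    return {name for name, rx in RULES if rx.search(cmdline)}


def hta_from_user_dir(event: dict) -> bool:
    """True when mshta.exe is launched with an .hta located in a user-writable directory."""
    if not event["image"].lower().endswith("\\mshta.exe"):
        return False
    m = HTA_ARG.search(event["cmdline"])
    return bool(m and USER_WRITABLE.search(m.group(1)))


def triage(events: list) -> list:
    """Group suspicious children by parent PID and alert when one parent chain either
    combines two sabotage categories or pairs sabotage with a ransom-note display."""
    images = {ev["pid"]: ev["image"] for ev in events}
    by_parent = defaultdict(lambda: {"categories": set(), "ransom_note": False, "pids": []})
    for ev in events:
        cats = classify(ev["cmdline"])
        note = hta_from_user_dir(ev)
        if not cats and not note:
            continue
        bucket = by_parent[ev["ppid"]]
        bucket["categories"] |= cats
        bucket["ransom_note"] = bucket["ransom_note"] or note
        bucket["pids"].append(ev["pid"])
    alerts = []
    for ppid, b in sorted(by_parent.items()):
        if len(b["categories"]) >= 2 or (b["categories"] and b["ransom_note"]):
            alerts.append({
                "parent_pid": ppid,
                "parent_image": images.get(ppid, "<unknown>"),
                "categories": sorted(b["categories"]),
                "ransom_note": b["ransom_note"],
                "child_pids": sorted(b["pids"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Correlating on the parent PID is what keeps the false-positive rate tolerable: a lone `vssadmin list shadows` or a vendor installer's .hta never fires, while one parent that both wipes snapshots and pops an .hta from the Desktop does. In a real deployment the parent image path (here a random name under %AppData%, matching the drop locations listed in the technical details) is the first thing to pull for hash lookup.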


Gathering threat intelligence on Cerber malware

Countering Cerber calls for proactive threat hunting alongside preventive controls. Use threat intelligence to track Cerber-related indicators of compromise: C2 domains and IP addresses, hashes of known Cerber variants, Tor-based payment portals, and the malware's own outbound traffic, for example connections to port 6893 whose packets carry a hash of the victim's Machine GUID.

[Figure: TI Lookup results for Cerber ransomware, used to collect fresh intel on Cerber attacks]

Threat Intelligence Lookup by ANY.RUN delivers fresh contextual data on IOCs and provides a selection of the malware's samples detonated in the Interactive Sandbox. Learn more about TI Lookup.

A TI Lookup search by a port typically used by Cerber returns further IOCs for research: associated URLs, files, mutexes, and more.


Distribution methods of Cerber Ransomware

  • The main vector is phishing email with malicious attachments. Fake invoices, job offers, or security alerts lure victims into opening Word or Excel files whose macros drop Cerber.
  • Malvertising and drive-by downloads: compromised websites and exploit kits target browser and software vulnerabilities.
  • Delivery through TrickBot and Dridex, malware families whose operators hand initial access to ransomware crews.
  • Brute-forced RDP credentials: adversaries gain remote access, disable security tools, and deploy Cerber manually inside corporate networks.
  • Because Cerber is sold as RaaS, many different criminals run their own campaigns, so delivery methods and sender addresses vary widely.
  • Once inside, Cerber can spread laterally across a network, infecting shared drives and removable media.

Conclusion

Cerber stands out as a highly adaptive ransomware threat, blending traditional infection vectors with cutting-edge evasion techniques. Its danger lies in its ability to target both individuals and organizations, steal data, and disrupt operations while evading detection. By combining robust endpoint security, network monitoring, and real-time threat intelligence, defenders can detect and neutralize Cerber effectively.

