Cerber (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.cerber (Back to overview)

Cerber

VTCollection

A prolific ransomware which originally added ".cerber" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information.

References

2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot

2022-06-16 ⋅ SophosLabs Uncut ⋅ Andrew Brandt
Confluence exploits used to drop ransomware on vulnerable servers
Cerber

2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk

2021-10-05 ⋅ Trend Micro ⋅ Byron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk

2021-09-01 ⋅ YouTube (Black Hat) ⋅ Christian Doerr, Tsuyoshi Taniguchi
How Did the Adversaries Abusing the Bitcoin Blockchain Evade Our Takeover?
Cerber Pony

2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet

2021-05-06 ⋅ Black Hat ⋅ Christian Doerr, Tsuyoshi Taniguchi
How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover
Cerber Pony

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2020-12-10 ⋅ US-CERT ⋅ FBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus

2019-06-12 ⋅ Gdata ⋅ Karsten Hahn
Ransomware identification for the judicious analyst
Cerber Cryptowall CryptoFortress Locky PadCrypt Spora VirLock

2018-08-06 ⋅ rinse and REpeat analysis ⋅ James Haughom
Reversing Cerber - RaaS
Cerber

2018-07-26 ⋅ IEEE Symposium on Security and Privacy (SP) ⋅ Alex C. Snoeren, Damon McCoy, Danny Yuxing Huang, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Kylie McRoberts, Luca Invernizzi, Maxwell Matthaios Aliapoulios, Vector Guo Li
Tracking Ransomware End-to-end
Cerber Locky WannaCryptor

2017-12-11 ⋅ United States Department of Justice ⋅ United States Department of Justice
United States of America v. MIHAI ALEXANDRU ISVANCA and EVELINE CISMARU
Cerber Dharma

2017-12-01 ⋅ Check Point ⋅ Neomi Rona, Stanislav Skuratovich
Nine circles of Cerber
Cerber

2017-03-28 ⋅ Trend Micro ⋅ Gilbert Sison
Cerber Starts Evading Machine Learning
Cerber

2016-03-11 ⋅ Malwarebytes ⋅ hasherezade
Cerber ransomware: new, but mature
Cerber

Yara Rules

[TLP:WHITE] win_cerber_auto (20251219 | Detects win.cerber.)

rule win_cerber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.cerber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8345fc04 8901 ff45f8 8b45f8 }
            // n = 4, score = 1200
            //   8345fc04             | add                 dword ptr [ebp - 4], 4
            //   8901                 | mov                 dword ptr [ecx], eax
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_1 = { 8b5508 2bd7 8955f4 8975fc }
            // n = 4, score = 1200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   2bd7                 | sub                 edx, edi
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8975fc               | mov                 dword ptr [ebp - 4], esi

        $sequence_2 = { 59 84c0 7413 8b450c 56 ff7508 8b7510 }
            // n = 7, score = 1200
            //   59                   | pop                 ecx
            //   84c0                 | test                al, al
            //   7413                 | je                  0x15
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]

        $sequence_3 = { 833c8100 7505 85c0 75f1 c3 40 }
            // n = 6, score = 1200
            //   833c8100             | cmp                 dword ptr [ecx + eax*4], 0
            //   7505                 | jne                 7
            //   85c0                 | test                eax, eax
            //   75f1                 | jne                 0xfffffff3
            //   c3                   | ret                 
            //   40                   | inc                 eax

        $sequence_4 = { 8b550c 8b4510 b900100000 2b8e7c3b0000 33db 2b55fc 1bc3 }
            // n = 7, score = 1200
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   b900100000           | mov                 ecx, 0x1000
            //   2b8e7c3b0000         | sub                 ecx, dword ptr [esi + 0x3b7c]
            //   33db                 | xor                 ebx, ebx
            //   2b55fc               | sub                 edx, dword ptr [ebp - 4]
            //   1bc3                 | sbb                 eax, ebx

        $sequence_5 = { 7709 39450c 0f86dc000000 8b550c 8b4510 }
            // n = 5, score = 1200
            //   7709                 | ja                  0xb
            //   39450c               | cmp                 dword ptr [ebp + 0xc], eax
            //   0f86dc000000         | jbe                 0xe2
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_6 = { 6a00 50 e8???????? 8b4df0 83c40c 85c9 7e58 }
            // n = 7, score = 1200
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   83c40c               | add                 esp, 0xc
            //   85c9                 | test                ecx, ecx
            //   7e58                 | jle                 0x5a

        $sequence_7 = { 7433 8b7d0c 8b5508 2bd7 8955f4 8975fc }
            // n = 6, score = 1200
            //   7433                 | je                  0x35
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   2bd7                 | sub                 edx, edi
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8975fc               | mov                 dword ptr [ebp - 4], esi

        $sequence_8 = { 762e 85d2 7838 8b4508 8b04b8 83651400 837d1420 }
            // n = 7, score = 1200
            //   762e                 | jbe                 0x30
            //   85d2                 | test                edx, edx
            //   7838                 | js                  0x3a
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b04b8               | mov                 eax, dword ptr [eax + edi*4]
            //   83651400             | and                 dword ptr [ebp + 0x14], 0
            //   837d1420             | cmp                 dword ptr [ebp + 0x14], 0x20

        $sequence_9 = { 3b7d0c 72d2 85d2 780a }
            // n = 4, score = 1200
            //   3b7d0c               | cmp                 edi, dword ptr [ebp + 0xc]
            //   72d2                 | jb                  0xffffffd4
            //   85d2                 | test                edx, edx
            //   780a                 | js                  0xc

    condition:
        7 of them and filesize < 573440
}

Download all Yara Rules

Cerber Propose Change

References

Yara Rules

Cerber