SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cerber (Back to overview)

Cerber

VTCollection    

A prolific ransomware which originally added ".cerber" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information.

References
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2022-06-16SophosLabs UncutAndrew Brandt
Confluence exploits used to drop ransomware on vulnerable servers
Cerber
2022-01-19BlackberryThe BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-10-05Trend MicroByron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-09-01YouTube (Black Hat)Christian Doerr, Tsuyoshi Taniguchi
How Did the Adversaries Abusing the Bitcoin Blockchain Evade Our Takeover?
Cerber Pony
2021-08-05KrebsOnSecurityBrian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-05-06Black HatChristian Doerr, Tsuyoshi Taniguchi
How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover
Cerber Pony
2021-04-12PTSecurityPTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-21BlackberryBlackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2020-12-10US-CERTFBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-07-29ESET Researchwelivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-02-25RSA ConferenceJoel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2019-06-12GdataKarsten Hahn
Ransomware identification for the judicious analyst
Cerber Cryptowall CryptoFortress Locky PadCrypt Spora VirLock
2018-08-06rinse and REpeat analysisJames Haughom
Reversing Cerber - RaaS
Cerber
2018-07-26IEEE Symposium on Security and Privacy (SP)Alex C. Snoeren, Damon McCoy, Danny Yuxing Huang, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Kylie McRoberts, Luca Invernizzi, Maxwell Matthaios Aliapoulios, Vector Guo Li
Tracking Ransomware End-to-end
Cerber Locky WannaCryptor
2017-12-11United States Department of JusticeUnited States Department of Justice
United States of America v. MIHAI ALEXANDRU ISVANCA and EVELINE CISMARU
Cerber Dharma
2017-12-01Check PointNeomi Rona, Stanislav Skuratovich
Nine circles of Cerber
Cerber
2017-03-28Trend MicroGilbert Sison
Cerber Starts Evading Machine Learning
Cerber
2016-03-11Malwarebyteshasherezade
Cerber ransomware: new, but mature
Cerber
Yara Rules
[TLP:WHITE] win_cerber_auto (20260504 | Detects win.cerber.)
rule win_cerber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cerber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33da 8b9034ffffff 235054 89b840010000 8bb8b8000000 23b8a0000000 899844010000 }
            // n = 7, score = 1200
            //   33da                 | xor                 ebx, edx
            //   8b9034ffffff         | mov                 edx, dword ptr [eax - 0xcc]
            //   235054               | and                 edx, dword ptr [eax + 0x54]
            //   89b840010000         | mov                 dword ptr [eax + 0x140], edi
            //   8bb8b8000000         | mov                 edi, dword ptr [eax + 0xb8]
            //   23b8a0000000         | and                 edi, dword ptr [eax + 0xa0]
            //   899844010000         | mov                 dword ptr [eax + 0x144], ebx

        $sequence_1 = { 59 8b45ec ff4de8 836df004 8345e004 836dec04 837de800 }
            // n = 7, score = 1200
            //   59                   | pop                 ecx
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   ff4de8               | dec                 dword ptr [ebp - 0x18]
            //   836df004             | sub                 dword ptr [ebp - 0x10], 4
            //   8345e004             | add                 dword ptr [ebp - 0x20], 4
            //   836dec04             | sub                 dword ptr [ebp - 0x14], 4
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0

        $sequence_2 = { 51 33c0 53 3bf0 }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   33c0                 | xor                 eax, eax
            //   53                   | push                ebx
            //   3bf0                 | cmp                 esi, eax

        $sequence_3 = { 0bf2 0fa4ce10 c1e110 99 0bc8 8b4524 }
            // n = 6, score = 1200
            //   0bf2                 | or                  esi, edx
            //   0fa4ce10             | shld                esi, ecx, 0x10
            //   c1e110               | shl                 ecx, 0x10
            //   99                   | cdq                 
            //   0bc8                 | or                  ecx, eax
            //   8b4524               | mov                 eax, dword ptr [ebp + 0x24]

        $sequence_4 = { 7504 6a05 ebee 394508 }
            // n = 4, score = 1200
            //   7504                 | jne                 6
            //   6a05                 | push                5
            //   ebee                 | jmp                 0xfffffff0
            //   394508               | cmp                 dword ptr [ebp + 8], eax

        $sequence_5 = { 83c704 ff4dfc 75dd 8b4510 5f 5e 5b }
            // n = 7, score = 1200
            //   83c704               | add                 edi, 4
            //   ff4dfc               | dec                 dword ptr [ebp - 4]
            //   75dd                 | jne                 0xffffffdf
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_6 = { 33da 8b9044ffffff 235064 894de0 8b88d4000000 894de4 }
            // n = 6, score = 1200
            //   33da                 | xor                 ebx, edx
            //   8b9044ffffff         | mov                 edx, dword ptr [eax - 0xbc]
            //   235064               | and                 edx, dword ptr [eax + 0x64]
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b88d4000000         | mov                 ecx, dword ptr [eax + 0xd4]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        $sequence_7 = { 33da 8b902cffffff 23504c 89b838010000 8b7de8 23fe 8b75ec }
            // n = 7, score = 1200
            //   33da                 | xor                 ebx, edx
            //   8b902cffffff         | mov                 edx, dword ptr [eax - 0xd4]
            //   23504c               | and                 edx, dword ptr [eax + 0x4c]
            //   89b838010000         | mov                 dword ptr [eax + 0x138], edi
            //   8b7de8               | mov                 edi, dword ptr [ebp - 0x18]
            //   23fe                 | and                 edi, esi
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]

    condition:
        7 of them and filesize < 573440
}
Download all Yara Rules