What is Cerber ransomware and how to protect against it

Cerber ransomware is offered as a service to other hackers. The creators of the malware have created a user portal for it. This enables others to sign up as an affiliate and launch a ransomware attack without copying over the code and hosting it.

The Cerber strategy is called Ransomware-as-a-Service (RaaS). It relieves associate hackers from hosting the ransomware distributor, so they don’t worry about covering over connection records. In addition, the Cerber hackers take a 40 percent cut of the ransom that the associate gains by using the system.

There are many benefits for the associate when using a RaaS system, but why wouldn’t the Cerber group launch attacks with their software themselves and keep all of the ransom? The creators of Cerber decided that they didn’t want all of the workloads of seeking out marks and the trouble of trying to get access credentials.

By making their ransomware available to others, they can reap the rewards of the efforts of many other hard-working hackers. They remove the risk of those associates screwing them out of their cut by not allowing the code to leave their servers. The controllers of Cerber can log all of its activity and choose to withhold the decryption key if the associates don’t pay up.

About Cerber ransomware

Cerber ransomware first appeared in March 2016. This is quite a long time ago and makes it one of the oldest ransomware systems around. Little is known about the owners of Cerber – none of them have ever been arrested or even identified. However, the RaaS is advertised in Russian on Russian Dark Web forums, so it is reasonable to assume that the team behind Cerber is based in Russia.

Like a lot of Russian malware, Cerber won’t launch if it lands on a target in Russia or any of the former Soviet Union countries that didn’t join the EU – Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan. This is probably not out of nationalism but because the Russian authorities won’t arrest hackers as long as they don’t launch attacks within the country or its allied nations.

Cerber was very active in 2016 and 2017 and then seemed to disappear. However, you shouldn’t relax just yet because it came back again in January 2020. Cerber has been through many variants, and some earlier versions can be cracked with decryptors available for free. However, the latest version doesn’t have a simple solution.

The ransom demand for Cerber is relatively low compared to many ransomware systems. However, it is not very well organized given that so many different hackers launch Cerber attacks. This reduces the likelihood that the decryptor will be delivered to those who pay the ransom.

How does a Cerber attack start?

Cerber platform affiliates have options over how they get access to target systems. The split in specialty between the attack software and the controlling hacker means that the affiliate program is suitable for hackers with specialist skills in phishing or profiling. It is also ideal for those who are prepared to pay for lists of emails.

The main entry point for the Cerber ransomware is via an infected attachment to a phishing email. Other methods include a download disguised as a helpful program, malware disguised as media propagated through torrent systems, or direct manual transfers through stolen credentials.

Some hackers using the Cerber RaaS are very skilled con artists and will approach targets through social media and charm credentials. This is the type of operation that the creators of Cerber need but do not have the interest or time to implement themselves. This is why they are willing to make their attack software available to others.

What happens in a Cerber ransomware attack?

One good attribute of Cerber is that its attack implements as soon as the dropper has been downloaded onto a target computer. This means that it doesn’t have a stealth phase that spreads it around a network. There aren’t many attempts at lateral movement. The primary victim of an attack is the system onto which the malware is installed. So, the damage of Cerber can be quickly contained by identifying the presence of the software soon.

Cerber will encrypt files on the host computer and any network drives to which that computer is connected and shared drives. The executable for the encryption is saved on the Local App Data or App Data directory with a randomly selected name taken from the real applications installed on the device.

The Cerber ransomware will encrypt all working files, such as documents, text files, audio, video, and image files. It also encrypts database storage files. It doesn’t encrypt executables, so it will still be possible to use the computer after the attack. As Each file is encrypted, its name is changed by the addition of an extra extension. The exact extension use by Cerber ransomware has changed over time with the development of new versions. After using .cerber, .cerber2, and .cerber3, the developers settled on a string of four random characters, such as .r4t5 or .dx56.

An AES cipher encrypts files with a 256-bit key. This key is generated on the victim’s computer and protected by RSA encryption with a 2048-bit key. AES encryption is an asymmetric cipher – the encryption and decryption keys are different. You cannot derive the decryption key if you know the encryption key, so it is unnecessary to keep the encryption key secret. The encryption key is called the public key, and the decryption key is the private key.

The Cerber ransom

After completing the file encryption process, the Cerber ransomware leaves several ransom notes. One of these is in HTA and is activated to display on the screen. There is also an audio file available, which speaks to the ransom demand.

The ransom, in 2016, was 1 Bitcoin. The victim had seven days to pay, and then the ransom doubled. The ransom note instructs the victim to install a Tor browser and gives the address of a generated page specific to that attack. The victim is then able to pay through that page. A successful transaction results in the victim being sent the private key for the RSA encryption. This unlocks the AES key, which can be used to decrypt all files.

Preventing Cerber ransomware attacks

The prime targets of Cerber ransomware are endpoints – specifically desktops and laptops rather than servers. This means that your primary defenses should focus on user education and endpoint protection. The malware gets onto devices because users are tricked into installing it. Thus, warning users about infected attachments or malicious links is a worthwhile exercise.

If your business is required to comply with a data privacy standard, the opportunities for data theft that are built into a Cerber attack and the ransomware means that this malware could seriously damage your business’s economic viability. Thus, if you need to comply with PCI DSS, HIPAA, or GDPR, you should also invest in sensitive data protection systems.

Cerber will delete all shadow copies of files – these are the autosave versions. However, it doesn’t travel across a network and infect other devices. So, this means that your backup stores are relatively safe. Another systemic weakness of Cerber is that data disclosure is not part of its master strategy. This means that as long as you run an intelligent backup system, you can afford to ignore the ransom demands and just restore encrypted files from your saved copies.

Be aware that Cerber isn’t the only ransomware that you need to plan protection against. Other systems will try to get onto your servers. In addition, some ransomware will delay activation while replication modules copy the encryption software across the network. Therefore, in order to fully protect backups, you need to combine malware scanning with each backup cycle.

Here are four secure systems that you should consider installing:

1. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is an endpoint detection and response system (EDR). It focuses protection on endpoints, which is the perfect strategy for defense against Cerber ransomware.

Key Features:

  • Dual-level
  • Local antivirus
  • Cloud-based controller
  • Private threat intelligence
  • Blocks lateral movement

Why do we recommend it?

CrowdStrike Falcon Insight is a multi-level package that provides antivirus servers on each endpoint and a cloud-based SIEM that operates on data uploaded by the endpoint system. The endpoint unit will continue to operate if the device is disconnected from the network and the SIEM acts as a private threat intelligence system, preventing lateral movement.

Rather than just being an antivirus system, this package adds enterprise-wide defense coordination to the device-resident protection software. This system protection is provided by a cloud-based service that collects activity reports from each endpoint agent.

The endpoint defense software is available as a standalone package, called CrowdStrike Falcon Prevent. It is the cloud service that transforms many installations of Falcon prevent into Falcon Insight.

The cloud service works as a SIEM, searching through log data uploaded from the endpoints for indicators of compromise. This is a secondary defense because the endpoint agents are more than just data collectors; they have a complete defense system built into them. This double protection strategy enables CrowdStrike Falcon to offer complete system protection, and it can also cope with zero-day attacks.

Who is it recommended for?

The CrowdStrike system keeps vigil on each device and also warns all devices if one is attacked. Thus, ransomware is unable to spread throughout your organization and is contained on one device. Remediating that problem is a lot easier than having to restore every single endpoint.


  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc.)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert anomalous behavior over time, improves the longer it monitors the network
  • Lightweight agents take up little system resources


  • Would benefit from a longer trial period

You can get a 15-day free trial of Falcon Prevent.

2. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is designed to protect sensitive data. This is essential for businesses that need to comply with data protection standards, such as GDPR, HIPAA, and PCI DSS. In addition, the service includes a file integrity monitor that will spot and block file encryption as soon as it starts. So, his is an excellent service to protect against ransomware, including Cerber.

Key Features:

  • Data loss prevention
  • Compliance reporting
  • File integrity monitoring
  • Covers on-premises servers and cloud platforms

Why do we recommend it?

ManageEngine DataSecurity Plus is a protection system for sensitive data but its file integrity monitoring and server activity monitoring services will spot any file name changes, which occur at the beginning of the ransomware encryption process. Blocking the process that performs that action and disconnecting the device from the network stops the ransomware.

The DataSecurity Plus system includes a data discovery service and a sensitive data classifier. It focuses defenses on sensitive data stores and logs all activities to provide an audit trail for compliance.

Who is it recommended for?

This system is a large package that is organized into four modules, which are all charged for individually. Not all businesses will need all of the modules, so it would be possible to reduce the cost of the protection system by identifying precisely which modules are needed. It will particularly appeal to businesses that manage sensitive data.


  • Provides a detailed account of file access, allowing sysadmin to understand the context of the file change
  • The platform can track access trends over time, allowing for better malicious behavior detection
  • Supports built-in compliance reporting for popular standards such as HIPAA, PCI DSS, and FISMA
  • Can integrate with numerous helpdesk solutions, notification platforms, and backup systems


  • Requires a sizable time investment to fully explore all the platforms features and tools


This is an on-premises package that installs on Windows Server. DataSecurity Plus is available for a 30-day free trial.

3. BitDefender GravityZone

Bitdefender GravityZone

BitDefender GravityZone covers all aspects of malware detection and protection and also includes a backup service.

Key Features:

  • On-device antivirus
  • Integrated firewall
  • Vulnerability scanner and patch manager

Why do we recommend it?

BitDefender GravityZone is an anti-virus system and firewall for endpoints that has special routines for ransomware detection and mitigation. The package includes a backup system for data files and that enables all data to be restored after detected ransomware has been shut down. Higher plans include allowlisting, which prevents all but approved software from activating.

The GravityZone service watches over all parts of your system, including endpoints, which are particularly vulnerable to Cerber ransomware attacks. The bundle of security services also includes a vulnerability scanner and a linked patch manager. These modules ensure that the ports, operating systems, and software packages are free from the exploits that will help malware get onto your system.

No matter how tight your security is, you can do little to prevent users from being duped into performing actions on behalf of con artists. So, you also need to make sure that you sweep for viruses at every point of your system. This is what GravityZone does. It protects all possible entry points, such as gateways and endpoints. Crucially, it also scans files for infection before uploading them to backup servers.

Who is it recommended for?

GravityZone is available in three editions with a Small Businesses service as the entry point. The higher plans have many more features. However, the ransomware is included in all three plans. That makes the ransomware protection and recovery services of this package accessible for all sizes of businesses.


  • Simple UI reduces the learning curve and helps users gain insights faster
  • Uses both signature-based detection and behavior analysis to identify threats
  • Offers disc encryption on top of endpoint protection
  • Includes device control options for locking down USB ports


  • Could use more documentation to help users get started quicker

Other essential elements of this security bundle are file integrity monitoring and automated responses. The software for BitDefender GravityZone runs as a virtual appliance, and it is available for a one-month free trial.

4. Acronis Cyber Protect

Acronis Cyber Protect

Acronis Cyber Protect includes a backup system, a vulnerability scanner, and a threat-protection system.

Key Features:

  • Antivirus
  • Backup and recovery
  • Editions for different business types

Why do we recommend it?

Acronis Cyber Protect is a combination of antivirus and backup and recovery. This is the ideal combination of systems to deal with ransomware. The system also assesses URLs to block access to infected or fake sites. Other units in the package are a vulnerability scanner and a patch manager.

The backup service covers physical and virtual systems, and it can perform complete backups of servers down to the bare metal. It will manage the backup of Windows Server and Linux. Backups can be made to other devices on-premises, to cloud storage systems, or both. You can choose your cloud platform to host the backup store, and Acronis offers a cloud backup storage service as an optional extra.

The vulnerability manager identifies software weaknesses and can patch out-of-date OSs and software. However, you also need full virus and intrusion defenses, so the threat detection system in the Acronis bundle is essential.

Who is it recommended for?

Acronis produces Cyber Protect in several editions, each of which caters to a different size and type of business. These range from a package for home offices up to a service for managed service providers. So, this system has a very wide market of potential customers.


  • Can clone via scripts and automated scheduling
  • Ideal for enterprise environments
  • Is easy to use without sacrificing advanced features
  • Available for Windows and Mac, a great cross-platform solution


  • Advanced features may take time to fully learn and utilize

This is a cloud-based system that requires an agent program to be installed on your site. Acronis offers Cyber Protect a 30-day free trial.