Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New Cerber Ransomware Speaks to Victims

A new piece of ransomware has been discovered that speaks to its victims in order to inform them that their files have been encrypted.

A new piece of ransomware has been discovered that speaks to its victims in order to inform them that their files have been encrypted.

Dubbed Cerber, the threat appeared on the threat landscape about a week ago and is said to employ functionality typically found in ransomware. Cerber encrypts a victim’s files using AES-256 encryption, and encrypts the file’s name, and then adds the .CERBER extension to it. Cerber targets a wide array of file extensions, but avoids those named bootsect.bak, iconcache.db, thumbs.db, or wallet.dat, according Bleeping Computer’s Lawrence Abrams

Furthermore, as Abrams explains, the malware also files with full pathnames that include a specific set of strings. Similar to the Locky ransomware, the new malicious application scans all accessible network shares on the network, including unmapped Windows shares, and encrypts any data that is found on them.

At first run, the ransomware checks whether the computer is located in one of the following countries: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan, and terminates itself if it is. Otherwise, it installs itself in the AppData folder and names itself after a random Windows executable.

The ransomware also configures Windows to automatically boot into Safe Mode with Networking on the next reboot and also configures itself to automatically start when the user logs into Windows, to run as screensaver, and to execute itself once every minute. Each time it is executed, Cerber displays a fake system alert and begins a reboot process and continues displaying them until the reboot is performed.

Once the reboot is initiated, the computer boots into Safe Mode with Networking and, once the user logs in, it reboots again in normal mode. As soon as the second reboot is completed, the ransomware, which uses a JSON configuration file for its settings, executes itself and starts encrypting the victim’s files.

After encrypting files, the ransomware creates 3 ransom notes on the user’s desktop and in every folder that it has encrypted: # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. These are ransom notes that contain info on what happened to user’s data and links to the Tor decryption service where the user can pay a ransom and retrieve the decryptor.

Researchers also discovered that the # DECRYPT MY FILES #.vbs file contains VBScript, which causes the computer to “speak” to the victim. The file includes a message stating that the user’s files have been encrypted, and the message is repeated numerous times.

The ransom notes link to the decrypttozxybarc.onion Tor site named Cerber Decryptor, where users can make payments and retrieve the decryptor keys. The site is available in 12 languages, includes a captcha, and provides users with details on how to pay the ransom, the ransom amount (1.24 bitcoins or around $500), and that the ransom should be paid in 7 days, otherwise it will double.

For the time being there is no way to decrypt files for free, and affected users are advised to restore their files from a backup.

Also of importance is the fact that Cerber is currently offered as a service on a closed underground Russian forum. While details on how the malware is being distributed are not available at the moment, the fact that it is Ransomware as a Service, or RaaS, means that even cybercriminals without advanced computer skills can use it to attack users.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.