Cerber Ransomware Is on the Rise

By   muhammad malik
Chief Editor , Information Security Buzz | Apr 17, 2016 06:30 pm PST

In the world of computers, viruses are not an uncommon thing to hear. Viruses are to computers what infections are to humans. Infections can make you sick and often impair you from taking part in your normal daily routines as usual. When viruses hit your computer, its daily routines are also affected. Simple things such as accessing the Internet, opening a document can become problematic.

It is thus crucial for one to be aware of the different types of viruses that are capable of attacking your computer system. Understanding what a specific virus is will thus be the first step in detecting one when an attack is launched.


One might guess that the term Cerber is closely related to the mythological Cerberus, the Greek dog that had three heads and that guarded the gates of the underworld such that the dead were allowed entry while none was granted exit.  Somehow using this fashion, the Cerber ransomware acts by allowing you to boot your system, but not to the point where you can access and use your files.

Cerber ransomware is not a new kind of malware but is actually an encryption ransomware type that encrypts the data files of a targeted computer with AES-256 encryption, adding the .cerber extinction to the file names. Wide arrays of file extensions are targeted by the malware but file extensions like bootsect.bak, thumbs.db, iconcache.db, and wallet.db are exempted from the encryption.

Once the malware is downloaded into the targeted computer, it first checks to make sure that the computer is not located in some selected European countries, and these are also exempted from the attack. It then installs itself into the Applications data folder, thereby giving itself a random windows executable. After confirming that these countries are absent from the given list, the malware proceeds to attack by adding a configuration in the operating system that makes the computer start up, but only in safe mode.

This configuration also restricts how the boot sequence operates. Instead of the boot proceeding to completion and allowing you to access your computer desktop, the computer is forced to re-boot. This is made possible by the availability of a false system message written in the rogue code that tells the computer user that something’s not right and that the computer has to start up again.

Upon the second start up, the boot sequence goes through with no hitches. This is now when the malware executes itself to encrypt the attacked computer’s files using a JSON configuration for its setting. When the computer owner gets to his desktop, he will see a message stating that his files were encrypted and that he would need to pay some amount to purchase the decryption key. The files that will come under attack are mostly text files (.txt), HTML files (.html) and Visual Basic Scripting files (.vbs).

The message presented is in the form of notes, which also have a link to the site where the victim is expected to pay a specified amount of money for them to obtain the keys with which to decrypt the files. The ransom amount is paid with 1.24 Bitcoins which are equivalent to $500.  To speed up the payments, the malware attackers have given a deadline of seven days within which the payment is to be made, failure to which will lead to the doubling of the ransom amount.

Currently, the risk of getting your computer system under attack is increasing due to the fact that Cerber is being sold as Ransomware as a Service (RaaS) by underground forums in Russia. This means that cybercriminals, as well as other criminals with little knowledge on encryption and other technical computer functions, can easily purchase and launch attacks on vulnerable computer systems.


It is highly recommended that you strengthen your network shares security to limit the malware from spreading through the network. It is also highly recommended that you conduct regular data backups and follow the good old advice of deleting without clicking any suspicious files sent to your email, ignoring any unknown links to sites on the Internet and also having your antivirus software updated regularly to keep out rogue code form your computer system. Regular backups are in fact a sure way of dealing with Cerber ransomware since you won’t have to pay the attackers, but to just load your files again from the backup.

Experienced malware researches are currently collecting samples of the malware for analysis in order to come up with a way to help victims decrypt their files without paying the malware attackers.

[su_box title=”About David Balaban” style=”noise” box_color=”#336588″][short_info id=”64625″ desc=”true” all=”false”][/su_box]

Recent Posts