{
	"id": "e2400e71-665b-4618-a0a4-b04f1c03d55f",
	"created_at": "2026-04-06T00:19:10.622993Z",
	"updated_at": "2026-04-10T03:36:25.370481Z",
	"deleted_at": null,
	"sha1_hash": "256f89f1dac8177b0065ab4949c4f2f732f3cf5e",
	"title": "Cerber ransomware: new, but mature",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 749778,
	"plain_text": "Cerber ransomware: new, but mature\r\nBy hasherezade\r\nPublished: 2016-03-10 · Archived: 2026-04-05 20:32:16 UTC\r\nRansomware authors seem to love mythological creatures. We have seen Chimera; now we will take a look at Cerber. Both are named after powerful beasts and both are prepared in a professional way. As SenseCy states (source), Cerber is sold to distributors on underground Russian forums.\r\nThis malware is often distributed via Exploit Kits (read more here).\r\nUPDATE: Checkpoint released a decryption tool working for some cases of Cerber\r\nAnalyzed samples\r\nf5146a3bbe6c71e5a0ef2f04f955b1a1\r\n2f7059d7b1dda3080e391d99788fff18\r\npayload: 9a7f87c91bf7e602055a5503e80e2313 \u003c- main focus of this analysis\r\nBehavioral analysis\r\nAfter being deployed it disappears and runs its dropped copy (renamed to [a random word].exe) from the hidden folder created in %APPDATA%. The name of the folder is specific to a particular sample – in the analyzed one it is: {BD674CFA-429A-0ACF-A3F2-C895D363964E}.\r\nSome observed file names: csrstub.exe, dinotify.exe, ndadmin.exe, setx.exe, rasdial.exe, RelPost.exe, ntkrnlpa.exe\r\nThe dropped file has an edited creation timestamp.\r\nIt also creates a link to the dropped malware in: %APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup:\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/\r\nPage 1 of 14\r\nLooking via Process Explorer we can see the dropped sample deploying new instances (this is used in order to divide the work of encrypting files).\r\nRegistry keys\r\nThe malware makes changes in the Windows registry.\r\nTwo entries (Component_00, Component_01) are dropped in PrintersDefaults:\r\nComponent_01 contains some binary data in base64:\r\nRegistry keys for persistence are added in various places, e.g.:\r\nHKEY_USERS -\u003e [current user’s SID]:\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\Run”\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce”\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer” -\u003e “Run”\r\n“Software\\Microsoft\\Command Processor” -\u003e “AutoRun”\r\nHowever, when the encryption finishes successfully, the dropped sample is deleted.\r\nEncryption process\r\nCerber can encrypt files in offline mode – it means it doesn’t need to fetch the key from the CnC server. Files that have been encrypted are fully renamed and appended with the extension typical for this ransomware: .cerber.\r\nPattern of the name: [0-9a-zA-Z_-]{10}.cerber\r\nThe encrypted content has a high level of entropy and no patterns are visible. Below: visualization of the bytes of square.bmp: left – original, right – encrypted with Cerber:\r\nThe content of the encrypted file is different on every encryption – probably keys are dynamically generated. After encryption the size of the file content is increased by about 384 bytes* – it may suggest that the RSA-encrypted AES key is appended to the file (*depending on the file this value may vary a bit, probably because of various padding).\r\nAfter executing it displays a ransom note in two forms: HTML and TXT. The note is available only in English. Example below:\r\nC E R B E R\r\nYour documents, photos, databases and other important files have been encrypted!\r\nAt the bottom of the ransom note the attackers added a quote in Latin: «…Quod me non necat me fortiorem facit.» (“What doesn’t kill me, makes me stronger”). We can only speculate what they wanted to convey – to share their own motto, or to console the victim of the attack?\r\nIt also comes with a VB macro that is supposed to speak the message aloud with the help of the local text-to-speech engine:\r\nSet SAPI = CreateObject(\"SAPI.SpVoice\")\r\nSAPI.Speak \"Attention! Attention! Attention!\"\r\nFor i = 1 to 5\r\nWebsite for the victim\r\nEach victim has a Web page that can be accessed via Tor. Although the ransom note is available only in English, the Tor website can be customized to several languages:\r\nThese pages contain further instructions for the victim and support for managing payments. The time to an increase in the ransom price is counted from the first access to this website.\r\nTo decrypt your files you need to buy the special software - \u003c\u003e.\r\nNetwork communication\r\nCerber can manage well without a CnC and accomplish its task offline. However, if given the opportunity, it can communicate with the CnC in order to send statistics from the encryption process.\r\nFirst, it fetches geolocation info (in JSON format) of the local computer by querying a genuine service: http://ipinfo.io/json\r\nThen, we can observe it sending UDP requests to a predefined range of IP addresses:\r\nInside\r\nCerber samples come packed by some crypters/FUDs, so the code is not readable at first. Even when we unpack the core (i.e. 9a7f87c91bf7e602055a5503e80e2313), only a few strings are readable. This is caused by the fact that the authors decided to encrypt the strings and decrypt them just before usage. Example:\r\nThe decrypting function takes the following parameters:\r\ndecrypt_string(char* input_buffer, DWORD input_length, DWORD key, BOOL is_unicode)\r\nOne of the few strings that hasn’t been encrypted was a check against anti-malware vendors (one of them is Malwarebytes). The list of vendors is in JSON – this format has been used extensively by Cerber.\r\nAnother interesting unencrypted string was a log, showing the statistics from encryption (this feature is used if the malware is deployed in debug mode):\r\nConfiguration file\r\nCerber comes with an encrypted resource, stored as RC Data. It is decrypted by a dedicated function:\r\nAfter decryption, it turns out to be a configuration in JSON format (you can see it in full here):\r\nThe configuration is rich in options. It contains, among others:\r\na blacklist used to exclude some countries, languages, file names and directories from the attack\r\na list of attacked extensions\r\nenvironment checks that are enabled\r\nwhether or not to deploy the sample in debug mode\r\nencryption settings and output extension\r\npublic RSA key in base64 (decoded).\r\nfiles with the ransom note to be dropped\r\nlist of services used to obtain geolocation\r\nrange of IPs where to send statistics (compare with the IPs described in the section ‘Network communication’)\r\nformat of statistics to be sent\r\nDistributors can customize many things with the help of the config file. Changing the full look-and-feel of the malware – attacked extensions, ransom note and even the extension of encrypted files – can make it appear like a new product. This flexibility made me wonder if the same package is not being distributed in a different campaign – not as Cerber, but under some other name.\r\nThe distributor of the analyzed sample decided to exclude several countries from the attack (Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan). It will also spare your default Windows directories, Tor browser and Bitcoin wallet.\r\nLoading the key\r\nThe sample comes with a public RSA key shipped in the configuration file (described in the previous section). Below – decoding the public key from Base64:\r\nThe key is imported using the function CryptImportPublicKeyInfo.\r\nThe configuration mentioned “rsa_key_size”: 576 – but it turns out to be a 2048-bit key (BLOB size – 276 bytes).\r\nInstallation\r\nThe file name of the dropped sample is created in a pretty interesting way. It is not fully random, but based on the name of some file existing in the system, which is searched for using a random filter (format: “[random char]*[random char].exe”, e.g. “p*h.exe”):\r\nThe found file is compared with a built-in blacklist. When it passes the check, it is chosen as the new name of the dropped copy of the malware.\r\nIn order to prevent the user from finding the malicious file by its creation timestamp, the timestamp is changed to that of kernel32.dll existing on the local system.\r\nAfter the successful installation, the initial malware sample terminates and deploys the dropped copy instead.\r\nUAC Bypass\r\nCerber uses tricks to bypass Windows User Account Control (UAC) and deploy itself with elevated privileges. It is achieved by the following steps:\r\n1. Search for an executable in C:\\Windows\\system32 that can auto-elevate its privileges.\r\n2. Search its import table for a DLL that can be hijacked.\r\n3. Copy the DLL into the %TEMP% folder and patch it – add code in a new section and patch the entry point in order to redirect execution there. It will be used in order to run the Cerber sample with elevated privileges. It uses: WinExec(“[cerber_path] -eval 2524“, SW_SHOWNORMAL)\r\n4. Inject the code into explorer.exe – it is responsible for executing the UAC bypass. It creates a new folder in C:\\Windows\\system32 and copies there both files – an EXE and the patched DLL – under their original names, then it deploys the EXE, causing the DLL to load and execute the malicious code.\r\n5. When the UAC bypass is executed successfully, it is signaled to the original Cerber sample by setting a property cerber_uac_status – added to a Shell_TrayWnd. Then, the original sample deletes the dropped files and exits. Otherwise, it tries the same trick with a different pair of EXE + DLL.\r\nSee below how it looks in action:\r\nFirst, it searches for an application that can be used to elevate privileges. The check is based on the fields in the application manifest:\r\ntrue\r\nAmong its imported DLLs it searches for a candidate suitable to be hijacked. This DLL is copied into the %TEMP% folder.\r\nThen, it creates a suspended process of explorer.exe, allocates memory in its context and injects its own code there. Details are given below.\r\nInjection into explorer is performed in several steps. First – the malware copies memory from the context of the current process into the context of explorer.exe. The current image of the Cerber sample is replicated into memory allocated in explorer at 0x70000. Similarly, the page containing the filled data is copied at offset 0x91000 in explorer.\r\nIn order to run the injected code when explorer.exe is resumed, the malware patches the carrier’s Entry Point:\r\nNow, Explorer’s execution starts from the call to the injected code. It is a function of the Cerber sample – at RVA 0x55E1, called with the parameter 0x91000 – a pointer to the memory page containing various dynamically loaded data, like function handlers, paths of the files to be used, etc. From inside this code injected into explorer, the DLL patched for the UAC bypass is copied under its original name – along with the appropriate EXE. The executable is deployed (using ShellExecuteExW) and along with it, the patched DLL also runs.\r\nThe d3d9.dll is used in order to run the Cerber sample with elevated privileges. The Entry Point of the DLL is patched with a jump to the new section.\r\nThe new section contains the code that is supposed to execute the Cerber sample:\r\nA successful UAC bypass is signaled by setting a property named “cerber_uac_status” in a found window of the class “Shell_TrayWnd”. The initial Cerber sample waits for this status to change. If the timeout passes and it hasn’t changed, it makes a new attempt at the UAC bypass – using a different pair (EXE+DLL). Otherwise it cleans up the environment and terminates. Infection proceeds from inside the elevated sample.\r\nIn case the UAC level is set to default (or lower), Cerber can bypass it silently. However, in case it is set to the highest, the following alert pops up:\r\nIt keeps reappearing till the user clicks “Yes”:\r\nConclusion\r\nCerber is a pretty powerful ransomware written with attention to details. This analysis highlighted only some of the elements. It has rich customization options and various tricks to make analysis harder. Although this product appeared recently, for sure its authors are not new in the field of malware development. We can expect it will be gaining popularity and may carry some new tricks in the future.\r\nAppendix\r\nhttp://www.bleepingcomputer.com/forums/t/606583/cerber-ransomware-decrypt-my-files-vbs-txt-html/ – thread about Cerber on the Bleeping Computer forum\r\nhttp://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/"
	],
	"report_names": [
		"cerber-ransomware-new-but-mature"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775792185,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/256f89f1dac8177b0065ab4949c4f2f732f3cf5e.pdf",
		"text": "https://archive.orkl.eu/256f89f1dac8177b0065ab4949c4f2f732f3cf5e.txt",
		"img": "https://archive.orkl.eu/256f89f1dac8177b0065ab4949c4f2f732f3cf5e.jpg"
	}
}