{
  "family": "cerber",
  "sample_count": 1792,
  "category": "ransomware",
  "description": "Cerber is a ransomware-as-a-service family active from 2016 to 2018 that became one of the most prevalent ransomware strains during that period, distributed through exploit kits, malspam, and the RIG and Magnitude EKs. It uses RSA-2048 plus RC4 encryption and is notable for its audio ransom note that reads the demand aloud. Cerber operators rapidly iterated through multiple versions to evade detection and decryption tools.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Cerber?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Cerber is a ransomware-as-a-service family active from 2016 to 2018 that became one of the most prevalent ransomware strains during that period, distributed through exploit kits, malspam, and the RIG and Magnitude EKs. It uses RSA-2048 plus RC4 encryption and is notable for its audio ransom note that reads the demand aloud. Cerber operators rapidly iterated through multiple versions to evade detection and decryption tools."
      }
    },
    {
      "@type": "Question",
      "name": "How does Cerber spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Cerber spreads through exploit kits like RIG and Magnitude, malicious email attachments, and as a secondary payload from other loaders."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Cerber infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Files renamed with .cerber, .cerber2, or .cerber3 extensions, ransom notes named _README_.hta, and a synthesized voice ransom message are signature indicators."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Cerber on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1486",
    "T1490",
    "T1083"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}