Cerber

Category: ransomware · Aliases: Cerber · Sample count (EMBER 2018): 1,792 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

Cerber is ransomware that uses a ransomware-as-a-service (RaaS) model, where affiliates purchase and spread the malware and pay commissions to its developers. Per Malwarebytes, it uses strong encryption with no free decryptors available, may run silently during encryption, and may disable antivirus programs and system restoration to pressure victims into paying. It has been distributed through bundled software, email, and website vulnerabilities.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1486 T1490 T1566.001 T1204.002 T1071.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_CERBER {
    meta:
        description = "Detects Cerber (ransomware)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "cerber" ascii wide nocase
        $s2 = "cerber" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Cerber Activity
id: 441670292af86e88473190e22f807d27
status: experimental
description: Detects generic indicators of the cerber malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*cerber*"
            - "*cerber*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Cerber?

A ransomware-as-a-service family that encrypts files with strong cryptography and demands payment.

How is Cerber sold and spread?

Through a RaaS model: affiliates buy and distribute it and pay commissions to the developers; distribution methods include bundled software, email, and website/software vulnerabilities.

Is there a free Cerber decryptor?

Per Malwarebytes, Cerber uses strong encryption and there are no free decryptors available.

How does Cerber avoid detection?

It may run silently during encryption and attempt to disable antivirus programs and system-restore features.

How can I protect against Cerber?

Avoid suspicious downloads and attachments, keep software patched, use reputable security software, and keep tested offline backups.

Where can I read an authoritative source on Cerber?

Malwarebytes maintains a Ransom.Cerber detection page, linked on this page.

Related Families (Category: ransomware)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/cerber.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.