Cerber is ransomware that uses a ransomware-as-a-service (RaaS) model, where affiliates purchase and spread the malware and pay commissions to its developers. Per Malwarebytes, it uses strong encryption with no free decryptors available, may run silently during encryption, and may disable antivirus programs and system restoration to pressure victims into paying. It has been distributed through bundled software, email, and website vulnerabilities.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1486 T1490 T1566.001 T1204.002 T1071.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_CERBER {
meta:
description = "Detects Cerber (ransomware)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "cerber" ascii wide nocase
$s2 = "cerber" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Cerber Activity
id: 441670292af86e88473190e22f807d27
status: experimental
description: Detects generic indicators of the cerber malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*cerber*"
- "*cerber*"
condition: selection
level: mediumA ransomware-as-a-service family that encrypts files with strong cryptography and demands payment.
Through a RaaS model: affiliates buy and distribute it and pay commissions to the developers; distribution methods include bundled software, email, and website/software vulnerabilities.
Per Malwarebytes, Cerber uses strong encryption and there are no free decryptors available.
It may run silently during encryption and attempt to disable antivirus programs and system-restore features.
Avoid suspicious downloads and attachments, keep software patched, use reputable security software, and keep tested offline backups.
Malwarebytes maintains a Ransom.Cerber detection page, linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/cerber.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.