Cerber is a ransomware-as-a-service family active from 2016 to 2018 that became one of the most prevalent ransomware strains during that period, distributed through malspam and exploit kits such as RIG and Magnitude. It uses RSA-2048 plus RC4 encryption and is notable for its audio ransom note that reads the demand aloud. Cerber operators rapidly iterated through multiple versions to evade detection and decryption tools.
This family has been observed using the following ATT&CK techniques: T1486, T1490, T1083.
Cerber spreads through exploit kits like RIG and Magnitude, malicious email attachments, and as a secondary payload from other loaders.
Signature indicators are files renamed with .cerber, .cerber2, or .cerber3 extensions, ransom notes named _README_.hta, and a synthesized voice ransom message.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/cerber.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.