Cerber Ransomware: What You Need to Know

Cerber ransomware is a ransomware-as-a-service (RaaS) application that attacks your files by encrypting your important documents and database files. Learn how to protect your files and keep your data safe.
Michael Buckbee
2 min read
Published June 17, 2020
Last updated April 4, 2022

What is Cerber?

Cerber ransomware is ransomware-as-a-service (RaaS), which means that the attacker licenses Cerber ransomware over the internet and splits the ransom with the developer. For a 40% cut of the ransom, you can sign up as a Cerber affiliate and deliver all the Cerber ransomware you want. Most ransomware doesn’t use this service paradigm. Typically, an attacker would adapt and deliver the ransomware and keep all of the money. By setting up Cerber as RaaS, the developer and partner are able to send more attacks with less work.

Cerber is an example of evolved ransomware technology. The author of the ransomware offloads the work of finding targets and infecting systems to a partner in exchange for a cut of the profit. The partner gets a highly functional piece of software they are free to distribute, and bitcoin keeps the exchanges all anonymous and difficult to track.

How Do You Recognize Cerber Ransomware?

If the screenshot looks like your desktop wallpaper, you’ve been infected with the Cerber ransomware.

Of course, if you do see that screen, it might be too late to save your files. You can try to pay the ransom and hope they send you the decryption key, but many people don’t. Cerber, like ransomware in general, falls under the “an ounce of prevention is worth a pound of cure” paradigm. Your best bet is to avoid infection in the first place.

How Do You Remove Cerber Ransomware?

The best and most complete option to remove Cerber ransomware is to rebuild your operating system from a backup. If you have a recent backup, you’ll also be able to recover your encrypted files. As Ripley said, “Nuke it from orbit, it’s the only way to be sure.”

Current anti-virus programs can detect most ransomware, including Cerber, and prevent it from running. Once ransomware has started to encrypt your files, take the affected computer offline to prevent it from spreading to other computers or network drives.

One of Cerber’s particularly nasty tricks is that it’s easy to wrap inside other delivery mechanisms. For example, you could download a rootkit that can disable your anti-virus before it downloads and activates Cerber. After an infection, you can remove the Cerber ransomware, but that doesn’t necessarily mean you removed the malware that delivered the ransomware to your computer.

No matter what you do with the ransomware itself, you aren’t going to be able to get the files decrypted. Cerber uses RSA encryption, and it’s not feasible to crack that encryption in a timely manner – even for the most sophisticated computer. Hopefully, you have a good recent backup of your important documents.

How Do You Prevent Cerber Ransomware?

Cyberthieves distribute ransomware by phishing email or infected websites. The best way to prevent Cerber (or any ransomware) attacks is by practicing good cybersecurity. Here are a few tips:

  • Don’t get phished.
  • Keep your anti-virus software updated.
  • Back up your documents regularly.

Varonis DatAlert provides immediate response to limit ransomware attacks in progress that threaten your most important data.

Six Cerber Ransomware Statistics

  • At its peak in early 2017, Cerber accounted for 26% of all ransomware infections.
  • In July 2016, about 150,000 Windows users were infected by Cerber through 161 identified campaigns.
  • Cerber generated an estimated $2.3 million for attackers in 2016.
  • Cerber developers released updates almost weekly, which kept the ransomware out in the world for longer than usual.
  • In the first half of 2018, ransomware infections dropped by 42% and 50% for businesses and consumers, respectively.
  • There have been 0 reported Cerber ransomware attacks in 2018 as attackers move to newer ransomware like GandCrab, SamSam, and Spartacus.
