Types header





Encryption Type

AES-256 encryption

Short Description

Encrypts the file name and appends it with .cerber; drops a

.vbs file that makes the computer speak to the victim


 The cerber ransomware changes the desktop background, once the files are encrypted.

Distribution Method

Trojan Horse, Email attachment




More Details

The cerber enters into the victim’s device through Trojan horse virus, email attachment. Once inside the victim’s system the ransomware starts to scan the device and makes a compiling list of most accessed files. This is capable of attacking both hard drive and removable flash drives, so never plug in any removable disk when your system is corrupted. The encryption process is done via public key and a private key. Without internet connection these process cannot be done, this means that offline computers are safe from this impact, the system will be dormant until it is connected to the remote server.

During encryption the ransomware will scan the victim’s drive some of their extension are as given below.



The major thing in cerber is that it will create 3 ransom note on the victim desktop and they will be named as Decrypte my files.html. when this is clicked on a tor link is opened.


This is the ransom note provided by the attacker in the vitim’s desktop

The major difference in this cerber is that one of the note is bit special , it contains a .vbs file that will cause the victim’s computer to speak with them


This is the vbs script that interacts with the victim.


Regarding the decryptor

This page has 12 languages once the language is selected the note is given for how to make the payment, if the ransom is not paid within 7days then the ransom value is doubled. Once the victim pays the ransom then the files are decrypted and given back to them.