Threats 101
Barkly Research
Mar 2017

Cerber Ransomware: Everything You Need to Know

Of all the new ransomware strains that burst onto the scene in 2016, Cerber stands out in several notable ways...


Not only has it introduced several innovations on the technical side (adding the ability to work offline, to kill and encrypt databases, etc.), it has also become one of the most prominent early drivers of ransomware-as-a-service (RaaS).  

Instead of distributing Cerber solely themselves, the developers behind the ransomware have made it available to any would-be criminal willing to part with a portion of the profits. 

Thanks in part to this “affiliate program” Cerber has gained widespread distribution, becoming one of the most prolific ransomware families. Let's look at some of the stats behind its rise.

Cerber Ransomware Statistics


150,000 Windows users were infected in July 2016 alone

During the month of July researchers at Check Point tracked a total of 161 active Cerber ransomware campaigns delivered via exploit kits which successfully infected roughly 150,000 users worldwide.

cerber exploit kit infections map.jpg

Source: Check Point

Cerber is estimated to generate $2.3 million a year

Check Point researchers also estimated Cerber netted attackers roughly $195,000 in July of 2016, putting it on track to be a $2.3 million-dollar annual source of income for criminals to pocket or fund more attacks.

For a 40% cut of the profits, anyone can deploy Cerber

Cerber’s ransomware-as-a-service model allows “affiliates” to distribute the Cerber ransomware software in exchange for 40% of each ransom amount paid.

cerber ransomware as a service.jpg

Source: Check Point

Cerber accounted for 1/4 of ransomware activity in late December 2016 and early January 2017

That placed it ahead of Locky (the most active ransomware of 2016) and all other ransomware strains in terms of infections. It should be noted, however, that timeframe also corresponds with the temporary disappearance of the Necurs botnet — one of the primary drivers of Locky distribution).

cerber ransomware stats.png

Source: Microsoft

New updates for Cerber have been released every 8.4 days on average

According to this report on ransomware events from David Balaban at Privacy PC Cerber developers have been able to ship updates to the ransomware that adds new features and help it evade detection nearly once every week. 


Cerber Ransomware FAQ


How do you get infected with Cerber ransomware?

As with most ransomware, the most common attack vectors are phishing emails and exploit kits. It's been popular for attackers to leverage infected Microsoft Office docs that utilize macros, but the truth is new delivery methods are being developed all the time. 

For an in-depth breakdown of how ransomware is typically delivered, see our Complete Guide to Ransomware

How does Cerber encrypt files and spread?

Cerber utilizes RC4 and RSA algorithms for file encryption. 

Earlier version of Cerber renamed encrypted files with a .cerber extension. Newer versions now add a random file extension.

Cerber also sports several novel features:


Is it possible to decrypt files encrypted by Cerber?

Unfortunately, while decryption tools were temporarily available for previous versions of Cerber, none currently exist for the most recent versions. Recovery options are limited to restoring from backup.


Preventing Cerber Infections

Because no decryption tool exists — and because putting the fate of your files (and possibly your job) solely in the hands of backup isn’t exactly the most thrilling prospect — the best way to protect your organization from Cerber ransomware is to:

  1. Prevent it from landing on machines in the first place (train your employees how to spot phishing emails and not to open email attachments if something feels off)
  2. Stop it at runtime like Barkly does in the video below:


Barkly’s runtime malware defense (RMD) serves as a last line of protection that blocks Cerber and other ransomware attacks even if a user accidentally initiates them. 

Learn more about how it works here.

Barkly Research

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.