Barkly vs Malware
Barkly Research
Mar 2017

Stopping Cerber Ransomware During Runtime

Cerber is one of the most prolific strains of ransomware, and it's been recently updated to target businesses, specifically. See how Barkly prevents Cerber from encrypting files by stopping it during runtime.

Cerber Ransomware Overview

Since its first appearance in February 2016, Cerber has become one of the most active ransomware families. Its growth has been partially driven by its launch as a ransomware-as-a-service (RaaS) operation. Rather than distributing Cerber solely on their own, the developers behind the ransomware allow any would-be criminal to use it in exchange for a portion of the ransom profits.

For more details on the rise and evolution of Cerber, along with the latest attack statistics, see our post Cerber Ransomware: Everything You Need to Know.

Quick Facts

  • Cerber has been observed encrypting victim files using RSA, RC4, and AES encryption. Unfortunately, there is currently no decryption tool for Cerber available.
  • Cerber replaces encrypted file names with encrypted versions that have a random four character extension.
  • Cerber infections leave behind a README.hta ransom note file.
  • In addition to encrypting local files, Cerber has the ability to scan for and encrypt unmapped network shares.
  • Cerber can also kill running database processes in order to successfully encrypt database files.
  • Like other ransomware, Cerber deletes Shadow Volume Copies to make recovering encrypted data more difficult.
  • Some versions of Cerber do not need an active internet connection to encrypt victim files.

How Cerber is Being Delivered

Cerber has primarily been distributed via phishing campaigns, which deliver the ransomware via macro-based downloaders hidden in Microsoft Office docs, and via exploit kits, which utilize zero-day vulnerabilities in programs like Flash.

Stopping Cerber with Barkly's Runtime Malware Defense

Barkly utilizes runtime malware defense (RMD) to stop Cerber ransomware infections before files are encrypted or any other damage is done (see it in action in the video above). By monitoring activity across mulitple layers of the system in real-time, Barkly can see when malware like Cerber is attempting to gain execution by suspicious means.

In this example, Barkly blocked Cerber as it was performing entry point modifcation, a tactic malware uses to hollow into another process to avoid detection. As a result, Barkly was able to stop Cerber at the earliest stage of the attack, before it could do any harm.

Why blocking malware during runtime matters

By detecting and blocking malicious behaviors like process injection in real-time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.

That gives organizations crucial protection they're currently missing — another opportunity to block an attack even after a user has mistakenly opened an infected document, visited an malicious website, etc., and even after it's bypassed their AV.

Learn more about how RMD works here.

Barkly Research

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.