Cerber
Cerber is a ransomware family and early ransomware-as-a-service (RaaS) operation active since at least 2016. Multiple sources in the content describe Cerber as a partnerka/RaaS platform operated by the actor "crbr," which distributed Cerber builds to affiliates in exchange for a share of ransom revenue. Affiliates were reported to spread Cerber through vectors including spam and malvertising, and Cerber was also delivered by the Magnitude exploit kit. Magnitude later replaced Cerber with Magniber in 2017.
The malware is primarily associated with file encryption and ransom-note delivery. Older Cerber variants are described as using the extension ".locked" and HTML ransom notes such as "$$RECOVERYREDME$$.html." Newer activity observed in late 2023 used the extension ".L0CK3D" and dropped text ransom notes named "read-me3.txt." Trend Micro identified the 2023 samples as Cerber based on strong similarity to older Cerber payment-site content and interface text, despite these note and extension differences.
Cerber has been observed using blockchain-related infrastructure in some versions. The content states that Cerber versions 4.1.0 and later used BlockCypher over HTTP to retrieve Bitcoin-address transaction information via api.blockcypher.com. This is explicitly contrasted with a separate .NET downloader that used Ethereum transaction data and was only noted as analogous to Cerber’s BlockCypher usage.
Recent reporting in the content links Cerber to exploitation of Atlassian Confluence vulnerability CVE-2023-22518. Trend Micro reported attackers exploiting this improper-authorization flaw in Confluence Data Center and Server to gain access, execute an encoded PowerShell downloader, retrieve and decrypt the payload, and encrypt files with the ".L0CK3D" extension while dropping "read-me3.txt" ransom notes. The same reporting also observed Linux bash scripts, including "bapo.sh," used to deploy a Linux Cerber variant. Separate reporting from Cado Security Labs describes a Linux Cerber variant also referred to as C3RB3R: attackers exploited CVE-2023-22518 to reset Confluence and create a new administrator account, deployed the Effluence web shell plugin for command execution, then staged heavily obfuscated UPX-packed 64-bit ELF Cerber payloads. Those payloads acted as a stager, attempted to create /var/lock/0init-ld.lo, contacted 45.145.6.112 to fetch additional components, logged to /tmp/log.0 and /tmp/log.1, searched for encryptable directories, dropped ransom notes, and encrypted files with the ".L0CK3D" extension. In default Confluence deployments, impact may be limited to files owned by the low-privilege "confluence" user, though the Confluence datastore can still be encrypted.
The content also mentions infrastructure associations: IP 194.165.16[.]80 was described as a repurposed Cobalt Strike C2 that also had recent Cerber ransomware samples as late as October 2023, and 194.165.16[.]64 and 194.165.16[.]92 were likewise reported as having been used by Cerber ransomware. More broadly, Cerber is repeatedly cited as a prominent ransomware family in historical reporting, including botnet-controller and ransomware trend analyses from 2016 and 2017.
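As an added defender's triage example (not code from this page, Trend Micro or Cado Security Labs), the Python script below walks a Linux host or a mounted image and reports the host artifacts the Linux Cerber reporting above names: files carrying the .L0CK3D extension, read-me3.txt ransom notes, the /var/lock/0init-ld.lo lock file and the /tmp/log.0 and /tmp/log.1 log files. The demo tree it builds is constructed sample data, and its confluence-home directory is a placeholder for the Confluence datastore, not a real path.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".L0CK3D"  # extension appended by the 2023 Cerber samples
RANSOM_NOTE = "read-me3.txt"  # ransom note dropped beside encrypted files
STAGER_ARTIFACTS = ("var/lock/0init-ld.lo", "tmp/log.0", "tmp/log.1")  # Linux stager side effects, relative to the scanned root

def triage_cerber_linux(root, max_examples=5):
    rootp = Path(root)
    found = {"encrypted_files": 0, "encrypted_examples": [], "ransom_notes": [],
             "stager_artifacts": [], "affected_dirs": set()}
    for rel in STAGER_ARTIFACTS:
        if (rootp / rel).exists():
            found["stager_artifacts"].append(rel)
    for dirpath, _dirs, files in os.walk(rootp):
        for name in files:
            path = str(Path(dirpath) / name)
            if name.endswith(ENCRYPTED_EXT):
                found["encrypted_files"] += 1
                found["affected_dirs"].add(dirpath)
                if len(found["encrypted_examples"]) < max_examples:
                    found["encrypted_examples"].append(path)
            elif name == RANSOM_NOTE:
                found["ransom_notes"].append(path)
    found["affected_dirs"] = sorted(found["affected_dirs"])
    if found["encrypted_files"] or found["ransom_notes"]:
        found["verdict"] = "encryption observed"
    elif found["stager_artifacts"]:
        found["verdict"] = "stager artifacts only"  # payload staged, encryption not seen yet
    else:
        found["verdict"] = "no Cerber artifacts"
    return found

def build_demo_tree(base):
    """Constructed sample tree imitating a post-incident Confluence host (not real data)."""
    for rel in STAGER_ARTIFACTS:
        (Path(base) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(base) / rel).write_text("constructed\n")
    data = Path(base) / "confluence-home"  # placeholder for the Confluence datastore
    data.mkdir()
    for i in range(3):
        (data / f"attachment{i}.bin{ENCRYPTED_EXT}").write_bytes(b"\x00" * 16)
    (data / RANSOM_NOTE).write_text("constructed ransom note\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # findings are returned, the tree is removed
        build_demo_tree(tmp)
        return triage_cerber_linux(tmp)
```

Run triage_cerber_linux against the root of a mounted forensic image rather than the live host where possible; the "stager artifacts only" verdict is the window in which the stager has landed but encryption has not yet run.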
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Google TAG Team discovered CVE-2019-1367 exploited in the wild by a threat actor... CVE-2019-1367 enables Remote Code Execution (RCE) in the context of Internet Explorer in all versions 8, 9, 10 and 11 due to a memory corruption in jscript.dll... Microsoft released a patch and encouraged users to disable jscript.dll.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
This method is used by ransomware strains like Cerber, operated by the threat actor crbr, who distributes builds of Cerber to the affiliates... These affiliates then spread Cerber themselves through vectors like spam or malvertising...
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
1 technique
Command and Control
2 techniques
This function used the public Ethereum API of “blockcypher.com” in order to get the last Transaction ID related to the hardcoded Ethereum address... The “blockcypher.com” Ethereum API is used again to retrieve the transaction information and the malicious URL is extracted from the JSON “script” field. | As part of our research into how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyzed a DotNet downloader that retrieves the malicious payload from URLs stored inside Ethereum transactions.
Impact
1 technique
While WannaCry might be seen as a failed operation from a financial perspective for the attackers ... the epidemic has raised the profile of ransomware; both to the general public and likely for the cybercriminal fraternity as well. Ransomware has already experienced great success ... because it simply works. People will pay ransom demands to get their encrypted files back.
IOCs tracked for this family
23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware family mentioned as one of the payloads delivered by Magnitude Exploit Kit.
A ransomware-as-a-service platform cited as an early pioneer of the RaaS model.
Ransomware family referenced as an example of recognized ransomware strains.
Linux-targeting Cerber ransomware deployed on vulnerable Atlassian Confluence servers via CVE-2023-22518. Uses obfuscated C++ ELF payloads packed with UPX; acts as a stager to download additional components from a C2, then encrypts files and drops ransom notes, appending the .L0CK3D extension.