Threat Research

Cerber Ransomware Marks Its Presence in the Wild, Catches up with CryptoWall and Locky

FortiGuard Labs uses the data it gathers from its over 2 million security sensors to keep an eye on trends related to ransomware--one of the areas of greatest concern when it comes to cyber security threats today.

As a result of this effort, we previously talked about Locky’s rapid rise in prevalence in the first two weeks of its appearance. This time, we have observed yet another new ransomware family – Cerber – to be rapidly gaining prevalence in the wild.

We gathered FortiGuard Intrusion Prevention System (IPS) telemetry statistics of widespread ransomware families from April 1, 2016 to May 15, 2016 and collected over 68.5 million hits in total. While a relatively new threat, Cerber appeared to be the 3rd most prevalent ransomware for the first half of Q2 2016:

Figure 1. Distribution of ransomware hits from FortiGuard IPS telemetry

What is Cerber?

Cerber is a new ransomware family that appeared in the middle of Q1 of this year. It is best known as a family of ransomware that reads out its ransom message to the user after it has infected a device. Upon execution, it encrypts files with the file extension “.cerber” and drops a ransomware message in HTML and TXT format:

Figure 2. Folder affected by Cerber ransomware

It then displays the following message to an affected user:

Figure 3. Ransomware displayed by Cerber

To aid in reading out its ransomware message, it uses its dropped VBScript component that contains the following code:

Figure 4. Cerber VBScript component

This routine adds a layer of scare tactic to the ransomware in order to increase the likelihood of a victim paying the ransom.


Cerber appears to have become highly active starting in March of 2016. In fact, we have recently observed that Cerber is also very prevalent in Japan:

Figure 5. Cerber’s activity trend from January 1, 2015 to May 16, 2016

While CryptoWall remains the most dominant threat from our statistics, the daily records for the first half of Q2 2016 shows that Cerber exceeded CryptoWall infections on multiple occasions:

Figure 6. Cerber, CryptoWall and Locky’s daily activity trend from April 1, 2016 to May 15, 2016

Below are the top 10 affected countries with US, Taiwan, and Japan as the top 3 most affected region:

Figure 7. Top 10 countries affected by Cerber for April 1, 2016 to May 15, 2016

A heat map of all affected countries is as follows:

Figure 8. Heatmap of countries affected by Cerber from April 1, 2016 to May 15, 2016

Fortinet’s Response

The antivirus functions of FortiGate, FortiMail, FortiWeb, FortiSandbox, and FortiClient detect and block this malware based on the following signatures and detection results. Fortinet's patented CPRL technology identifies the malicious behavior typical of malware, making it possible for it to detect and block unknown malware variants which use code defined in general CPRL signatures such as W32/Generic and W32/Kryptik.

FortiGate's application control function can also detect and block the Botnet protocol used by Cerber activity via the Cerber.Botnet signature.

Fortinet recommends that organizations use defense in depth protection, and not just enable antivirus functions alone, to protect their systems from advanced attacks using a variety of vectors for infection, spreading, and control.

In addition to gateway protection, end point security such as FortiClient is critical in protecting against infection via encrypted transmissions and infected USB memory sticks. Internal segment firewall (ISFW) and web filterfunctions are also important to prevent and contain infection activity within systems and C&C transmissions with outside systems.

Kenichi Terashita and the FortiGuard Lion Team


Added files:
%Desktop%# DECRYPT MY FILES #.html
%Desktop%# DECRYPT MY FILES #.txt
%Desktop%# DECRYPT MY FILES #.vbs
{Affected folder}# DECRYPT MY FILES #.html
{Affected folder}# DECRYPT MY FILES #.vbs
{Affected folder}# DECRYPT MY FILES #.txt
{Affected folder}{random characters}.cerber

Added registries:
HKEY_CURRENT_USERControl PanelDesktop
SCRNSAVE.EXE = "%AppData%{GUID}{random}.exe"

HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor
AutoRun = "%AppData%{GUID}{random}.exe"

Run = "%AppData%{GUID}{random}.exe"

{random} = "%AppData%{GUID}{random}.exe"

{random} = "%AppData%{GUID}{random}.exe"

Join the Discussion