c3rb3r

Also known as: c3rb3r

Cerber ransomware, active since 2016, has resurfaced occasionally using the name C3RB3R. It operates as a semi-private Ransomware-as-a-Service (RaaS) and targets both Windows and Linux environments. Cerber typically uses AES + RSA cryptographic methods and appends the .L0CK3D extension to encrypted files. It executes operations via phishing, malicious macros, and has even leveraged vulnerabilities such as Atlassian Confluence’s CVE-2023-22518 for deployment. Victims are directed to Tor-hosted payment portals for decryption instructions.

Introduction

Cerber ransomware, active since 2016, has resurfaced occasionally using the name C3RB3R. It operates as a semi-private Ransomware-as-a-Service (RaaS) and targets both Windows and Linux environments. Cerber typically uses AES + RSA cryptographic methods and appends the .L0CK3D extension to encrypted files. It executes operations via phishing, malicious macros, and has even leveraged vulnerabilities such as Atlassian Confluence’s CVE-2023-22518 for deployment. Victims are directed to Tor-hosted payment portals for decryption instructions.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.