cerbersyslock

Also known as: cerbersyslock

CerBerSysLock first appeared in December 2017 as a cryptoransomware imposter, leveraging Cerber-style branding to deceive victims. It uses XOR-based encryption to lock files and appends extensions such as .CerBerSysLocked0009881. Victims receive a ransom note titled “HOW TO DECRYPT FILES.txt”, which falsely claims to be from the Cerber ransomware. The note includes an email contact—TerraBytefiles@scryptmail.com—and instructs victims to reference their ID (e.g., “CerBerSysLocked0009881”) when communicating. The ransomware is technically linked to the Xorist family and is generally considered an opportunistic, low-profile scam rather than part of a broader Ransomware-as-a-Service (RaaS) operation.

Introduction

CerBerSysLock first appeared in December 2017 as a cryptoransomware imposter, leveraging Cerber-style branding to deceive victims. It uses XOR-based encryption to lock files and appends extensions such as .CerBerSysLocked0009881. Victims receive a ransom note titled “HOW TO DECRYPT FILES.txt”, which falsely claims to be from the Cerber ransomware. The note includes an email contact—TerraBytefiles@scryptmail.com—and instructs victims to reference their ID (e.g., “CerBerSysLocked0009881”) when communicating. The ransomware is technically linked to the Xorist family and is generally considered an opportunistic, low-profile scam rather than part of a broader Ransomware-as-a-Service (RaaS) operation.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Cerberus RAT:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.