Skip to main content
Skip to main content
Microsoft Security

MSRT July 2016: Cerber ransomware

  • Microsoft Defender Security Research Team

(Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene.)


As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows Defender, and our ransomware-dedicated cloud protection features.

We started seeing Cerber in February 2016, and since then it has continuously evolved and is now one of the most encountered ransomware families – beating both Exxroute and Locky. The evolution is mostly based around the way in which Cerber is being distributed – with a focus on exploit kits, compromised websites, and email distribution.

When looking at data for the past 30 days, Cerber is the most detected ransomware, taking over a quarter of all ransomware infections.

Ransomware family Share
Cerber 25.97%
Exxroute 15.39%
Locky 12.80%
Brolo 11.66%
Crowti 9.97%
FakeBsod 9.19%
Teerac 3.94%
Critroni 3.72%
Reveton 2.86%
Troldesh 1.21%
Ranscrape 1.18%
Sarento 0.76%
Urausy 0.70%
Genasom 0.65%


Cerber is especially prevalent in the US, Asia, and Western Europe.

However, infections occur across the globe, and the following heat map demonstrates the geographical spread of infected machines:
Map showing highlighted areas in Eastern US, Western Europe, Asia, South America


Cerber infection chain

Cerber can enter your system or PC either through downloaders from spam email or exploits on malicious or compromised sites.

Diagram showing spam email using macro and scripts to install cerber onto a PC

When delivered via spam, we’ve seen the use of both macros and OLE objects to deliver Cerber. We described how malware authors can maliciously use OLE in our blog “Where’s the macro?“, and we’ve previously talked about how macros have been used to deliver malware (although new features in Office 2016 has seen a decrease in macro-based malware).

In this case, we’ve seen malicious files using VisualBasic Script (VBS) and JavaScript to download Cerber from a command and control (C2) server. We’ve also seen malicious macros both downloading Cerber, and dropping VBS scripts that then download Cerber.

The other infection vector – exploit kits – occurs when a user visits a malicious or compromised website that hosts an exploit kit. The exploit kit checks for vulnerabilities on the PC, and tailors an infection to target those vulnerabilities. This allows the exploit kit to download Cerber onto the PC.

Neutrino, Angler, and Magnitude exploit kits have been identified as distributing Cerber.


Cerber updates

As with most other encryption ransomware, Cerber encrypts files and places “recovery” instructions in each folder. Cerber provides the instructions both as .html and .txt formats, and replaces the desktop wallpaper.

Cerber, however, also includes a synthesized audio message.

We described the Cerber infection process in detail in our blog “The three heads of the Cerberus-like Cerber ransomware“.


Screencap showing a long note explaining how a user was infectedThere have been some updates to this family, however, including a much more detailed description of how ransomware encryption works, and how users can recover their files.

Note that the ransom message now makes claims about Cerber attempting to help make the Internet a safer place, and they don’t mention the payment of fees or ransom to decrypt your files.

Upon investigation, however, we have determined (as of July 8, 2016) that they are asking for a ransom in the form of bitcoins, as shown in the following screenshot of the Tor webpage:

Note showing that Cerber is request bitcoin payment to decrypt files


The Cerber desktop wallpaper has also been updated:

Grey wallpaper with a few lines of black text showing links to decrypt files



To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive
  • Download and apply security patches associated with the exploit kits that are known to distribute this ransomware (for example: Neutrino).
  • Enable file history or system protection. On Windows 10 and Windows 8.1, set up a drive for file history
  • Use OneDrive for Business
  • Beware of phishing emails, spams, and clicking malicious attachment
  • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs
  • Disable your Remote Desktop feature whenever possible
  • Use two factor authentication
  • Use a safe Internet connection
  • Avoid browsing web sites that are known for being malware breeding grounds (such as illegal music, movies and TV, and software download sites)



In the Office 365 blog “How to deal with ransomware“, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.

You can also use OneDrive and SharePoint to backup and restore your files:


Carmen Liang and Patrick Estavillo



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.