Cerber2021 Ransomware Back in Action

Sophisticated Ransomware targeting Windows and Linux Users

Zero-day exploits or recently patched/unpatched vulnerabilities are attractive targets for Threat Actors (TAs) to deploy malware efficiently. TAs leverages these vulnerabilities and exploits them to deliver the various types of malware to steal sensitive information for financial gain.

On June 11th, 2022, Microsoft tweeted a post where they mentioned that CVE-2022-26134 was being exploited to download and deploy the Cerber2021 ransomware (also known as “CerberImposter”).

TAs could exploit this Object-Graph Navigation Language (OGNL) injection vulnerability to take control of vulnerable servers. If it is successfully exploited, the vulnerability allows unauthenticated attackers to take control of unpatched servers remotely by creating new admin accounts and running arbitrary code on a Confluence server to deliver Cerber2021 ransomware.

Figure 1 – Microsoft’s Tweet about Cerber2021 Ransomware

Cerber is Ransomware-as-a-Service (RaaS), identified in the year 2016. In 2017, Cerber ransomware accounted for 26% of total ransomware infections. In 2018, the TAs belonging to Cerber moved to build other ransomware such as GandCrab, SamSam, and Spartacus.

In December 2021, researchers identified a new version of Cerber ransomware targeting both Linux and Windows users. In this infection, Cerber2021 was delivered by targeting the vulnerabilities in the Confluence and Gitlab servers. These vulnerabilities are tracked as CVE-2021-26084 and CVE-2021-22205, respectively.

Technical Analysis

The sample hash (SHA256), f301501b4e2b8db73c73a604a6b67d21e24c05cb558396bc395dcb3f98de7ccf  was taken for this analysis. Based on static analysis, we found that the malicious file is a 32-bit Graphical User Interface (GUI) based binary, as shown in below figure.

Figure 2 – File details of Cerber2021 ransomware EXE

Upon execution, the malware checks for the presence of three mutex strings, as shown in Figure 3. The malware terminates its execution if it identifies any of the mutex strings already present in the users’ machine. This mutex validation is implemented in the ransomware binary to avoid reinfecting the machine.

Figure 3 – Mutex check with any of the String names

We found that strings in the binary file, such as “cryptographic algorithms, are disabled after a power-up self-test fails.” This indicates that the malware uses the freely available Crypto++ Library functions for encryption. The below figure shows the Crypto++ library function strings.

Figure 4 – Crypto++ Library strings

After infiltrating the victim’s computer, the ransomware checks the system drive from “C:\” to “Z:\” in the victim’s machine and encrypts files present in the identified drives. Cerber2021 ransomware targets files with the extensions mentioned in the below figure.

Figure 5 – List of File Extensions encrypted by Cerber2021 Ransomware

After encryption, the ransomware appends .locked extensions to the encrypted file name in the victim’s machine. The below figure shows the files encrypted by the ransomware.

Figure 6 – Encrypted files in Victim’s Windows machine (extension – .locked)

After encrypting the files, the malware generates the Tor Onion URL link by appending a dynamically generated key at the end, as shown below.

Figure 7 – Tor payment site URL

Finally, the ransom note named __$$RECOVERY_README$$__.html is shown to the victims. In the ransom note, the TAs instruct victims to contact them through their TOR website. Additionally, the TAs threaten to disclose the information about the victim’s private data on public news and websites if they do not contact them within 30 days after the ransomware attack. The below figure shows the ransom note.

Figure 8 – Ransom note

The decryption software service is available through the TOR link mentioned in the __$$RECOVERY_README$$__.html page. It requires a payment of 0.068 Bitcoins (~ USD 21,000) in 5 days; otherwise, the software price will be doubled, as shown in the figure below.

Figure 9 – Ransomware payment page

To delete the ransomware file after infection, it uses the ShellExecyteA() API function with the arguments shown below. This will remove the malware file from the system, leaving only the encrypted files and the ransom note behind.

Figure 10 –  Self-delete using ShellExecuteA function

Linux Variant

The sample hash (SHA256), 46998fe7f03cf9f870d95b6585324bbde64fe0a673382ef571662ca2f40499bb  was taken for this analysis. Based on static analysis, we found that the malicious file is a 64-bit UPX-packed ELF binary as shown in below figure.

Figure 11 – File details of Cerber2021 ransomware ELF

The ransomware functionalities present in the Linux version are similar to the Windows version. It targets the same file extensions to encrypt the files and shares a similar payment method. The below figure shows the encrypted files on a Linux machine.

Figure 12 – Encrypted files in Victim’s Linux machine (extension – .locked)

Cerber vs. Cerber2021

  • Cerber2021 ransomware uses different code than the older Cerber variants in 2016.
  • The new ransomware can encrypt files in both Windows and Linux machines, whereas the older version solely affects Windows systems.
  • The latest variant uses the Crypto++ library for its encryption. The older version of Cerber uses Windows CryptoAPI libraries.
  • Cerber2021 borrowed its name and copied the Tor payment sites and ransom notes from the older Cerber ransomware.


Ransomware is becoming an increasingly common and effective attack method that affects organizations and their productivity. TAs exploit recently patched/unpatched vulnerabilities to deliver ransomware such as Cerber2021. Currently, the best method to secure yourself and your organization against Cerber2021 is by applying the security updates released by the Atlassian Confluence to stay protected.

Many servers are patched; however, we can expect the TAs to target other vulnerabilities to breach servers and deploy their malware. Cyble Research Labs closely monitors the Cerber Ransomware group and other similar TA activities and analyzes them to better understand their motivations.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impacts And Cruciality of Cerber2021 Ransomware

  • Loss of Valuable data.
  • Loss of organization’s reliability or integrity.
  • Loss of organization’s business information.
  • Disruption in organization operation.
  • Economic loss.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204User Execution
Discovery    T1082
System Information Discovery
File and Directory Discovery
​Inhibit System Recovery
Data Encrypted for Impact
Defense EvasionT1070Indicator Removal on Host

Indicators Of Compromise

File name
MD5 SHA1 Sha256x32 EXE binary
MD5 SHA1 Sha256UPX packed
x64 ELF binary
MD5 SHA1 Sha256Unpacked x64 ELF
URLTor site link
Scroll to Top