C3Rb3R

Description

Cerber ransomware, active since 2016, has resurfaced occasionally using the name C3RB3R. It operates as a semi-private Ransomware-as-a-Service (RaaS) and targets both Windows and Linux environments. Cerber typically uses AES + RSA cryptographic methods and appends the .L0CK3D extension to encrypted files. It executes operations via phishing, malicious macros, and has even leveraged vulnerabilities such as Atlassian Confluence’s CVE-2023-22518 for deployment. Victims are directed to Tor-hosted payment portals for decryption instructions.

External Analysis
https://www.sentinelone.com/blog/c3rb3r-ransomware-ongoing-exploitation-of-cve-2023-22518-targets-unpatched-confluence-servers/
https://threats.wiz.io/all-tools/c3rb3r-ransomware
https://www.bleepingcomputer.com/news/security/paraguay-warns-of-black-hunt-ransomware-attacks-after-tigo-business-breach/
Urls
Screen
File servers
Screen
Chat servers
Screen
http://j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad.onion/
Screen
http://c3rb3rnow2alp26exjwlrs7puvftcxqywmpqedlierashbqikyxgg3qd.onion
Screen
Admin servers
Screen