{"id":53212,"date":"2016-10-20T14:54:41","date_gmt":"2016-10-20T21:54:41","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=53212"},"modified":"2025-06-08T18:09:53","modified_gmt":"2025-06-09T01:09:53","slug":"unfolding-the-mystery-of-cerber-ransomwares-random-file-extension","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/","title":{"rendered":"Unfolding the Mystery of Cerber Ransomware&#8217;s Random File Extension"},"content":{"rendered":"<p><em>This blog post was written by Sudhanshu Dubey.<\/em><\/p>\n<p>In <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/cerber-ransomware-updates-configuration-file\/\">an earlier blog,<\/a> we discussed the evolution of the popular Cerber ransomware from Version 1 to 2. Recently we came across two newer versions of Cerber (we&#8217;ll call them Versions 3 and X). Cerber 3 has few changes but Version X has some new behavior that caught our attention. 
(We call this version X, not 4, because it does not follow Cerber\u2019s usual encrypted-file extension pattern, .cerberN, and instead uses a random extension.)\u00a0In this post, we dig into this new version and uncover the mystery behind the random extension.<\/p>\n<p>Cerber infects systems via social media tricks such as spam email carrying malicious links or documents, via malvertising campaigns and the exploitation of vulnerable websites, and via exploit kits such as Angler, Nuclear, and others.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-53213 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png\" alt=\"CERBER vX infected machine\" width=\"1024\" height=\"460\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Home_2-1024x460.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Home_2-300x135.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Home_2-768x345.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Home_2.png 1916w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>Machine infected with Cerber X.<\/p>\n<p>Extensions of files encrypted by Cerber Versions 2, 3, and X:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-53226 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-9.png\" alt=\"Cerber version file Extension\" width=\"1417\" height=\"549\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-9.png 1417w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-9-300x116.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-9-768x298.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-9-1024x397.png 1024w\" sizes=\"auto, (max-width: 1417px) 100vw, 1417px\" \/><\/p>\n<h2><strong>Analysis of Cerber X<\/strong><\/h2>\n<p>In contrast to Version 2, Cerber X uses the Nullsoft Scriptable Install System 
(NSIS) to hide itself. The installer contains the encrypted Cerber executable (.ch) and a shellcode file (.caz) that holds the code to decrypt the Cerber file. The components of the NSIS installer follow:<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53235 \" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2-7.png\" alt=\"Components of CERBER NSIS file\" width=\"587\" height=\"263\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-7.png 1064w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-7-300x134.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-7-768x344.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-7-1024x458.png 1024w\" sizes=\"auto, (max-width: 587px) 100vw, 587px\" \/><\/strong><\/p>\n<p>The file .ch is the encrypted Cerber file. Its first DWORD is the size of the Cerber core file, followed by the encrypted data. A snippet of the encrypted core file follows:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53236\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/3-6.png\" alt=\"Encrypted CERBER file with file size as first DWORD\" width=\"530\" height=\"256\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-6.png 804w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-6-300x145.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-6-768x372.png 768w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/p>\n<p>The file .caz contains shellcode that first decrypts itself, then decrypts the encrypted Cerber file (.ch) and executes it. 
A snippet of the shellcode file:<strong><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53237 \" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/4-8.png\" alt=\"Shell Code file and code to decrypt itself\" width=\"619\" height=\"248\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-8.png 1109w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-8-300x120.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-8-768x307.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-8-1024x410.png 1024w\" sizes=\"auto, (max-width: 619px) 100vw, 619px\" \/><\/strong><\/p>\n<h2><strong>Configuration file of Cerber 2 versus X<\/strong><\/h2>\n<p>We observed a few changes in the configuration files of Versions 2, 3, and X. They concern Base64 encoding, self-deletion, the encryption message file, and other elements. Here are some of the changes.<\/p>\n<ul>\n<li><strong>Base64 encoding:\u00a0<\/strong>In Version 2, the configuration file has all of its contents in plaintext. In Version X some fields, such as the encryption messages, are Base64 encoded. This change might be intended to reduce in-memory detection of the file, because the encryption messages contain many suspicious strings that help analysts catch the malware in memory; encoding them reduces the time those strings spend in memory in plaintext.<\/li>\n<li><strong>Encryption message file: <\/strong>In contrast to previous versions, in which Cerber drops files such as # DECRYPT MY FILES .htm#, this version drops only one file,\u00a0README.hta (an HTML application). 
Similar to its predecessors, the name and content of the message file are kept in the configuration file, but with Base64 encoding.<\/li>\n<li><strong>bytes_skip tag:<\/strong> Skips a number of bytes from the start of each file during encryption.<\/li>\n<li><strong>self_deleting tag:<\/strong> The malware deletes itself after encryption.<\/li>\n<li><strong>remove_shadows tag:<\/strong> Removes shadow copy backups.<\/li>\n<\/ul>\n<h2><strong>How Cerber gets its random extension<\/strong><\/h2>\n<p>This version behaves differently from its predecessors. It does not follow the .cerberN (where N is a number) extension rule but instead derives the encrypted-file extension from system information. Its component filenames and locations also differ from earlier versions and are likewise derived from system information.<\/p>\n<p>Cerber X uses the following registry entry to obtain its component filenames and the extension for encrypted files:<\/p>\n<ul>\n<li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid<\/li>\n<\/ul>\n<p>MachineGuid has the following format:<\/p>\n<ul>\n<li>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX<\/li>\n<\/ul>\n<p>This code snippet shows Cerber accessing the preceding registry key:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-53238 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/5-10.png\" alt=\"Reading MachineGUID registry key\" width=\"666\" height=\"299\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-10.png 1124w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-10-300x135.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-10-768x344.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-10-1024x459.png 1024w\" sizes=\"auto, (max-width: 666px) 100vw, 666px\" \/><\/p>\n<p>Cerber X splits the GUID on its hyphens and uses the resulting tokens as follows:<\/p>\n<ul>\n<li><strong>Part 1 <\/strong>(8 characters): Used as a folder name for the Cerber component in %TEMP% 
directory.<\/li>\n<li><strong>Part 2, Part 3 <\/strong>(4 characters each): Used as filenames for Cerber&#8217;s\u00a0component files.<\/li>\n<li><strong>Part 4 <\/strong>(4 characters): Used as the extension of the encrypted file.<\/li>\n<\/ul>\n<p>So the mystery behind the random extensions is MachineGUID, whose fourth token becomes the extension for the encrypted file. We can use this behavior of deriving file and folder names from MachineGUID as a heuristic detection for Cerber X, because the malware starts its encryption process only after dropping these components. Thus if we can detect this use of MachineGUID, we can prevent the encryption of a victim\u2019s files.<\/p>\n<h2><strong>Network communications<\/strong><\/h2>\n<p>Network communications are broadly similar across all versions, but this version has some minor changes in how it gathers the data to send. Server information is kept in the configuration file:<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53239 \" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/6-8-1024x262.png\" alt=\"Servers tag in configuration file\" width=\"699\" height=\"179\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-8-1024x262.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-8-300x77.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-8-768x196.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-8.png 1118w\" sizes=\"auto, (max-width: 699px) 100vw, 699px\" \/><\/strong><\/p>\n<p>Cerber uses the sendto API to send information to the IP addresses listed in the servers tag of the configuration file. The initial message sent to the server is 9 bytes long, and its template is stored, Base64 encoded, in the knock tag of the configuration file. The format of the data:<\/p>\n<ul>\n<li>hi{PARTNER_ID}<\/li>\n<\/ul>\n<p>PARTNER_ID is generated at runtime, and in this version the method of deriving it is different. 
PARTNER_ID, which is 7 characters long, is generated in two parts. The first part has 5 characters and the second part has 2. In Version 2, the first part is generated with the help of a checksum of the file; in Version X it is taken from a hardcoded address in the .data section of the file.<\/p>\n<p>Code snippets from both versions:<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53240 \" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/7-6.png\" alt=\"PARTNER_ID Diff : Reading Checksum field and Using Hardcoded Address in file\" width=\"921\" height=\"239\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-6.png 1111w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-6-300x78.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-6-768x199.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-6-1024x265.png 1024w\" sizes=\"auto, (max-width: 921px) 100vw, 921px\" \/><\/strong><\/p>\n<h2><strong>Anti-VM blooper<\/strong><\/h2>\n<p>As we mentioned in our previous blog, irrespective of the version, Cerber is one of the most comprehensive malware families. Cerber exhibits anti\u2013virtual machine techniques that detect popular VMs including Parallels, QEMU, VMware, and VBox. 
While analyzing, we observed a curious thing: in one of the anti-VM techniques, Cerber accesses the following registry key:<\/p>\n<ul>\n<li>HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion<\/li>\n<\/ul>\n<p>After reading the key, it tries to locate the substring \u201cWMWare\u201d instead of \u201cVMWare\u201d in the value, as shown:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53241 \" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/8-5.png\" alt=\"Comparing the value with WMWare\" width=\"799\" height=\"360\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-5.png 909w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-5-300x135.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-5-768x346.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/p>\n<p>Looks like even ransomware developers have trouble with typos.<\/p>\n<p>McAfee products detect Cerber as NSIS\/Ransom-Cerber.a.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog post was written by Sudhanshu Dubey. In an earlier blog, we discussed the evolution of the popular Cerber&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180,4549],"coauthors":[4136],"class_list":["post-53212","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware","tag-ransomware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Unfolding the Mystery of Cerber Ransomware&#039;s Random File Extension | McAfee Blog<\/title>\n<meta name=\"description\" content=\"This blog post was written by Sudhanshu Dubey. 
In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unfolding the Mystery of Cerber Ransomware&#039;s Random File Extension | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"This blog post was written by Sudhanshu Dubey. In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-10-20T21:54:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-09T01:09:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Home_2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1916\" \/>\n\t<meta property=\"og:image:height\" content=\"860\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Unfolding the Mystery of Cerber Ransomware&#8217;s Random File Extension\",\"datePublished\":\"2016-10-20T21:54:41+00:00\",\"dateModified\":\"2025-06-09T01:09:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/\"},\"wordCount\":915,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\",\"ransomware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/\",\"name\":\"Unfolding the Mystery of Cerber Ransomware's Random File Extension | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png\",\"datePublished\":\"2016-10-20T21:54:41+00:00\",\"dateModified\":\"2025-06-09T01:09:53+00:00\",\"description\":\"This blog post was written by Sudhanshu Dubey. In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Unfolding the Mystery of Cerber Ransomware&#8217;s Random File Extension\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Unfolding the Mystery of Cerber Ransomware's Random File Extension | McAfee Blog","description":"This blog post was written by Sudhanshu Dubey. In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Unfolding the Mystery of Cerber Ransomware's Random File Extension | McAfee Blog","og_description":"This blog post was written by Sudhanshu Dubey. 
In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-10-20T21:54:41+00:00","article_modified_time":"2025-06-09T01:09:53+00:00","og_image":[{"width":1916,"height":860,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Home_2.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Unfolding the Mystery of Cerber Ransomware&#8217;s Random File Extension","datePublished":"2016-10-20T21:54:41+00:00","dateModified":"2025-06-09T01:09:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/"},"wordCount":915,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png","keywords":["computer 
security","cybercrime","endpoint protection","malware","ransomware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/","name":"Unfolding the Mystery of Cerber Ransomware's Random File Extension | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png","datePublished":"2016-10-20T21:54:41+00:00","dateModified":"2025-06-09T01:09:53+00:00","description":"This blog post was written by Sudhanshu Dubey. 
In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Home_2-1024x460.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unfolding-the-mystery-of-cerber-ransomwares-random-file-extension\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Unfolding the Mystery of Cerber Ransomware&#8217;s Random File Extension"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/53212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=53212"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/53212\/revisions"}],"predecessor-version":[{"id":215266,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/53212\/revisions\/215266"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=53212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=53212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=53212"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=53212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}