The JS files and malicious Word docs both contain obfuscated scripts that download the Sage 2.0 installer to the %Temp% folder using a URL. After encrypting the user's files, Sage 2.0 communicates with a command-and-control server and sends encrypted data that includes a campaign ID. From this we can infer that the ransomware may be distributed on the Dark Web as Ransomware-as-a-Service (RaaS).

Cerber is a large ransomware family that includes many variants, such as Cerber, Cerber 2, Cerber3, Cerber with random extensions, RedCerber, and ReadMe Cerber. The virus often spikes up and down.