A Cerber variant has been spotted in the wild in the past month. It uses a function that searches for locally-installed security products and avoids encrypting their files. Cerber’s behavior is normal, with the same ransom demand, the same wallpapers, and the same file and folders whitelist. Researchers say the behavior is most likely useless, as Cerber already whitelists EXE files, DLL files, and applications installed in the Program Files folder. It’s most likely an offshoot modified by someone who rented the Cerber family.
Source: https://www.bleepingcomputer.com/news/security/cerber-ransomware-doesnt-encrypt-files-belonging-to-security-products/