Kaspersky and other information security firms mentioned 2016 as the year of Ransomware. The impact of attacks has allowed financial damage on the business or individual. The FBI estimates that losses incurred in 2016 will top US$ 3 billion. Meanwhile, cyber criminals use malware: Trojans, Spyware, and Keyloggers, all of which require long tremendous effort to transfer benefits into their bank accounts; while Ransomware makes the process automatic and easy by using a business model of Ransomware as a Service (RaaS). Therefore, Ransomware are made more sophisticated and more effective as to avoid detection and analysis. In this paper, we present a new insight into detection by analyzing Cerber Ransomware using Network-Forensic-Behavioral-Based. This paper is aimed to reconstruct the attack of timestamp, to identify the infected host and malware, to compromise websites involved in the chain of infection, to find campaigns scripts, and to exploit kits and payload Ransomware.