What is Cerber?
Cerber is a ransomware-type malware that infiltrates systems, encrypting various file types including .jpg, .doc, .raw, .avi, etc. Cerber adds a .cerber (some variants add .cerber2 or .cerber3) extension to each encrypted file. Notice that some variants of this ransomware add random file extensions – for example: “.ba99”, ”.98a0“, “.a37b“, “.a563” etc. Following successful infiltration, Cerber demands a ransom payment to decrypt these files. It is stated that payment of the ransom must fall within the given time frame (seven days), otherwise the ransom amount will double. Some variants of this ransomware disclose their versions – for example: Cerber Ransomware 4.1.5″, “Cerber Ransomware 4.1.6”, “Cerber Ransomware 5.0.0” ( the latest variant demands a ransom of $499) etc.
During encryption, Cerber creates three different files (#DECRYPT MY FILES#.txt, #DECRYPT MY FILES#.html, and #DECRYPT MY FILES#.vbs) containing step-by-step payment instructions (never variants use only one file “_README_.hta“) in each folder containing the encrypted files. The message within these files states that users can only decrypt their files using a decryptor developed by cyber criminals (called ‘Cerber Decryptor’). The #DECRYPT MY FILES#.vbs file contains a VBScript, which when executed, plays the message, “Your documents, databases and other important files have been encrypted!” through the computer speakers. To download the decryptor, a ransom payment of 1.24 BitCoin (at time of research, equivalent to $546.72) is required. If the ransom is not paid within seven days, it doubles to 2.48 BTC. It is also stated that users can only pay using the Tor browser and by following instructions within the indicated website. Unfortunately, at time of research, there were no tools capable of decrypting files affected by Cerber. Therefore, the only solution to this problem is to restore your system from a backup.
After encrypting files, Cerber ransomware changes desktop wallpaper:
Update 1 December, 2016 – Cerber ransomware was updated by cyber criminals. The most noticeable changes include the use of red colour for the desktop wallpaper. The ransom demanding message is now presented in _README_[RANDOM]_.hta file. Cyber criminals no longer provide the version number of this ransomware. The ransom amount at the time of writing this article was $499 payable in Bitcoins.
Victims of Cerber ransomware can use a decrypter called “Trend Micro Ransomware File Decryptor tool” to decrypt their files for free. Download is HERE. (Unfortunately this tool is no longer available) You can view a video tutorial of how to use this tool HERE. Here’s a screenshot of this tool:
Update 17 August 2016 – Check Point Software Technologies Ltd. company has released a decrypter for Cerber ransomware. At the time of testing it was able to decrypt files with .cerber and .cerber2 extensions. To decrypt their files victims should visit THIS website and follow the simple 7 steps to decrypt their files for free. Unfortunately cyber criminals have updated their ransomware and this tool no longer works. Here’s a screenshot of Cerber Ransomware Dceryption Tool website:
Text presented on the wallpaper of Cerber ransomware:
You documents, photos, databases and other important files have been encrypted!
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page.
A screenshot of Cerber ransomware website (used to provide victims with ransom payment instructions, provide support, etc.):
Text presented in the homepage of Cerber ransomware:
Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – «Cerber Decryptor». All transactions should be performed via Bitcoin network only. Within 5 days you can purchase this product at a special price: 0.750 (≈ $518). After 5 days the price of this product will increase up to: 1.500 (≈ $1036).
As with other crypto ransomware, Cerber shares many similarities with many other malware infections such as Locky, CryptoWall, CTB-Locker, Crypt0L0cker, and TeslaCrypt. All have identical behavior – they encrypt files and encourage users to pay a ransom to decrypt them. The only difference between these viruses is the algorithm used to encrypt the files and size of ransom. Be aware that there is no guarantee that your files will ever be decrypted even after paying the ransom. Paying is equivalent to sending your money for cyber criminals – you merely support their malicious businesses. Therefore, never pay the ransom and do not attempt to contact these people. Malware such as Cerber is mostly proliferated via malicious e-mail attachments, peer-to-peer (P2P) networks (for example, Torrent), fake software updates, and trojans. Be cautious when opening attachments from unrecognized emails and ensure that your chosen files are downloaded from trusted sources. Furthermore, keep all installed software up-to-date and use a legitimate anti-virus or anti-spyware suite.
Screenshot of README.hta file (updated variant of Cerber ransomware now uses this file to open it’s ransom demanding website):
Cerber website FAQ:
Question: How can i decrypt my files after payment?
Answer: After payment, you can download the «Cerber Decryptor» from your personal page. We guarantee that all your files will be decrypted!
Question: My files was infected more then month ago, can i still decrypt it with your software?
Answer: Yes, you can still decrypt your files after the payment!
Cerber website Support:
In case of any problems with payment or having any other questions, please contact us via the contact form.
Cerber website “Decrypt 1 files for Free”:
We give you the opportunity to decipher 1 file free of charge! You can make sure that the service really works and after payment for the «Cerber Decryptor» program you can actually decrypt the files!
Cerber ransomware distributed via spam e-mail attachments (using infected .WSF and .DOC files):
Cerber ransomware is delivered by a rogue document attached to spam emails. Once users open the document, they are encouraged to enable malicious macros – the ransomware then starts to encrypt victims’ data:
Screenshot of a folder that was compromised by Cerber ransomware (all files are renamed and have a .cerber extension):
After infiltrating the victim’s computer, Cerber ransomware targets files with these extensions:
.gif, .groups, .hdd, .hpp, .log, .m2ts, .m4p, .mkv, .mpeg, .ndf, .nvram, .ogg, .ost, .pab, .pdb, .pif, .png, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .dc2, .dcs, .ddoc, .ddrw, .der, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erbsql, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibd, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .mrw, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pot, .pptx, .psafe3, .py, .qba, .qbr, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .yuv, .contact, .dbx, .doc, .docx, .jnt, .jpg, .msg, .oab, .ods, .pdf, .pps, .ppsm, .ppt, .pptm, .prf, .pst, .rar, .rtf, .txt, .wab, .xls, .xlsx, .xml, .zip, .1cd, .3ds, .3g2, .3gp, .7z, .7zip, .accdb, .aoi, .asf, .asp, .aspx, .asx, .avi, .bak, .cer, .cfg, .class, .config, .css, .csv, .db, .dds, .dwg, .dxf, .flf, .flv, .html, .idx, .js, .key, .kwm, .laccdb, .ldf, .lit, .m3u, .mbx, .md, .mdf, .mid, .mlb, .mov, .mp3, .mp4, .mpg, .obj, .odt, .pages, .php, .psd, .pwm, .rm, .safe, .sav, .save, .sql, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .xlsb,3dm, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .docm, .dot, .dotm, .dotx, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .max, .mdb, .pcd, .pct, .pl, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .ps, .r3d, .rw2, .sldm, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .xlr, .xlsm, .xlt, .xltm, .xltx, .xlw, .act, .adp, .al, .bkp, .blend, .cdf, .cdx, .cgm, .cr2, .crt, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, .nsh, .odc, .odp, .oil, .pas, .pat, .pef, .pfx, .ptx, .qbb, .qbm, .sas7bdat, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .flvv
Screenshot of #DECRYPT MY FILES#.html file:
Screenshot of #DECRYPT MY FILES#.txt file:
Cerber Decryptor download instructions:
How to get ?
1. Create a Bitcoin Wallet (we recommend Blockchain.info)
2. Buy necessary amount of Bitcoins
Do not forget about the transaction commission in the Bitcoin network (0.0005 BTC).
3. Send 1.24 Bitcoins to the following Bitcoin address: –
4. Control the amount transaction at he panel below.
5. Get a link and download the software.
Text presented in #DECRYPT MY FILES#.txt file:
CERBER
Cannot your find the files you need? Is the content of the files that you looked for not readable? It is normal because the files’ names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware.
#########################################################################
!!! If you are reading this message it means the software
!!! “Cerber Ransomware” has been removed from your computer.#########################################################################
What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorised users. To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case “Cerber Decryptor” software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the “Cerber Ransomware” software; the instructions (“#DECRYPT MY FILES #.html” and “# DECRYPT MY FILES #.txt”) in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the “Cerber Ransomware” where they find a lot of ideas, recommendation and instructions. It is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back you files with the third-party tools can
!!! be fatal for your encrypted files.The most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place – the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the “Cerber Ransomware” software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!!since you have read this warning already.#########################################################################
For you information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to:
1. decrypt all you files;
2. work with your documents;
3. view you photos and other media;#########################################################################
What should you do with these addresses? If you read the instructions in TXT format (if you have instructions in HTML (the file with an icon of you Internet browser) then the easiest way is to run it): 1. take a look at the first address 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select “Copy” in the appeared menu; 5. run you Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button “Insert” in the appeared menu; 9. then you will see the address appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the post about working with the addresses in the HTML instructions.
#########################################################################
Additional information: You will find the instructions for restoring your files in those folders where you have encrypted files only. The instructions are made in two file formats – HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and not it depends on your determination and speed of you actions the further life of your files.
Cerber ransomware removal:
Step 1
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in “Safe Mode with Networking”:
Windows 8 users: Start Windows 8 is Safe Mode with Networking – Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened “General PC Settings” window, select Advanced startup. Click the “Restart now” button. Your computer will now restart into the “Advanced Startup options menu”. Click the “Troubleshoot” button, and then click the “Advanced options” button. In the advanced option screen, click “Startup settings”. Click the “Restart” button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in “Safe Mode with Networking”:
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click “Restart” while holding “Shift” button on your keyboard. In the “choose an option” window click on the “Troubleshoot”, next select “Advanced options”. In the advanced options menu select “Startup Settings” and click on the “Restart” button. In the following window you should click the “F5” button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in “Safe Mode with Networking”:
Step 2
Log in to the account infected with the Cerber virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
DOWNLOAD
Remover for .cerber virus
1-866-208-0865
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using “Safe Mode with Command Prompt” and “System Restore”:
1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click “Next”.
5. Select one of the available Restore Points and click “Next” (this will restore your computer system to an earlier time and date, prior to the Cerber ransomware virus infiltrating your PC).
6. In the opened window, click “Yes”.
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Cerber ransomware files.
To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Cerber are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the “Restore” button.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.
To regain control of the files encrypted by Cerber, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.
To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as Cerber ransomware.)
HitmanPro.Alert CryptoGuard – detects encryption of files and neutralises any attempts without need for user intervention:
Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately – before reaching users’ files:
- The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.
Other tools known to remove Cerber ransomware:
Originally published @ PC Risk
[themify_button style=”large orange rounded” link=”http://www.itworkz.co.za/whitepapers” ]Why aren’t your leads converting? Find out here[/themify_button]