Cerber Ransomware - How to remove?


Cerber Ransomware is another program that infiltrates computers without the user's knowledge and encrypts their important files. It works in the same way as the previously released Locky Ransomware, CryptoWall Ransomware, TeslaCrypt Ransomware, CTB Locker, etc.; from the victim's point of view the main difference between them is the size of the ransom they demand. The application is normally distributed through spam emails, so users should treat unexpected attachments with suspicion. Also pay attention to what you download from the Internet and make sure you choose reliable sources.

Cerber Ransomware usually locks files with extensions such as .jpg, .doc, .raw and .avi and adds the .cerber extension to them. Then it displays a warning demanding that users pay a ransom within a deadline (5 or 7 days, depending on the version) if they want their files unlocked. Usually it asks for 1.24 Bitcoin, which was more than $500 at the time of writing. Here is what the Cerber Ransomware message looks like:

Your documents, photos, databases and other important files have been encrypted!
To decrypt your files you need to buy the special software – <<Cerber Decryptor>>.
All transactions should be performed via bitcoin network only.
Within 5 days you can purchase this product at a special price: B0.9292 (~$600).
After 5 days the price of this product will increase up to: B1.8584 (~$1200).

or (older version):

Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
1. Download and install the “Tor Browser” from https://www.torproject.org/
2. Run it
3. In the “Tor Browser” open website:
4. Follow the instructions at this website

And here is what the instructions look like:

How to get “Cerber Decryptor”?
1. Create a Bitcoin Wallet (we recommend Blockchain.info)
2. Buy necessary amount of Bitcoins
Do not forget about the transaction commission in the Bitcoin network (~B 0.0005).
Here are our recommendations:
LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins;
CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins;
BTCDirect.eu – the best for Europe;
CEX.IO – Visa / MasterCard;
CoinMama.com – Visa / MasterCard;
HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency.

3. Send B 1.24 to the following address
4. Control the amount transaction at the “Payments History” panel below
5. Get the link and download the software

It seems easy, but it is not exactly so. If you don't pay within the deadline (the note quoted above gives 5 days; other versions give 7), the ransomware states that the amount will double to 2.48 BTC. On top of that, Cerber has the ability to recite its ransom message out loud to the victim: it drops a VBScript file that uses the Windows text-to-speech (SAPI) engine. This was quite a new feature among ransomware releases at the time. The spoken message usually sounds like this:

Attention! Attention! Attention!
Your documents, photos, databases and other important files have been encrypted!

This is quite a scary message, especially if you hear it out of nowhere, and it obviously increases the chances that victims will simply do what the ransomware asks. On top of that, you will see another message on your desktop that looks like this:

Your documents, photos, databases and other important files have been encrypted!
If you understand all the importance of the situation, then we propose to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
Here is a list of temporary addresses to go on your personal page below:

How to decrypt files locked by Cerber ransomware?

Unfortunately, even if you pay the ransom, there is no guarantee that you will get your files back. You can easily lose your money and get no decryption key. For this reason, the best way to retrieve your files is to restore them from a backup. This is when you realize how important it is to make regular backups.

We highly recommend taking better care to protect your computer from this kind of infection. Make sure you have a good antivirus installed and, in addition, an anti-malware program such as Reimage, SpyHunter or Malwarebytes. Keep them up to date so that they can detect current threats.

Update of the 14th of December, 2016. Microsoft Malware Protection Center has observed Cerber ransomware being spread via fake credit card e-mail reports that carry a malicious Word attachment.

Update of the 22nd of December, 2016. The Cerber variant circulating at this time was observed not to delete the Shadow Volume Copies. Affected users can therefore try to restore their data from them (see the Shadow Volume Copies section below).

Update of the 24th of December, 2016. The new version of Cerber crypto-virus leaves _{RAND}_README.hta and _{RAND}_README.jpg files as ransom notes.

Update of the 18th of January, 2017. Cerber now leaves _HELP_DECRYPT_[A-Z0-9]{4,8}_.jpg and .hta notes as the ransom letters.

Update of the 23rd of January, 2017. Researchers have obtained more information about how exactly Cerber operates. Thanks to a recently discovered vulnerability, it was possible to get into one of the servers belonging to Cerber's creators. This mistake let experts find out that the ransomware mostly targets people in Europe and America, and that the Cerber operation is capable of sending close to nine thousand malicious spam e-mails per day.

Update of the 20th of February, 2017. New variants of Cerber have been spotted. The first one skips files belonging to security applications, so those products keep functioning on the infected device while everything else is encrypted. The second sample adds the .encryptedyourfiles extension to each encrypted file. Its ransom note, 001-READ-FOR-DECRYPT-FILES.html, opens in the default browser.

Update of the 3rd of March, 2017. A couple of applications from Google Play Store have been noticed to contain a Cerber ransom note called README.hta.

Update of the 10th of March, 2017. A new variant of Cerber ransomware has been detected. This one does not scramble filenames and leaves them intact. That is not as helpful as it sounds: being able to tell encrypted data from untouched data is still useful, and the ransomware still appends an extension to each file it encrypts. However, there is no single extension shared by all victims of this variant; the extension appears to be individual for every affected user.
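The file-name indicators from the updates above lend themselves to a quick triage. The following PowerShell script is an added example, not code from the original article: it walks a folder tree, flags ransom notes by the patterns listed above, flags files carrying the .cerber and .encryptedyourfiles extensions, and treats an unfamiliar suffix appended to an otherwise normal document name (invoice.docx.a1b2) as a likely hit for the per-victim extension variant. The {RAND} token is assumed to be alphanumeric, the list of document extensions is an assumption, and the default paths are placeholders.

```powershell
# Added example, not part of the original article: triage a folder tree for the
# Cerber indicators listed in the updates above. The {RAND} pattern, the document
# extension list and the default paths are assumptions; adjust them to the host.
param(
    [string]$Root   = $env:USERPROFILE,
    [string]$Report = (Join-Path $env:TEMP 'cerber-triage.csv')
)

# Ransom-note file names from the updates above ({RAND} assumed alphanumeric).
$notePatterns = @(
    '^_[A-Za-z0-9]+_README\.(hta|jpg)$',           # 24 Dec 2016 variant
    '^_HELP_DECRYPT_[A-Z0-9]{4,8}_\.(hta|jpg)$',    # 18 Jan 2017 variant
    '^001-READ-FOR-DECRYPT-FILES\.html$'            # 20 Feb 2017 variant
)
# Extensions the article reports Cerber appending to encrypted files.
$knownExt = @('.cerber', '.encryptedyourfiles')
# Ordinary document extensions (assumed list) used to spot the per-victim
# extension variant, which leaves names like invoice.docx.a1b2.
$docExt = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf', '.txt',
            '.jpg', '.jpeg', '.png', '.raw', '.avi', '.mp4', '.zip', '.db', '.sql')

$results = foreach ($f in Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue) {
    $ext  = $f.Extension.ToLower()
    $kind = $null
    if ($notePatterns | Where-Object { $f.Name -match $_ }) {
        $kind = 'ransom-note'
    } elseif ($knownExt -contains $ext) {
        $kind = 'encrypted'
    } else {
        # BaseName of "invoice.docx.a1b2" is "invoice.docx": a document extension
        # hiding under an unfamiliar suffix is the signature of the March 2017 variant.
        $inner = [System.IO.Path]::GetExtension($f.BaseName).ToLower()
        if ($inner -and ($docExt -contains $inner) -and ($docExt -notcontains $ext)) {
            $kind = 'suspected-encrypted'
        }
    }
    if ($kind) {
        [pscustomobject]@{
            Kind      = $kind
            Extension = $ext
            Written   = $f.LastWriteTime
            Path      = $f.FullName
        }
    }
}

if (-not $results) { "No Cerber indicators found under $Root."; return }

$results | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
"Wrote $($results.Count) hits to $Report"
$results | Group-Object Kind, Extension | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The first note written marks the start of the damage; restore points and
# shadow copies created after this moment may already hold encrypted files.
$firstNote = $results | Where-Object Kind -eq 'ransom-note' | Sort-Object Written | Select-Object -First 1
if ($firstNote) {
    "Earliest ransom note: $($firstNote.Written)  $($firstNote.Path)"
    "Use a System Restore point or shadow copy created before this time."
}
```

The earliest ransom-note timestamp is the value to carry into the recovery steps that follow: any System Restore point or shadow copy created after it may already contain encrypted files. When the infected drive is attached to a clean PC, point -Root at the mounted volume instead of the user profile.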

How to recover Cerber Ransomware encrypted files and remove the virus

Using System Restore to restore PC to previous state

1. Reboot your computer to Safe Mode with Command Prompt 

for Windows 7 / Vista/ XP

  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10

  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points created before Cerber Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

3. Complete removal of Cerber Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage or SpyHunter, and remove all malicious files related to Cerber Ransomware.

4. Restore Cerber Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Cerber Ransomware usually tries to delete all Shadow Volume Copies (although the variant described in the update of the 22nd of December, 2016 did not), so this method may not work on every computer; it is worth checking whether any snapshots survived before giving up on it.

Shadow Volume Copies are available on Windows XP Service Pack 2 and later (Windows Vista, 7, 8 and 10). There are two ways to retrieve your files from a Shadow Volume Copy: the native Windows Previous Versions tab, or Shadow Explorer. Note that Windows 8 and 8.1 dropped the Previous Versions tab for local drives, so Shadow Explorer is the option there.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties > Previous Versions tab. You will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free, as either a full or a portable version. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
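Before working through the Previous Versions or Shadow Explorer dialogs, it is worth checking from PowerShell whether any shadow copies survived at all and, if so, pulling a file out of the newest snapshot taken before the infection. The script below is an added example and not part of the original article; it needs an elevated PowerShell 3.0 or later session. The cut-off time, the target file and the output folder are placeholders (take the cut-off from the earliest ransom-note timestamp on the host), and the snapshot is exposed through a directory symbolic link, which is the standard way to browse a shadow copy by path.

```powershell
# Added example, not part of the original article: list surviving shadow copies
# of the target's volume and copy one file out of the newest snapshot taken
# before the infection. Run in an elevated PowerShell 3.0+ session.
# $Cutoff, $Target and $OutDir are placeholders; use the earliest ransom-note
# timestamp on the host as the cut-off.
param(
    [datetime]$Cutoff = (Get-Date).AddHours(-12),
    [string]$Target   = 'C:\Users\Alice\Documents\report.docx',
    [string]$OutDir   = (Join-Path $env:USERPROFILE 'Desktop\recovered')
)

$drive  = [System.IO.Path]::GetPathRoot($Target).TrimEnd('\')      # "C:"
$volume = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $drive

# Same data as "vssadmin list shadows", as objects. Only snapshots of this
# volume that predate the cut-off are useful; newest first.
$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID -and $_.InstallDate -lt $Cutoff } |
    Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies of $drive older than $Cutoff; the snapshots are gone or were never made."
    return
}
"Usable snapshots of ${drive} (newest first):"
$shadows | Select-Object InstallDate, ID, DeviceObject | Format-Table -AutoSize

# A snapshot lives at \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; a directory
# symbolic link makes it browsable. The trailing backslash on the target is required.
$snap = $shadows[0]
$link = Join-Path $env:TEMP ('vss_' + $snap.ID.Trim('{}'))
cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
try {
    $relative = $Target.Substring($drive.Length + 1)               # path below the drive root
    $source   = Join-Path $link $relative
    if (Test-Path -LiteralPath $source) {
        New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $OutDir
        "Recovered $relative from the snapshot of $($snap.InstallDate) into $OutDir"
    } else {
        Write-Warning "$relative does not exist in the snapshot of $($snap.InstallDate)."
    }
} finally {
    # rmdir on a directory symlink removes only the link, never the snapshot.
    cmd /c rmdir "$link" | Out-Null
}
```

If the script reports no snapshots, the shadow copies are gone and only file-recovery tools or backups remain. For variants that rename files, $Target must be the original name as it existed before the infection, because the snapshot was taken before the rename.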

5. Use Data Recovery programs to recover Cerber Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This works only when the ransomware wrote an encrypted copy and deleted the original rather than overwriting it in place, so it does not succeed in all cases, but you can try this:

  1. We suggest using another PC and connecting the infected hard drive as a secondary (non-boot) drive. It is still possible to do this on the infected PC, though.
  2. Download Data Recovery Pro (commercial).
  3. Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


Cerber Ransomware screenshots

Published: March 8, 2016 03:52. Last updated: March 10, 2017 06:22.

3 thoughts on “Cerber Ransomware”

  1. Is there any way I can decrypt my files? Unfortunately, I hadn’t backed them up. Have you tested if any recovery tools are effective against this? Don’t wanna waste my money if they’re not though

    • There is no decryptor for cerber as far as I know. You could try to restore the files with some file recovery program.
