Cerber Ransomware - How To Remove?

Type: Ransomware

Cerber Ransomware is another program that infiltrates computers without the user’s knowledge and encrypts their important files. It works in exactly the same way as the previously released Locky Ransomware, CryptoWall Ransomware, TeslaCrypt Ransomware, CTB Locker, etc. The only difference among them is the size of the ransom demanded. The application is normally distributed via spam emails, so users should be more careful with them. Also pay more attention to your downloads from the Internet and make sure you choose reliable sources.

New version of Cerber malware can steal bitcoin wallet credentials

On August 10, security experts faced very disturbing news: the Magnitude exploit kit has adopted a highly sophisticated method of delivering the Cerber ransomware virus (1). The newly discovered technique lets the malware operate with an impressive level of evasiveness and trick anti-virus tools. The exploit kit transmits the malicious executable not as an RC4-encoded payload, but modified so that its size is inflated (padded) before it is run.

However, this is not the only alert regarding the Cerber crypto-virus. As many researchers predicted, this successful and constantly improved ransomware is not planning to give up any time soon (2). Currently, a novel version of Cerber has been detected with a very special feature. Apparently, the infection has grown to the point where it can obtain victims’ bitcoin wallet information and credentials (3). Furthermore, the hackers will remove the bitcoin account they have extorted assets from.

Therefore, the hackers do not even need their targets to pay the ransom: infecting them is more than enough. However, infecting victims might not be that easy, as there are certain malfunctions in the discovered sample of the Cerber malware threat. In addition to being awfully interested in victims’ bitcoin wallets, the sample also does not hesitate to steal credentials saved in Mozilla Firefox, Google Chrome and Internet Explorer (4).

Symptoms of an infection with Cerber crypto-virus

Cerber Ransomware usually locks files with .jpg, .doc, .raw, .avi, etc. extensions and adds the .cerber extension. Then it displays a warning demanding that users pay a ransom within 7 days if they want to unlock their files. Usually it asks for 1.24 BitCoin, which is more than $500. Here is how the message by Cerber Ransomware looks:

Your documents, photos, databases and other important files have been encrypted!
To decrypt your files you need to buy the special software – <<Cerber Decryptor>>.
All transactions should be performed via bitcoin network only.
Within 5 days you can purchase this product at a special price: B0.9292 (~$600).
All 5 days that price of this product will increase up to: B1.8584 (~$1200).

or (older version):

Cerber
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
1. Download and install the “Tor Browser” from https://www.torproject.org/
2. Run it
3. In the “Tor Browser” open website:
http://decrypttozxybarc.onion/
4. Follow the instructions at this website

And here is how the instructions look:

How to get “Cerber Decryptor”?
1. Create a Bitcoin Wallet (we recommend Blockchain.info)
2. Buy necessary amount of Bitcoins
Do not forget about the transaction commission in the Bitcoin network (~B 0.0005).
Here are our recommendations:
LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins;
CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins;
BTCDirect.eu – the best for Europe;
CEX.IO – Visa / MasterCard;
CoinMama.com – Visa / MasterCard;
HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency.

3. Send B 1.24 to the following address
4. Control the amount transaction at the “Payments History” panel below
5. Get the link and download the software

It seems to be so easy; however, it is not exactly so. If you don’t pay the ransom within 7 days, it states that the amount will be doubled to 2.48 BTC. On top of that, Cerber ransomware is able to recite its ransom message out loud to the victim via VBScript. This is quite a new feature among recent ransomware releases. The message usually sounds like this:

Attention! Attention! Attention!
Your documents, photos, databases and other important files have been encrypted!

This is quite a scary message, especially if you hear it out of nowhere. It obviously increases the chances that victims will simply do what the ransomware asks. On top of that, you will see another message on your desktop that looks like this:

Your documents, photos, databases and other important files have been encrypted!
If you understand all importance of the situation the we propose to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
The is a list of temporary addresses to go on your personal page below:

How to decrypt files locked by Cerber ransomware?

Unfortunately, even if you pay the ransom, there is no guarantee that you will get your files back. You can easily lose your money and get no decryption key. For this reason, the best way to retrieve your files is to restore them from a backup. This is when you realize how important it is to make regular backups.

We highly recommend taking better care to protect your computer from this kind of infection. Make sure you have a good antivirus installed, and additionally we recommend getting an anti-malware program, for example Reimage, SpyHunter or Malwarebytes. Keep them up to date to get the best out of them.

Update of the 14th of December, 2016. Microsoft Malware Protection Center has detected that Cerber ransomware is being spread via fake credit card e-mail reports containing an infected Word file.

Update of the 22nd of December, 2016. At this time it was noticed that Cerber ransomware does not delete the Shadow Volume Copies. Thus, affected users can use them to recover their encrypted data.

Update of the 24th of December, 2016. The new version of Cerber crypto-virus leaves _{RAND}_README.hta and _{RAND}_README.jpg files as ransom notes.

Update of the 18th of January, 2017. Cerber now leaves _HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg and .hta notes as the ransom letters.

Update of the 23rd of January, 2017. Researchers have now obtained more information about how exactly the Cerber crypto-virus proceeds. Thanks to a recently discovered vulnerability, it became possible to enter one of the servers belonging to the creators of Cerber. This mistake allowed experts to find out that the ransomware mostly targets people from Europe and America. It was also indicated that the Cerber nightmare is capable of sending close to nine thousand malicious spam letters per day.

Update of the 20th of February, 2017. New variants of Cerber have been spotted. The first one appears to encrypt only files that would not interfere with the operation of various security applications. This basically means that this variant leaves a device’s security products functional. The second sample of Cerber adds the .encryptedyourfiles extension to each encrypted file. 001-READ-FOR-DECRYPT-FILES.html is the file that opens in the default browser and serves as the ransom note.

Update of the 3rd of March, 2017. A couple of applications from the Google Play Store have been noticed to contain a Cerber ransom note called README.hta.

Update of the 10th of March, 2017. A new variant of Cerber ransomware, one of the most fearsome viruses around, was detected. This one does not scramble filenames and leaves them intact. However, this is not such a welcome feature: it is useful to be able to tell encrypted data from untouched data. To ease this, the ransomware still appends an extension to the end of each file. However, there does not seem to be a single extension shared by all victims of this variant; the extension appears to be individual for every affected user.

Update of the 10th of April, 2017. Cerber now drops a different instruction file: _READ_THI$_FILE_%random%_(hta|jpeg|txt).
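As an added example (not code from the original article), a small Python scan that walks a directory tree and flags the ransom-note file names and encrypted-file extensions listed in the updates above. The regexes are my reading of the page's _{RAND}_, [A-Z0-9]{4-8} and %random% notation, and the sample tree is constructed for the demonstration.

```python
import os
import re
import tempfile

# Note names and extensions from the Cerber variants described above; _{RAND}_ and
# %random% are read as runs of letters and digits (an assumption, not from the page).
NOTE_PATTERNS = [
    re.compile(r"^_[A-Za-z0-9]+_README\.(hta|jpg)$", re.I),                # _{RAND}_README.hta / .jpg
    re.compile(r"^_HELP_DECRYPT_[A-Z0-9]{4,8}_\.(hta|jpg)$", re.I),         # _HELP_DECRYPT_XXXX_.hta / .jpg
    re.compile(r"^_READ_THI\$_FILE_[A-Za-z0-9]+_\.?(hta|jpeg|txt)$", re.I),  # _READ_THI$_FILE_%random%_
    re.compile(r"^001-READ-FOR-DECRYPT-FILES\.html$", re.I),
    re.compile(r"^README\.hta$", re.I),
]
ENCRYPTED_EXTENSIONS = {".cerber", ".encryptedyourfiles"}

def classify_name(name):
    """Return 'note', 'encrypted' or None for a bare file name."""
    if any(p.match(name) for p in NOTE_PATTERNS):
        return "note"
    if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None

def scan_tree(root):
    """Walk root and return {'note': [...], 'encrypted': [...]} of matching paths, sorted."""
    hits = {"note": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify_name(name)
            if kind:
                hits[kind].append(os.path.join(dirpath, name))
    return {k: sorted(v) for k, v in hits.items()}

def build_sample_tree(base):
    """Populate base with a constructed mix of clean and Cerber-looking file names."""
    os.makedirs(os.path.join(base, "docs"), exist_ok=True)
    for rel in ["docs/report.docx", "docs/report.docx.cerber", "docs/_K7f2_README.hta",
                "_HELP_DECRYPT_AB12CD_.jpg", "holiday.jpg", "_READ_THI$_FILE_x9q_.txt",
                "backup.encryptedyourfiles"]:
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample\n")

def demo():
    """Scan the constructed tree in a temporary directory; return hit counts per kind."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {kind: len(paths) for kind, paths in scan_tree(tmp).items()}

if __name__ == "__main__":
    print(demo())  # {'note': 3, 'encrypted': 2}
```

The March 2017 variant with a per-victim extension cannot be caught by a fixed extension list, so for it the ransom-note names are the more reliable indicator.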

Update of the 18th of April, 2017. This year has been a real roller coaster for security researchers. Why? More ransomware variants than ever have emerged, and some of them quickly got way ahead of the others. Cerber, despite dating from 2016, has kept its position as the leader among the most active infections. It beats such examples as Locky, Jigsaw or Spora. Right now, Cerber ransomware is the one to be afraid of.

Update of the 17th of August, 2017. A new batch of Cerber ransomware tries to avoid detection by staying out of folders that contain canary files. Canary files are files that specific antiviruses monitor for access and changes. This makes it possible to protect folders with important documents by adding fake files, e.g. some sort of document file (.docx) renamed to .jpg (5).
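An added example, not part of the original article, showing the defender's side of the canary-file idea described above: decoy files are planted with a hash baseline, and any canary that later goes missing or changes is reported. The canary name and the two folders are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed canary name; a real product would use names that blend in with the folder.
CANARY_NAME = "~canary_do_not_touch.docx"

def _digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def plant_canaries(folders):
    """Write one decoy file into each folder and return {path: sha256} as the baseline."""
    baseline = {}
    for folder in folders:
        path = os.path.join(folder, CANARY_NAME)
        with open(path, "wb") as fh:
            fh.write(b"decoy document, never edited by the user\n")
        baseline[path] = _digest(path)
    return baseline

def check_canaries(baseline):
    """Compare canaries to the baseline; return {path: 'missing' | 'modified'} for changed ones."""
    alerts = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts[path] = "missing"     # deleted or renamed, e.g. a new extension appended
        elif _digest(path) != digest:
            alerts[path] = "modified"    # contents rewritten in place
    return alerts

def demo(tamper=True):
    """Plant canaries in two constructed folders, optionally overwrite one, and return the
    alerts as sorted (folder name, status) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        folders = [os.path.join(tmp, "a"), os.path.join(tmp, "b")]
        for folder in folders:
            os.makedirs(folder)
        baseline = plant_canaries(folders)
        if tamper:  # stands in for a process rewriting the decoy in folder a
            with open(os.path.join(folders[0], CANARY_NAME), "wb") as fh:
                fh.write(b"\x00\x11\x22")
        alerts = check_canaries(baseline)
        return sorted((os.path.basename(os.path.dirname(p)), s) for p, s in alerts.items())

if __name__ == "__main__":
    print(demo())  # [('a', 'modified')]
```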


Automatic Cerber Ransomware removal tools

Note: The Reimage trial provides detection of parasites and assists in their removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version. We might be affiliated with some of these programs. Full information is available in the disclosure.

How to recover Cerber Ransomware encrypted files and remove the virus

Step 1. Restore the system to the last known good state using System Restore

1. Reboot your computer into Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before Cerber Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Cerber Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program like Reimage and remove all malicious files related to Cerber Ransomware. You can check other tools here.


Step 3. Restore Cerber Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Cerber Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copies: using the native Windows Previous Versions feature or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Cerber Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

References:

  1. Cerber ransomware using Magnitude EK and binary padding. Scmagazine.com.
  2. Ransomware Not Going Anywhere Anytime Soon, Says Google. News.filehippo.com.
  3. Cerber Ransomware Is Now Capable of Stealing Browser Passwords, Bitcoin Wallet Data. Securingtomorrow.mcafee.com.
  4. Cerber Ransomware Now Steals Bitcoin Data. Securityintelligence.com.
  5. Cerber Ransomware vs canary files. http://securityaffairs.co/

About the author

 - Main Editor

I started 2-viruses.com in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.

March 8, 2016 03:52, August 17, 2017 05:47

3 Comments
  1. Is there any way I can decrypt my files? Unfortunately, I hadn’t backed them up. Have you tested if any recovery tools are effective against this? Don’t wanna waste my money if they’re not though

  2. There is no decryptor for cerber as far as I know. You could try to restore the files with some file recovery program.
