Remove Cerber ransomware virus and recover files (February 2017)
What is Cerber?
Cerber is a ransomware family that encrypts the files on an infected system and renames them with extensions such as .cerber, .cerber2 or .cerber3. Like most ransomware it spreads through spam e-mails that carry a malicious downloader. One notable trait: Cerber does not infect users in the following countries: Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Tajikistan, Russia, Uzbekistan and Ukraine. The check is simple: the malware inspects the language settings of the system, and if one of the languages of these countries is present it does not encrypt anything. If you do not live in one of these countries you can add one of these keyboard layouts as a cheap preventive measure, but treat it as a trick rather than a defense: it only works as long as the authors keep this check, and it does nothing against other ransomware families.
Cerber exists in many versions and is developed rapidly; each release adds features that make it more destructive and its encryption more efficient. The version current at the time of writing is delivered by the Nemucod downloader and the RIG exploit kit, which lets the criminals spread it more effectively, and it drops new ransom notes named _HELP_HELP_HELP_%random%.jpg and _HELP_HELP_HELP_%random%.hta. Two differences from earlier versions stand out. First, Cerber no longer encrypts files belonging to security software; it avoids touching them at all, and does the same for firewalls, cleaners, anti-spyware tools and similar defenses. Second, some samples of this latest version do not delete the Volume Shadow Copies on the infected system, which gives affected users a realistic chance of recovering their files from those copies.
How does Cerber ransomware infect computers?
Having existed for a long time, this virus uses several distribution techniques. It can be downloaded from compromised websites and domains, but the most effective and common vector is an e-mail attachment. Interestingly, the developers run an affiliate program: other criminals can join and distribute the malware by whatever means they choose, with the profit split 60/40 in the affiliate's favour. The bigger cut gives affiliates every incentive to push out as many samples as possible. In most cases the victim receives a spam message with a pretext designed to make them open the attached .doc or .docm file, typically disguised as a bank form or an invoice.
The document contains a macro that downloads the Cerber installer. The macro cannot run until the user clicks "Enable Content" in the Office security banner; once that happens, the macro fetches and launches the payload.
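As an added example (not GridinSoft's code and not something the article shows), here is a Python triage script for the attachment stage just described: an OOXML document such as .docx or .docm is a zip archive, and a macro-enabled one carries a vbaProject.bin part, so the presence of that part can be checked before anyone clicks Enable Content. The sample documents are constructed inline and are not real Word files; the verdict names (block, inspect, allow, other) and the extension-mismatch rule are this example's own conventions.

```python
"""Triage an e-mail attachment for an embedded VBA project.

Added example, not code from the article or from GridinSoft.  Modern Office
documents (.docx/.docm/.xlsm/.pptm ...) are zip archives; a macro-enabled one
contains a vbaProject.bin part.  Legacy binary .doc/.xls files are OLE2
containers whose macros need a dedicated parser (e.g. oletools), so they are
only flagged for manual inspection here.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (and any other zip)


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'other'."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" not in names:
            return "other"                         # a zip, but not OOXML
        # The VBA project sits under word/, xl/ or ppt/ depending on the app.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    return "other"


def triage(filename: str, data: bytes) -> dict:
    """Combine the content type with the claimed extension into a verdict.

    Verdict names are this example's own convention:
      block   - OOXML with a VBA project (the Cerber lure in the text)
      inspect - legacy OLE2 file, or an extension that lies about the content
      allow   - OOXML without macros
      other   - not an Office document at all
    """
    kind = classify_attachment(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # Word opens an OOXML file named .doc and an OLE2 file named .docx just
    # fine, so a mismatch is a classic trick to dodge naive extension filters.
    mismatch = (kind.startswith("ooxml") and ext in ("doc", "xls", "ppt")) or (
        kind == "ole2-legacy"
        and ext in ("docx", "docm", "xlsx", "xlsm", "pptx", "pptm")
    )
    if kind == "ooxml-macro":
        verdict = "block"
    elif kind == "ole2-legacy" or mismatch:
        verdict = "inspect"
    elif kind == "ooxml-clean":
        verdict = "allow"
    else:
        verdict = "other"
    return {"kind": kind, "extension_mismatch": mismatch, "verdict": verdict}


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("Invoice.docm", build_ooxml(True)),
               ("Invoice.doc", build_ooxml(True)),     # OOXML hiding behind .doc
               ("report.docx", build_ooxml(False)),
               ("old.doc", OLE2_MAGIC + b"\x00" * 504))
    for name, blob in samples:
        print(f"{name:14} {triage(name, blob)}")
```

The check is deliberately cheap: it never parses the VBA itself, so it is a mail-gateway or triage filter, not a replacement for a sandbox. A "block" verdict on an invoice-themed attachment is exactly the lure the article describes.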
Once the download completes, Cerber starts encrypting. The encryption algorithm and the ransom amount vary between versions. In most cases the user notices nothing until it is too late. To do as much damage as possible, the developers target a long list of file extensions; the only exceptions are system files, so that the victim can still use the infected computer to pay the ransom. The targeted extensions are:
.gif, .groups, .hdd, .hpp, .log, .m2ts, .m4p, .mkv, .mpeg, .ndf, .nvram, .ogg, .ost, .pab, .pdb, .pif, .png, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .dc2, .dcs, .ddoc, .ddrw, .der, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erbsql, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibd, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .mrw, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pot, .pptx, .psafe3, .py, .qba, .qbr, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .yuv, .contact, .dbx, .doc, .docx, .jnt, .jpg, .msg, .oab, .ods, .pdf, .pps, .ppsm, .ppt, .pptm, .prf, .pst, .rar, .rtf, .txt, .wab, .xls, .xlsx, .xml, .zip, .1cd, .3ds, .3g2, .3gp, .7z, .7zip, .accdb, .aoi, .asf, .asp, .aspx, .asx, .avi, .bak, .cer, .cfg, .class, .config, .css, .csv, .db, .dds, .dwg, .dxf, .flf, .flv, .html, .idx, .js, .key, .kwm, .laccdb, .ldf, .lit, .m3u, .mbx, .md, .mdf, .mid, .mlb, .mov, .mp3, .mp4, .mpg, .obj, .odt, .pages, .php, .psd, .pwm, .rm, .safe, .sav, .save, .sql, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .xlsb, .3dm, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .docm, .dot, .dotm, .dotx, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .max, .mdb, .pcd, .pct, .pl, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .ps, .r3d, .rw2, .sldm, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .xlr, .xlsm, .xlt, .xltm, .xltx, .xlw, .act, .adp, .al, .bkp, .blend, .cdf, .cdx, .cgm, .cr2, .crt, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, .nsh, .odc, .odp, .oil, .pas, .pat, .pef, .pfx, .ptx, .qbb, .qbm, .sas7bdat, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .flvv
Files with these extensions are encrypted with AES unless they sit in critical system folders. As it encrypts, Cerber renames each file and appends its own extension: four random hexadecimal characters such as .ba99, .98a0, .a37b or .a563 in recent versions, or .cerber, .cerber2 or .cerber3 in earlier ones. When encryption finishes, your desktop background is replaced with the ransom image shown below:
The ransom at the time of writing was 0.5 Bitcoin (about $559 US); the amount varies with the country and the Cerber version.
STEP 1. Cerber recovery guide
Ransomware is a dangerous kind of infection that evolves every day, and recovering files gets harder with each generation. Most current ransomware deletes the Volume Shadow Copies that the standard Windows recovery tools rely on, so that once your files are encrypted there is no local backup left to fall back on.
Please note: some ransomware fails to remove these copies, in which case the standard Windows recovery tools can still bring your files back. You can see whether any copies survived by running vssadmin list shadows from an elevated command prompt; if shadow copies are listed, follow the instructions below:
To make the recovery more reliable, boot the computer into Safe Mode with Command Prompt; fewer startup programs run in that mode, which lowers the chance of the ransomware running again while you restore.
- For Windows 7: reboot and keep pressing F8 before Windows loads, until the boot options appear.
- For Windows 8/10: on the login screen or in Settings, press the "Power" button, hold the Shift key and click "Restart".
- After the computer reboots, click "Troubleshoot", then "Advanced options", then "Startup Settings".
- Click the "Restart" button; the computer reloads and shows a list of options. Choose "Safe Mode with Command Prompt".
- When Windows loads, type cd restore at the command prompt and press Enter.
- Then type rstrui.exe and press Enter.
- The System Restore window opens; click Next to proceed.
- In the next window, choose a restore point dated before the Cerber infection. If the ransomware removed the backups, no restore points are listed. Be aware that System Restore rolls back system files, programs and settings; it does not bring back your personal documents, which have to be recovered from the same shadow copies through the Previous Versions tab of a file's or folder's Properties (where available) or a shadow copy browsing tool. Select a restore point and click "Next".
- Click "Finish" and confirm the recovery by pressing "Yes".
STEP 2. Removing traces of Cerber ransomware
Once recovery is complete, scan your computer with GridinSoft Anti-Malware to find any remaining traces of Cerber. Some ransomware removes itself right after encrypting your files, but other variants leave malicious processes behind for the criminals' later use.
Example of scanning process of GridinSoft Anti-Malware:
Using On-run Protection can additionally prevent many kinds of attack: it may flag the ransomware's downloader as malicious and stop Cerber from being fetched in the first place.
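The renaming pattern described under "What is Cerber?" (.cerber, .cerber2, .cerber3 or four random hex characters) and the ransom note names (_HELP_HELP_HELP_%random%.jpg and .hta) are enough to hunt for Cerber's traces on a disk independently of any vendor tool. The following Python script is an added example, not part of the article or of GridinSoft's products: it walks a directory tree, classifies file names against those patterns, and reports whether the tree looks infected. Run it against a read-only mount or a copy of the infected volume, not from the infected Windows session. The sample tree is constructed inline, and the five-file threshold for hex-only renames is an assumption of this example, chosen because a four-character hex extension alone is weak evidence.

```python
"""Hunt for Cerber file-name artifacts in a directory tree.

Added example, not code from the article or from GridinSoft.  Point it at a
read-only mount or a copy of the infected volume.
"""
import os
import re
import tempfile
from typing import Optional

# Extensions the article attributes to Cerber: .cerber/.cerber2/.cerber3 in
# early versions, four random hex characters (.ba99, .a37b ...) in later ones.
ENCRYPTED_EXT = re.compile(r"\.(cerber[23]?|[0-9a-f]{4})$", re.IGNORECASE)
# Ransom notes of the version discussed: _HELP_HELP_HELP_<random>.jpg / .hta
RANSOM_NOTE = re.compile(r"^_HELP_HELP_HELP_.+\.(hta|jpg)$", re.IGNORECASE)
# Assumption: a hex-only extension can collide with a legitimate file name
# (.dead, .feed ...), so treat it as weak evidence until several turn up.
MIN_WEAK_HITS = 5


def classify_name(name: str) -> Optional[str]:
    """'note', 'encrypted', 'encrypted-weak', or None for an ordinary name."""
    if RANSOM_NOTE.match(name):
        return "note"
    m = ENCRYPTED_EXT.search(name)
    if m is None:
        return None
    return "encrypted" if m.group(1).lower().startswith("cerber") else "encrypted-weak"


def scan_tree(root: str) -> dict:
    """Walk root and summarise the Cerber indicators found."""
    notes, strong, weak = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            label = classify_name(name)
            if label == "note":
                notes.append(path)
            elif label == "encrypted":
                strong.append(path)
            elif label == "encrypted-weak":
                weak.append(path)
    # A ransom note or a .cerber* file is conclusive on its own; hex renames
    # only count once there are enough of them to rule out coincidence.
    infected = bool(notes) or bool(strong) or len(weak) >= MIN_WEAK_HITS
    return {
        "infected": infected,
        "notes": sorted(notes),
        "encrypted": sorted(strong + weak) if infected else [],
        "weak_hits": len(weak),
    }


# Constructed sample names standing in for a victim's Documents folder.
DEMO_NAMES = ("budget.xlsx.ba99", "holiday.jpg.a37b", "thesis.cerber3",
              "_HELP_HELP_HELP_x7Kq2.hta", "_HELP_HELP_HELP_x7Kq2.jpg",
              "readme.txt")


def build_demo_tree(names=DEMO_NAMES) -> str:
    """Create a throwaway tree of empty files for the demo and return its root."""
    root = tempfile.mkdtemp(prefix="cerber-demo-")
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    for name in names:
        open(os.path.join(docs, name), "w").close()
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    print("infected:", result["infected"])
    for path in result["notes"]:
        print("ransom note:", path)
    for path in result["encrypted"]:
        print("encrypted  :", path)
```

The list of encrypted paths doubles as the inventory you need before attempting recovery from shadow copies, and the ransom notes should be kept as evidence rather than deleted until you have finished.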
STEP 3. Prevent the Cerber ransomware infection with GridinSoft Anti-Ransomware
Although ransomware can delete the shadow copies of your OS, our product GridinSoft Anti-Ransomware protects them from being removed in the first place: when a malicious program tries to delete your backups, it intercepts the request and blocks the process that issued it.
Note: the product is still in beta testing, so some bugs and glitches are possible.
Besides a protection tool, a few simple habits will cut your risk of infection to a minimum. Follow them every time you work on your computer:
- Do not open suspicious spam messages or their attachments, and be careful with downloads: install software from the vendor's official website whenever possible.
- Back up your important files regularly, and keep copies of the really important ones in several different places, at least one of them offline so that ransomware running on your PC cannot reach it.
- Keep your system free of adware, hijackers and PUPs. A computer that already carries unwanted software is more likely to be compromised by other malware, and ransomware is no exception.
- Do not panic, and do not pay the ransom right after you discover the infection. Search the internet first: someone may already have published a decryption tool for your version.
Leave your comments and questions below to help us and other users improve this guide, or use our ticket system to contact our support team. We will gladly help you!