Cerber virus. How to Remove? (Uninstall Guide)

The overview of ever-evolving Cerber: how it encrypts your files

Cerber virus is a noxious ransomware-type threat that uses AES encryption to lock the victim's files. Like any other ransomware-type virus, it can be downloaded via malicious spam emails that carry an executable virus file. An interesting detail about this virus is that it will not attack your computer if you live in one of these countries: Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Tajikistan, Russia, Uzbekistan, Ukraine. Unfortunately, if none of these is your country of current residence, this virus may hit your computer. It sets itself to run automatically on the next computer startup. Once the computer becomes active, Cerber ransomware starts showing random error messages and then reboots your computer into Safe Mode with Networking. The virus then restarts your computer again, this time in normal mode, and starts the encryption process.


Once the encryption process is finished, Cerber virus drops ransom notes in each folder that stores encrypted files. These notes are named DECRYPT MY FILES. The file extension may vary: it can be a .html, .txt, or .vbs file. The .vbs file will also play a sound message, which says:

Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!

The ransom note explains what happened to your computer and provides instructions on how to retrieve your files. In short, Cerber developers ask you to download the Tor browser to access the website where you can pay the ransom anonymously. The note demands that the victim pay 1.25 Bitcoins, which is approximately $512 USD. It also threatens that the ransom will be doubled if the victim does not pay within seven days. If the ransom is paid, this ransomware should supposedly provide a unique download link to get a Cerber decryption tool. Otherwise, there is no way to decrypt files for free.

Is there a way to recover the files?

Unfortunately, it is impossible to decrypt the files locked by Cerber ransomware without paying the ransom. However, it is not recommended to pay up because it only encourages the cyber criminals to continue their fraudulent activities and create more computer viruses. Plus, bear in mind that there is NO guarantee cyber criminals are actually going to help you recover your files. You may not receive the Cerber decryptor at all, even if you pay up. Also, this tool may be corrupted or bring other malware onto your computer and damage it even more. Therefore, you should not collaborate with the cyber criminals on any level, because their main intention is to make money, and they will do their best to make their efforts pay off.

Deleting the virus from your computer will not remove the encryption from the files. Trying to recover your files using the hacker-suggested Cerber decryptor tool is not safe either. The best decision is to turn to more reliable ways to recover your data. The quickest and the safest way to achieve that is by importing your data from a backup device. We strongly recommend you NOT to keep the copies of your data on online storage clouds, because some viruses can access them via your Internet connection and corrupt them, too. It is best to keep your files stored on an external drive and update it regularly. But there are risks here too. If the external drive is plugged into the computer at the time of the virus infiltration, the files in the storage will most likely be encrypted too. So, you have to make sure that you unplug the external storage device from your computer every time you back up some files. If you do not have a backup, you might want to try these tools: Photorec, Kaspersky virus-fighting utilities or R-Studio. Keep in mind that you must eliminate the Cerber virus from your device completely before you attempt to recover your files in either of the ways mentioned above. You can do that using anti-malware software like Reimage.

UPDATE August 2016: Malware researchers found flaws in the Cerber ransomware project and launched a site that allowed victims to decrypt .cerber and .cerber2 files for free. Although the authors of this site did not provide any information on how they managed to defeat Cerber, some security experts guessed that they had found out what the Master Decryption Key is. It appears that this was not true, and most likely they found a flaw in Cerber's C&C server. Reportedly, hundreds of victims who followed news about Cerber virus managed to decrypt their precious files for free. Sadly, the organized criminals quickly found the flaw and patched it, so it is no longer possible to decrypt files using this decryption service. What is more, Cerber's payment site has been improved by adding a Captcha system, which helps to block automated attempts to access the site. It seems that this ransomware gang is well-organized and determined to keep this virus undefeatable, which is a horrifying fact. Therefore, computer users are advised to take precautions, create data backups and protect computers with a proper anti-virus solution to prevent a ransomware attack, because, at the moment, there is no way to recover encrypted data using decryption tools.

UPDATE September 2016: Some concerning news has just reached the 2-spyware team about a new version of the Cerber virus that has potentially been released earlier this month. It would now be the third variant of this malicious ransomware infection. In fact, such a turn of events was already anticipated. It is typical for ransomware developers to improve and perfect their malicious creations. Currently, we do not have much information about Cerber 3.0 (you can read about it here - What is known about Cerber3 file extension virus?), but it is likely that this new version of the virus will be even more malicious and destructive. The hackers had plenty of time to fix the bugs found in the previous two versions and are now ready to continue their rampage with new force. We will keep you updated if the claims about Cerber 3 turn out to be true. In the meantime, you should start taking serious precautions and back up your data if you haven't done that yet. This way, you will be confident that your precious data is secure.

It seems that the ransomware is getting more aggressive each day. Now this menace might befall you even on legitimate websites. Virus researchers reported that the Ammyy Admin web page had been infected and distributed a file with this malware in it. It is suspected that the website dispersed the virus for several days, approximately from the 13th to the 15th of September. The binary, which was named encrypted.exe, was placed in AA_v3.exe. Previously, this domain was assaulted by other highly damaging malware. At the moment, the website is fully restored and safe for public use.

Versions of Cerber malware

Cerber Decryptor. This tool is offered by Cerber's authors, who advertise it as a program that supposedly can recover encrypted data for the victim. This might not be true because you can never rely on cyber criminals' words. This piece of malware can be bought in Bitcoins, but there is no information whether it decrypts files or not. Even if it does, remember that criminals can send it to you in a bundle with malicious files or Trojans, which can cause further security problems to you. Malware researchers always suggest not to rely on cyber criminals and decryption services that they offer. Besides, paying the ransom would fund further projects of malware creators, so you may want to think twice before you reach out for your credit card.

Cerber2 ransomware. As the name of the virus suggests, this is the second version of Cerber virus. It was released in August 2016, and it seems to be distributed via drive-by downloads, malvertising, and malicious email campaigns. This virus locks the data using a nearly unbreakable encryption algorithm and adds the .cerber2 file extension to the files. Once encrypted, files cannot be accessed in any way without having the decryption key. Of course, you can get the decryption key, but crooks ask for money in exchange; in other words, you need to pay a ransom to get your files back. It is strongly recommended not to pay the ransom, as the Cerber2 decryption tool might have flaws and not decrypt the data entirely. Just like other decryptors offered by ransomware authors, this one can be supplemented with harmful additional files as well. Security experts recommend removing Cerber 2.0 virus as soon as the victim notices that the computer has been compromised by it, and retrieving lost data from backups.

Cerber3 ransomware. The new version proves to be more powerful than ever before. Now the ransomware appends the .cerber3 extension to the encrypted data. There are also changes regarding its ransom note. While previously it demanded the ransom in a # DECRYPT MY FILES #.txt or # DECRYPT MY FILES #.html file, now the recovery instructions are presented in # HELP DECRYPT #.html. Throughout its existence, the malware has already wheedled out stunning amounts of money. That is why we do not suggest transferring the money. There are no guarantees of recovering the data from the hackers. Lastly, the threat spreads via the same channels: spam emails and infected advertisements and links.
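Added example (not part of the original article and not code from any vendor): a read-only Python scan that uses only the indicators named in this article, the .cerber, .cerber2 and .cerber3 extensions and the DECRYPT MY FILES / HELP DECRYPT note names, to show which folders were hit and by which version before you restore from backup. The function names and the sample folder layout are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Indicators taken from the article text only.
ENCRYPTED_EXT = {".cerber": "Cerber", ".cerber2": "Cerber2", ".cerber3": "Cerber3"}
# Note names as given in the article: "DECRYPT MY FILES" (.html/.txt/.vbs),
# optionally wrapped in "# ... #", and "# HELP DECRYPT #.html" for Cerber3.
NOTE_RE = re.compile(r"^#?\s*(DECRYPT MY FILES|HELP DECRYPT)\s*#?\.(html|txt|vbs)$", re.I)


def scan_tree(root):
    """Walk root; return {folder: {"notes": [...], "encrypted": {version: count}}}."""
    report = defaultdict(lambda: {"notes": [], "encrypted": defaultdict(int)})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name):
                report[folder]["notes"].append(name)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in ENCRYPTED_EXT:
                report[folder]["encrypted"][ENCRYPTED_EXT[ext]] += 1
    return {f: {"notes": sorted(r["notes"]), "encrypted": dict(r["encrypted"])}
            for f, r in report.items()}


def build_sample(root):
    """Create a constructed layout of empty files for the demo (no real data)."""
    layout = {
        "docs": ["report.cerber", "# DECRYPT MY FILES #.txt", "# DECRYPT MY FILES #.html"],
        "photos": ["img001.cerber3", "img002.cerber3", "# HELP DECRYPT #.html"],
        "clean": ["notes.txt", "decrypt my files later.docx"],  # must not match
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for n in names:
            open(os.path.join(root, sub, n), "w").close()


def demo():
    """Scan the constructed sample and key the result by folder name."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return {os.path.basename(f): r for f, r in scan_tree(root).items()}


if __name__ == "__main__":
    for folder, r in sorted(demo().items()):
        print(folder, r)
```

Point scan_tree at a backup drive or user profile folder to get the same per-folder summary; the scan only reads file names and never opens or modifies files.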

How does the ransomware manage to invade the PC?

Reportedly, Cerber malware permits other cyber criminals to join its affiliate network and allows them to distribute this virus however they want. The original developers of Cerber take part of the profit and allow the affiliates to keep the rest of it. Be aware that cyber criminals mostly distribute this virus via spam emails, so make sure you do not open any suspicious emails that come from unknown senders. Even though most of such malicious correspondence ends up in the “Spam” folder, there is no guarantee that a virus-carrying email will not slip into your regular Inbox as well. So, you should be particularly careful about opening any attachments that come from unknown sources and are accompanied by suspicious emails. Often the cyber criminals will pose as representatives of governmental or law enforcement institutions, so it is recommended that you always check the legitimacy of such emails if you receive any. Cerber ransomware can also enter your computer with the help of Trojans. Therefore, you should avoid untrustworthy download websites because you might download an infected file that has this malicious virus carrier attached to it. Needless to say, you should avoid visiting high-risk web pages and interacting with the pop-ups and other notifications you may encounter there.

Cerber elimination instructions

There is no doubt that Cerber ransomware is one of the most dangerous computer viruses of today. Computer experts are still working to create a decryption tool to help Cerber victims decrypt their files, but at the time of writing, there are no ways to decrypt the encrypted files without paying the ransom. However, if you are not willing to pay up, we suggest that you remove Cerber virus as soon as possible. It is a dangerous and well-structured computer threat. Therefore, computer experts recommend using a professional malware removal tool to eliminate it from a victimized computer. However, you should bear in mind that Cerber removal may not always go as smoothly as you hope it would. The virus may try tackling your antivirus just to remain on your PC. So, if your antivirus does not initiate the scan or is unable to remove the virus, please follow the instructions provided below and try scanning your computer again.
