Danger level 7
Type: Trojans
Common infection symptoms:
  • Changes default search engine
  • Installs itself without permissions
  • Connects to the internet without permission
  • Slow Computer

Cerber Ransomware

Cerber Ransomware is a new ransomware application that was first discovered at the end of February 2016. The program exhibits common ransomware infection symptoms, although it comes with additional features that may freak out even the most cold-blooded user.

Unfortunately, there is no way to decrypt the files affected by the infection at the moment, but you still need to remove Cerber Ransomware from your system, to ensure that no other malicious program manages to enter your computer. Ransomware Trojans are known to be able to download backdoors and other malicious programs onto target systems, so you need to do everything in your power to prevent that from happening.

Sometimes a ransomware program locks the affected user out of their computer to make matters look worse, but that does not happen with this infection. Nevertheless, Cerber Ransomware does something spookier. The infection “speaks” to its victims. One of the ransom note files contains a VBScript, which can eventually make the computer launch an audio message informing you that the encryption has taken place. To make matters worse, the audio message repeats itself over and over again. It will say: “Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!”

Aside from the creepy audio message, you will also see several notifications on your screen that will help you get the hang of what is going on with your computer. Cerber Ransomware will show a message that reads as follows:

Your documents, photos, databases and other important files have been encrypted!
To decrypt files follow the instructions:
1. Download and install the “Tor Browser” from https://www.torproject.org
2. Run it
3. In the “Tor Browser” open website:
http://decrypttozxybarc.onion/437A-A5A7-C7B8-0042-F5EC
4. Follow the instructions at this website

If that were not enough, the malware ends this message with a quote in Latin that says “Quod me non necat me fortiorem facit,” which basically translates into “what doesn’t kill me makes me stronger,” but it is doubtful whether the users infected with this program would find the quote encouraging.

To decrypt the files that have been affected by Cerber Ransomware, you are asked to pay 1.24 bitcoin, which is approximately $522. This is the usual price range for the ransom fee requested by similar infections. However, the program gives you limited time to pay the ransom and says that if you fail to transfer the ransom fee within 7 days, the price of the decryption key will increase to 2.48 bitcoin (or ~$1044).

Should you pay the ransom fee? Absolutely not. By paying the fee you would only give the cyber criminals what they want, and even if they do intend to issue the decryption key, there is no guarantee you will receive it. As you can see in the ransom notification, Cerber Ransomware makes use of the Tor network for communication and payment collection. This network may not be as stable as you would want it to be. It depends on proxies, and some proxy providers may take their proxy server down if they find out that the server has been used for malicious purposes. Thus, it is possible that the server could be taken down in the middle of the transfer, and while the criminals receive your payment, you may not be able to get the decryption key back.

How to restore your files then? The best option would be a file backup. Perhaps you have heard this countless times before, but it is extremely important to keep a file backup either on an external drive or in virtual cloud storage. Even setting aside the possibility of a ransomware infection, you should still consider all the other potential risks that are related to file loss. Ask any computer specialist and you will be told that keeping additional copies of your files someplace else is your best shot at protecting your files.

If you do not have a backup, you may try restoring the files from Shadow Copies (provided the ransomware has not deleted them), but for that you may need help from a computer specialist. Either way, the bottom line is that Cerber Ransomware is an extremely dangerous infection that wants to rip you off, and if you do not remove this ransomware Trojan from your PC, you can face even more serious computer security issues.

In case manual removal seems too complicated for you, we would recommend employing a licensed antispyware tool that would delete all the malicious files automatically. A computer security program of your choice would also protect your system from further infections in the future.

How to Remove Cerber Ransomware

Delete Points of Execution

  1. Press Win+R and type regedit. Click OK.
  2. Go to HKEY_CURRENT_USER\Control Panel\Desktop.
  3. Delete the value SCRNSAVE.EXE with the value data %AppData%\{RANDOM CLSID}\*.exe.
  4. Go to HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun.
  5. Delete a random value with the value data %AppData%\{RANDOM CLSID}\*.exe.
  6. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.
  7. Delete a random value with the value data %AppData%\{RANDOM CLSID}\*.exe.
  8. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  9. Delete a random value with the value data %AppData%\{RANDOM CLSID}\*.exe.
  10. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  11. Delete a random value with the value data %AppData%\{RANDOM CLSID}\*.exe.

N.B.: * in *.exe refers to a random file name.

Delete Files

  1. Press Win+R and enter %ALLUSERSPROFILE%\Start Menu\Programs\.
  2. Click OK and delete a random name file with the .lnk extension.
  3. Repeat steps 1 and 2 with the following locations:
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\
  4. Press Win+R once more and type in %AppData%.
  5. Locate a random Class ID and delete the folder together with the .exe file.
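
The checks from both removal lists above, as an added read-only PowerShell audit (not part of the original guide): it reports registry values, Start Menu shortcuts and %AppData% folders that match the %AppData%\{RANDOM CLSID}\*.exe pattern, and deletes nothing. The function names are hypothetical, AutoRun is read as a value of the Command Processor key, and matching shortcuts by their target path is an assumption the guide does not state.

```powershell
# Added example: read-only audit of the locations named in the removal steps.
# Pattern from the guide: %AppData%\{RANDOM CLSID}\<random name>.exe
$guid    = '\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}'
$appData = [regex]::Escape($env:APPDATA)
$pattern = "^`"?($appData|%AppData%)\\$guid\\[^\\]+\.exe"
$keys = @(
    'HKCU:\Control Panel\Desktop',                   # SCRNSAVE.EXE value
    'HKCU:\Software\Microsoft\Command Processor',    # AutoRun is a value of this key
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startMenu = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs"
)
function New-Finding($Kind, $Location, $Name, $Data) {    # hypothetical helper
    [pscustomobject]@{ Kind = $Kind; Location = $Location; Name = $Name; Data = $Data }
}
function Get-CerberCandidate {                            # hypothetical name
    # 1. Registry values whose data points into %AppData%\{CLSID}\
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw data so an unexpanded %AppData% is matched as well
            $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ("$data" -match $pattern) { New-Finding 'Registry' $key $name $data }
        }
    }
    # 2. Start Menu shortcuts whose target matches (assumption, see lead-in)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startMenu) {
        Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            if ($target -match $pattern) { New-Finding 'Shortcut' $dir $_.Name $target }
        }
    }
    # 3. CLSID-named folders directly under %AppData% that hold an .exe
    Get-ChildItem -Path $env:APPDATA -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match ('^' + $guid + '$') } |
        Get-ChildItem -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'File' $_.DirectoryName $_.Name $_.LastWriteTime }
}
Get-CerberCandidate | Format-Table -AutoSize
```

Review each reported entry before deleting it by hand as described in the steps above; legitimate software rarely uses a bare CLSID folder name directly under %AppData%, but the pattern alone is not proof.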