Find out why Cerber is considered an offbeat ransomware infection and what measures can be adopted to restore encrypted files with the .cerber extension.
The tactic of taking something important hostage and then making demands of a buyout isn’t restricted to the physical world only. Computer criminals have been heavily using this exact principle to make money. The entities at stake in the cyber scenario are files stored on infected workstations. The malicious code dubbed “ransomware” is furtively served to systems, where it locates and encrypts the most important data, displays files with the terms of recovery, and waits for the victim to cough up a specified amount of money. Cerber is one of the hundreds of these pests circulating on the open Internet at this point, but its characteristics aren’t standard.
There is a negligible probability of targeted users detecting the Cerber ransomware when it’s infiltrating computers. As opposed to the more apparent trespassing methodology, such as through drive-by downloads, the propagation of this strain relies on exploit kits like the one called Magnitude. There are two main conditions for a successful compromise. First off, a vulnerable PC is one that has security vulnerabilities due to unpatched software like Java or Adobe Flash Player. Secondly, the user runs the risk of catching the virus loader when visiting a hacked website, which has scripts that reroute traffic to the exploit kit’s page. If these unfavorable requirements are met, the machine becomes infected without any obvious indicators of compromise.
Then, Cerber scours across all local drives, network shares and removable devices in search of valuable data. If it discovers that a file has a popular extension, such as .jpeg, .xlsx, .docx, .pdf and the like, it engages a complex crypto mechanism involving the AES-256 algorithm to deny the accessibility of this object. The files processed this way will also be renamed to incoherent strings of hexadecimal symbols followed by .cerber extension, for example wsfh5VhkSc.cerber.
The next phase of the breach is to notify the victim, in case they haven’t yet realized what a predicament they are in. To that end, the program deposits a combo of three files into each folder with enciphered items. These include # DECRYPT MY FILES #.txt, # DECRYPT MY FILES #.html, and # DECRYPT MY FILES #.vbs. The main message is as follows: “Your documents, photos, databases and other important files have been encrypted!” The VBS version is interesting, because it makes the computer play an audio alert when opened.
To decrypt the data, the victim has to submit 1.24 BTC to the perpetrators’ Bitcoins wallet mentioned in the Cerber Decryptor page, which is parked at a Tor (The Onion Router) gateway for anonymity purposes. There is a deadline for the payment – 7 days. After this time expires, the ransom will double and thus reach 2.48 BTC, or about 1,600 USD. Unfortunately, the Cerber encryption has not been cracked by experts, so the user has to either pay the ransom or try something else. The next part of this entry focuses on the applicable restoration methods.
Run security software to remove Cerber virus
Antimalware industry has got an efficient response to threats like Cerber ransomware, sometimes after the fact, though. A combination of signature-based detection and heuristics built into the recommended security tool can accurately identify the plague so that removal becomes a simple, one-click experience. Be advised, however, that this action alone will not get your files decrypted.
Download and install Cerber virus remover. Once the tool is running, click Start Computer Scan.
- Upon completion of the scan, the program will display a list of harmful items that were detected. Select the Fix Threats feature in order to have the ransom trojan automatically removed.
Avenues of restoring .cerber files
If your data is backed up to an offsite vault, such as an external piece of hardware or secure cloud storage, then you are minutes away from recovery. Just make sure you obliterate the crypto virus before downloading unaffected copies of your files. This is undoubtedly the most advantageous scenario.
The methods below apply to the incidents where no backup is in place. They don’t involve decryption proper. However, each one poses a workaround to unscramble the data that the operating system may have backed up before the attack took place. Most samples of crypto ransomware are programmed to disable the appropriate emergency mechanisms built into the OS, but some strains are reportedly unsuccessful in doing so. One way or another, the following techniques are definitely worthwhile.
Plan A: Harness 'Shadow Copies' of your files
The Windows feature called VSS, which stands for Volume Shadow Copy Service, makes snapshots of all data files at specified points in time, which typically correspond to System Restore events and important updates. The Cerber virus has got a response for VSS based troubleshooting on the victims’ end, attempting to disable this module after contaminating a PC. However, it doesn’t always succeed in this.
Here is what you need to do to find out if this method can be of use in your case. Download and install Shadow Explorer, a lightweight and intuitive app tasked with administering reserve copies of all files stored on mapped drives. Select a folder or file, right-click on it with your mouse, select Export and define the path to which the object will be restored.
Plan B: Let data recovery software do its job
Specially crafted recovery tools pursue the goal of reinstating accidentally deleted files or information that vanished because of critical hardware or software errors. Their application domain covers some instances of ransomware attacks as well. Under the circumstances, consider installing an effective suite called Stellar Data Recovery, run a scan to find out what fragments of data can be restored, and chance your arm rescuing them.
Don’t underestimate ransomware
Having adopted the entirety of measures in a bid to get the encoded files back, consider rescanning your machine to make sure the crypto ransomware is no longer inside. There may be a relapse in case the cleanup hasn’t been thorough, so spare a minute or two double-checking.