Cerber ransomware removal and file restoration

Learn the methods that may get your data back after a Cerber ransomware attack, and get a complete profile of this dangerous virus.

What is Cerber ransomware?

Online extortionists' creativity seems to be infinite as they keep coming up with bizarre names for their crypto infections. Let's take a look at the Cerber strain, whose name is reminiscent of the monstrous guard dog of Greek mythology. It's difficult to find any obvious tie between the two beyond the menacing ring of both. The cyber counterpart is extremely harmful, so coming across it is not a favorable scenario. It locates the most important data on your computer and encrypts it with a cipher that cannot be brute-forced. Ultimately, all data files on fixed drives, connected external media, and network shares, both mapped and unmapped, become impossible to view, copy or edit. Every encrypted file gets the .cerber extension and its original name is replaced, so the victim can no longer even tell which file is which.

# DECRYPT MY FILES # ransom instructions

Typically, Cerber arrives with spam. The phishing messages, sent to thousands of people a day, pose as official documents: invoices, package delivery reports, traffic offense notifications, CVs and the like. They usually carry a ZIP file as the attachment. When the archive is opened and the file inside is run, an obfuscated JavaScript loader downloads and launches the ransomware with nothing visible to the user. The malicious executable ends up in the AppData directory, a common drop location because it is writable without administrator rights (so the infection works from an ordinary user account) and is rarely inspected by hand.

Messed up files after the Cerber attack

This ransom Trojan encrypts its victims' files with AES (Advanced Encryption Standard), a symmetric cipher in which the same uniquely generated key is used both to encrypt and to decrypt the data. Unlike some poorly built ransomware, Cerber does not embed the secret key in its binary, so it cannot be extracted from the executable to restore the hostage data. (How the key is protected once generated is not covered here; ransomware of this kind normally wraps the per-victim key with a public key that only the attackers can unlock.) To present its demands, the infection drops three files with similar contents: # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. The text reads, "Your documents, photos, databases and other important files have been encrypted!" The VBScript version even uses text-to-speech, so the warning is read aloud over the PC's speakers.
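Before touching any recovery tool it helps to know how far the encryption went. The following triage script is an added example, not code from the original article or from any vendor; it enumerates the .cerber files and the three ransom notes named above, reports which directories were hit and the time window of the encryption run (taken from the files' LastWriteTime), and writes an inventory for the incident record. It assumes the victim's data is reachable under -Root, either on the cleaned machine or on a mounted disk image, and the .onion pattern it looks for in the text note is an assumption about the note's format.

```powershell
# Added example, not from the original article: triage a host hit by Cerber.
# Counts .cerber files and ransom notes, lists the most affected directories,
# reports the encryption time window and writes a per-file inventory.
# Assumption: the victim's files are reachable under -Root.
param(
    [string]$Root   = 'C:\Users',
    [string]$Report = "$env:TEMP\cerber-triage.csv"
)

$noteNames = @('# DECRYPT MY FILES #.txt',
               '# DECRYPT MY FILES #.html',
               '# DECRYPT MY FILES #.vbs')

# One pass over the tree. -Force includes hidden files; access errors on
# locked or protected paths are skipped instead of aborting the scan.
$all = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue

$encrypted = @($all | Where-Object { $_.Extension -ieq '.cerber' })
$notes     = @($all | Where-Object { $noteNames -contains $_.Name })

if ($encrypted.Count -eq 0) {
    "No .cerber files found under $Root"
    return
}

# Directories ranked by number of encrypted files, and the first/last write
# times of the encrypted files, which bound the encryption run.
$dirs   = @($encrypted | Group-Object DirectoryName | Sort-Object Count -Descending)
$sorted = @($encrypted | Sort-Object LastWriteTime)

[pscustomobject]@{
    EncryptedFiles      = $encrypted.Count
    AffectedDirectories = $dirs.Count
    RansomNotes         = $notes.Count
    FirstWrite          = $sorted[0].LastWriteTime
    LastWrite           = $sorted[-1].LastWriteTime
} | Format-List

"Most affected directories:"
$dirs | Select-Object -First 10 Count, Name | Format-Table -AutoSize

# The inventory doubles as the checklist of what recovery still has to bring back.
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path $Report -NoTypeInformation
"Inventory written to $Report"

# Record the attacker's Tor address from the text note without opening the
# page. Assumption: the note contains a 16-character (v2) .onion hostname.
$notes | Where-Object { $_.Extension -ieq '.txt' } |
    Select-String -Pattern '[a-z2-7]{16}\.onion' -AllMatches |
    ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
```

Run it with `-Root C:\` to cover the whole system drive; the scan takes longer but also picks up encrypted files outside the user profiles. The FirstWrite and LastWrite values are what you would correlate with mail logs to find the message that delivered the ZIP attachment.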

To decrypt the locked data, victims are told to pay 1.24 Bitcoins, about $814 at the BTC to USD rate at the time of writing. That's how much the criminals think your data is worth. To submit the ransom, the user has to visit a Tor page titled "Cerber Decryptor", where the Bitcoin address is provided. The page also contains a field where the decryption tool supposedly becomes available after payment. Paying criminals for access to what is yours anyway is a bad deal, and nothing guarantees the tool ever appears; it's a true plague of the current threat landscape. To avoid Cerber and the like, first and foremost be careful with suspicious email attachments. If the infection has already taken place, take your time and try the recovery techniques that don't involve funding cybercrime.

Cerber virus removal

Removing the ransomware makes sure it does no further damage. The automated cleanup tool linked here is designed to detect the executables of known crypto viruses and remove their components. Keep in mind, though, that the encrypted files stay inaccessible until the recovery measures below are applied: removal stops the attack, it does not undo it.

1. Download and install Cerber virus remover. Run the suite and click Start Computer Scan.

2. As soon as the scan report is ready, make sure all the malicious entries on the list are selected and click Fix Threats to get the cleaning job done.

File recovery how-to’s

Now that you have taken care of the offending code proper, it's time to try restoring the scrambled files. Regular backups made before the compromise are the best way to get the information back. In that case, use your backup service's restore function to download the most recent copies of the files. If the backup lives on an external drive, first make sure the ransomware has been removed and that the drive was not connected during the attack (Cerber also encrypts connected external media and network shares, as noted above), then copy the data back to the PC.

Unfortunately, some users don't have a sound backup strategy that would make them resilient to such attacks. If you are in that category, the choice is between paying the ransom and trying the data recovery techniques below. Paying should be your last resort, so try these routines first.

a) Explore ‘shadows’
Despite the name, this is a down-to-earth method that works in some ransomware cases. It relies on Volume Shadow Copies: snapshots of files that Windows takes during major updates and when a new restore point is created. The ShadowExplorer applet automates finding these previous versions and restoring them to a location of your choice or to the original folder.

ShadowExplorer

The problem is that many crypto ransomware strains run "vssadmin.exe Delete Shadows /All /Quiet" to wipe every existing snapshot (the Volume Shadow Copy service itself keeps running; there is simply nothing left to restore from). To find out whether this technique can work in your case, download, install and launch ShadowExplorer, choose a snapshot date, right-click any folder, for example Documents and Settings, select Export and pick the directory to which the folder's contents should be restored. If that worked, proceed with the rest of your data in the same way.
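You can answer the same question, and do the restore, without installing anything. The script below is an added example, not code from the original article or from ShadowExplorer's authors: it checks whether any shadow copies survived for the volume, and if so links the newest snapshot into the file system and copies a folder tree out of it, skipping files that were already encrypted when the snapshot was taken. It needs an elevated PowerShell prompt on the cleaned machine; the folder names are assumed examples.

```powershell
# Added example, not from the original article: check for surviving Volume
# Shadow Copies and copy a folder out of the newest snapshot using only
# built-in tools. Run elevated. Paths below are assumed examples.
param(
    [string]$Volume   = 'C:\',
    [string]$Source   = 'Users\Alice\Documents',   # relative to the volume root
    [string]$Dest     = 'D:\restore\Documents',    # put restores on another drive
    [string]$LinkPath = 'C:\shadow_mount'
)

# Shadow copies are keyed by the volume GUID path, not by the drive letter.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
             Where-Object { $_.Name -eq $Volume }).DeviceID
$shadows  = @(Get-CimInstance -ClassName Win32_ShadowCopy |
              Where-Object { $_.VolumeName -eq $volumeId })

if ($shadows.Count -eq 0) {
    # This is what "vssadmin Delete Shadows /All /Quiet" leaves behind: the
    # service still runs, there is just no snapshot left to restore from.
    Write-Warning "No shadow copies exist for $Volume; try file recovery software instead."
    return
}

$newest = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1
"{0} snapshot(s) for {1}; using {2} taken {3}" -f $shadows.Count, $Volume, $newest.ID, $newest.InstallDate

# The snapshot is exposed as a device path. A directory symlink to it makes it
# browsable like a normal folder; the trailing backslash is mandatory.
& cmd.exe /c mklink /d $LinkPath "$($newest.DeviceObject)\" | Out-Null
if (-not (Test-Path $LinkPath)) { throw "Could not link $LinkPath to the snapshot" }

try {
    $src = Join-Path $LinkPath $Source
    # A snapshot taken mid-attack can hold a mix of clean and .cerber files;
    # only the clean ones are worth copying out.
    Get-ChildItem -Path $src -Recurse -File -Force |
        Where-Object { $_.Extension -ine '.cerber' } |
        ForEach-Object {
            $rel    = $_.FullName.Substring($src.Length).TrimStart('\')
            $target = Join-Path $Dest $rel
            New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        }
}
finally {
    # rmdir on a directory symlink removes only the link, never the snapshot.
    & cmd.exe /c rmdir $LinkPath | Out-Null
}
"Restored $Source from snapshot $($newest.ID) to $Dest"
```

If the warning fires, the ransomware got to the snapshots before you did and the recovery-software route in the next section is the remaining option. Restoring to a different drive than the one you are recovering from avoids overwriting disk space that a file carving tool might still need.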

b) Use recovery software
There are tools that walk the computer's drives and connected media in search of deleted data and may be able to bring it back. The reason tools like Data Recovery Pro can help after a ransomware attack is that some of these Trojans write the encrypted copy as a new file and then delete the original instead of overwriting it in place; until that disk space is reused, the original can often be recovered. If that is what happened, the application scans the machine, lists the recoverable entries in its report and lets you restore them. Two cautions: remove the virus for good before you start, and save the recovered files to a different drive than the one being scanned, since writing to the affected disk can overwrite the very data you are trying to get back.

Double-check for Cerber remnants

Do not leave anything to chance when dealing with ransomware. Unless removed completely, these threats can relaunch the crypto attack and scramble everything you've just struggled to restore with the methods above. To add insult to injury, ransom Trojans are often accompanied by other infections, such as banking malware that steals victims' credentials. One way or another, rescan your system to make sure you're good to go.
