Severity scale:  

Cerber 2.0 ransomware virus. How to remove? (Uninstall guide)

removal by Olivia Morelli - - | Type: Ransomware

Cerber ransomware virus version 2 has been released. What should you know about it?

Cerber2 virus virus is an updated version of Cerber ransomware. The authors of this ransomware project have decided to step up the ransomware game and create an even more complicated variant that would differentiate from other crypto-ransomware viruses and, of course, surpass them. The second version of the indicated virus cannot be decrypted with Cerber Decryptor anymore, as the flaws in the ransomware code were patched. This threat also has also been secured with a different packer to aggravate malware researchers’ work and prevent them from analyzing the virus.

Just like the previous version, the second version encrypts victim’s files and instead of adding .cerber file extension, it appends .cerber2 file extension to them. Another important fact is that this variant uses Microsoft API CryptGenRandom to create an encryption key, which is twice longer than the one that was used in the previous version of the virus – now the key weights 32 bytes. Our researcher has discovered that the virus has been programmed not to encrypt computers that have these languages set as default:

Armenian, Azerbaijani, Belarusian, Georgian, Kirghiz, Kazakh, Moldovian, Russian, Turkmen, Tadjik, Ukrainian, Uzbek.

If it detects that the computer user speaks one of these languages, it exterminates itself, in other words, implements Cerber 2.0 removal. Otherwise, it begins the encryption procedure. The virus is set not to encrypt default system folders and leave basic program unencrypted (such as basic Internet browsers, Flash Player, local settings, sample music, videos, pictures and similar default computer data). The rest of personal victims files get encrypted with a powerful encryption and become useless. It is impossible to manipulate these files anyhow unless the victim has a decryption key, which, unfortunately, has to be bought from cyber criminals who have created this virus.

Cerber 2.0 ransomware virus

The Cerber 2 virus creates # DECRYPT MY FILES #.txt and # DECRYPT MY FILES #.html files and leaves them on the computer, besides, it changes the wallpaper, and activates .vbs file, which speaks to the user, stating that all documents, photos, and databases have been encrypted. These files left by the virus can be called ransom notes; both .html and .txt files begin with such lines:

Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files’ names, as well as the data in your files, have been encrypted.

The rest of the text in ransom notes explains what happened and provides instructions on how to decrypt .cerber2 files. Traditionally, the victim is instructed to download Tor browser and pay the ransom in Bitcoins. No matter what, we advise you not to pay the ransom and remove Cerber 2.0 virus without any hesitation. By paying the ransom, you would support cyber criminals, who already live a wealthy lifestyle because of victim who pay them for decryption tools. To remove the virus, use anti-malware program, for instance, Reimage.

Distribution methods

Ransomware distribution methods vary, but the most popular ones are still these two:

  • Spam email campaigns;
  • Malvertising.

It is not a secret that crooks often send deceptive emails to computer users, pretending to be employees or representatives of well-known organizations or institutions. They commonly attach several attachments to the letter and kindly ask the victim to open them. Obviously, such attachments contain malicious attachments and can execute the virus immediately. The next malware distribution method – malvertising is an efficient technique for those cyber criminals who want users to click on malicious links and activate codes that can plant malware on victim’s computer. We strongly recommend you to stay away from ads that urge you to install updates, apps, or that try to threaten you by stating that your computer is severely infected. After clicking on such ad, you can end up downloading a malicious software bundle that contains a virus like ransomware.

How to remove Cerber 2.0 ransomware virus and decrypt files?

If you have become a victim of Cerber 2.0 ransomware virus, you should have seen statements in its ransom note, stating that you should not rely on antivirus companies and use their products as they cannot decrypt your files. Indeed, antivirus products cannot restore encrypted data, but they CAN protect your computer from malware attacks (if they have real-time protection feature). To remove this virus from your computer, we suggest using one of the tools that are provided below. We do not recommend you to try and decrypt your files using random decryption tools; you can corrupt your data this way. We suggest waiting until malware researchers discover a free Cerber 2.0 decryption tool so that you could recover your data safely. Of course, you can recover your files from backups; before you do that, you must complete Cerber 2.0 removal first.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Cerber 2.0 ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Cerber 2.0 ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual Cerber 2.0 virus Removal Guide:

Remove Cerber 2.0 using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Cerber 2.0

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Cerber 2.0 removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Cerber 2.0 using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Cerber 2.0. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Cerber 2.0 removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cerber 2.0 and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

Removal guides in other languages

  • jonhson

    files have .cerber2 extensions how do i open these files?

  • glassy

    Poor ransomware victims. I am glad that i have antimalware program. It has stopped several threats from infecting my computer system, thanks God!

  • Levina

    I cant believe crooks keep creating malware each day without being stopped. even worse, people pay ransoms to them. ridiculous and sad

  • HELP


    • Mirna

      No way…. I feel sorry for you, dude. Have you removed the virus yet? was that easy?