Cerber 4.1.1 ransomware / virus (Removal Guide) - updated Nov 2016

Cerber 4.1.1 virus Removal Guide

What is Cerber 4.1.1 ransomware virus?

Cerber 4.1.1 ransomware attack users. What is known about it?

Cerber 4.1.1 ransomware virus showed up on the same day as Cerber 4.1.0 ransomware. Each of these viruses belongs to an infamous family of malware called Cerber virus which has already been updated for several times. This group of ransomware viruses is still on top, so you must be very careful if you want to avoid it. What new features are presented in the latest, Cerber 4.1.1 virus? It seems that the main thing that changed is the customized wallpaper on victim’s desktop that informs about the encryption of specific files and a need to purchase the special decrypter for this version. Earlier versions of the virus could be recognized by file extensions added to encrypted data – they use .cerber, .cerber2 and .cerber3 extensions. If you can find them next to your files, make sure you remove Cerber 4.1.1 virus or similar version of ransomware from your computer. You can do that with the help of an up-to-date anti-malware program, such as FortectIntego.

As we have already mentioned, Cerber 4.1.1 ransomware is the latest version this infamous crypto-ransomware virus, and it works absolutely silently. Once executed, it starts digging for target files starting from deeper system directories. This way, the user cannot notice anything suspicious, because the only thing that might raise user’s suspicion is a slower computer’s performance during the encryption. During this process, it generates and appends certain file extension to encrypted files – personal records become marked with unique 4-symbol extension, for example, .dep3. Once 4.1.1 version encrypts all folders, it finishes the malicious procedure by encrypting files on the desktop, drops README.HTA file (the ransom note) on the desktop, plays a .vbs file that plays an audio message, and then changes the desktop background with an image that displays the following text:

Your documents, photos, databases and other important files have been encrypted by “Cerber ransomware 4.1.1”!
There is a list of temporary addresses to go on your personal page below:

The virus does not provide much information on the new desktop wallpaper, but it leaves URLs that lead to so-called “payment page,” where victims can learn how to purchase Bitcoins and then transfer them to criminals’ Bitcoin wallets. Same URLs and more information about the attack can be found in the .hta file. These URLs normally cannot be opened via regular web browsers and need to be launched via Tor browser. The ransom note provides detailed information on how to open these websites so that even inexperienced PC users can open them. Each of these URLs leads to a page that presents Cerber Decryptor. Just like previous versions of this ransomware, 4.1.1 version asks to select language, then complete a short confirm-you-are-human task and only then it reveals information on how to buy the decrypter. Surprisingly, it turns out that Cerber ransomware version 4.1.1 demands a lower ransom than its predecessors. It asks to pay 0.1188 Bitcoin (≈ $84) within 5 days of attack or 0.2376 Bitcoin (≈ $169) after 5 days.

Cerber 4.1.1 ransomware attack

It is not a secret that Cerber stands out of other ransomware projects because it is precisely programmed and designed to convince the victim to pay up. The ransom payment website has sections such as “FAQ,” “Support,” and also “Decrypt 1 File for FREE,” where victims can upload one encrypted file to test the decrypter and understand that it actually exists and works. If your computer has been infected with this malicious ransomware, we recommend you not to pay the ransom, although it is your decision whether to pay up or not. Please remember that cyber criminals keep creating new viruses as long as victims agree to pay the ransom – do not fuel up their motivation by following their commands. If you are still willing to pay up, you should know that only 20 percent of victims, who paid for the decryption service, received the code that they needed. In case of infection, make sure you perform Cerber 4.1.1 removal at first. Then, take care of your files by using Data Recovery steps given below.

How does this malicious virus enter victim’s PC?

According to the latest news, Cerber is delivered via pseudo-Darkleech campaign, which targets WordPress websites. If the victim enters a compromised website, he or she gets rerouted to the site that contains RIG exploit kit. The exploit kit explores vulnerabilities in victim’s computer (inspects outdated programs and takes advantage of the security gaps) and then silently installs malware into user’s computer. The attack is well-organized and can be completely incomprehensible to computer users that are not familiar with stratagems that advanced malware creators use. However, authors of this ransomware also use an old but still very efficient technique to infect computers – they send insidious emails that contain destructive attachments. Once the victim opens such attachment, the malicious file downloads the malware and begins the encryption procedure. Please stay clear of vague emails and do not let your curiosity win – do not open that shady email that claims you need to accept a payment of $500 that supposedly was sent to you recently via Paypal, and avoid shady invoices, documents, and other suspicious files that unknown individuals send to you via email. If you feel that the author of such letter urges you to open email attachments, better do not do it!

Cerber 4.1.1 removal procedure

Cerber 4.1.1 virus is a new ransomware, and it can be eliminated only with an updated antivirus or anti-malware software. Make sure you use an appropriate and powerful anti-malware software for this procedure because leaving malicious components on the system can damage your files without leaving you a chance to restore them. Besides, automatic Cerber 4.1.1 removal guarantees a full elimination of this malware, so it won’ show up on your computer after some time. Finally, we would like to add that you shouldn’t try to remove Cerber 4.1.1 ransomware manually because this task can be considered as an option only if you can call yourself tech savvy. Files encrypted by this virus can be restored from a backup, but if you do not have one, most likely there are no chances of recovering encrypted data. Nonetheless, we suggest you try data recovery options provided below.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Cerber 4.1.1 virus. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Cerber 4.1.1 using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Cerber 4.1.1. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Cerber 4.1.1 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Cerber 4.1.1 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

 If your computer has been hit by Cerber v.4.1.1, you might start thinking whether to pay the ransom or not. First of all, paying motivates cyber criminals to continue evolving ransomware projects. Secondly, you can lose your money and receive no explanation, because there is no way you can force criminals to help you. Therefore, you should think twice before buying those Bitcoins.

If your files are encrypted by Cerber 4.1.1, you can use several methods to restore them:

Try Data Recovery Pro

Malware researchers are still working on Cerber 4.1.1 decryption tool – it is very hard to crack this ransomware and find out what its Master Key is. Therefore, we suggest you create a copy of encrypted data to have an unaffected data backup, and then try this method. Do not forget to remove Cerber 4.1.1 first!

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Cerber 4.1.1 ransomware;
  • Restore them.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cerber 4.1.1 and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

Removal guides in other languages