Severity scale:  

Cerber virus. How to remove? (Uninstall guide)

removal by Ugnius Kiguolis - -   Also known as Cerber Ransomware | Type: Ransomware

Cerber virus wreaks havoc in South Korea with a location-based malware variant

Cerber red

Cerber is a dangerous file-encrypting virus that locks users file using strong encryption algorithm[1]. Malware has been updated several times and currently can append .cerber, .cerber2, .cerber3, .af47, .a48f, .[random characters] file extensions to each of the targeted files. Once it's done, malware drops a ransom note where victims are told to pay the ransom in order to get back their files.

The ransomware changed the name of the ransom note several times – different versions of this crypto-malware were spotted using such names for the ransom notes: # DECRYPT MY FILES #.txt, # DECRYPT MY FILES #.html, # HELP DECRYPT#.html, _READ_THIS_FILE.hta, *HELP_HELP_HELP[random characters]*.hta, _R_E_A_D___T_H_I_S___[random]_.txt or _R_E_A_D___T_H_I_S___[random]_.hta.

Like any other file-encrypting virus, a user might encounter it via malicious spam emails that carry a deceptive .ZIP, .DOCM, .PDF, or .JS file. An interesting detail about Cerber ransomware is that it will not attack your computer if you live in one of these countries – Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Tajikistan, Russia, Uzbekistan, Ukraine. On July, researchers also noticed a massive malvertising campaign attacking people in South Korea. Unfortunately, if none of these is your country of current residence, this virus may potentially hit your computer.

It sets itself to run automatically on the next computer startup. Once the computer becomes active, ransomware starts sending random error messages and then reboots your computer into Safe Mode with Networking. Unfortunately, the virus then restarts your computer again, this time in a normal regime, and starts the encryption process. The latest its version has received a huge update – now it uses red color for the ransom note used to warn the victim about the encrypted data.

Questions about Cerber virus

Once the encryption process is finished, Cerber ransomware drops ransom notes in each folder that stores infected files. These notes are named as DECRYPT MY FILES. The file extension may vary, it can be a .html, .txt, or .vbs file. The .vbs file will also play a sound message, which says:

Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!

The ransom note explains what happened to your computer and provides instructions how to retrieve your files. Shortly said, virus developers ask you to download Tor browser[2] to access the website where you can pay the ransom anonymously. It demands the victim to pay 1.25 BitCoins, which is approximately $512 USD. It also threatens that the ransom will be doubled if the victim does not pay within seven days. If the ransom is paid, this ransomware should supposedly provide a unique download link to get a Cerber decryption tool. Otherwise, there is no way to decrypt files for free. 

UPDATE July 2017: Security experts report that Cerber keeps expanding and looking for new monetization methods. Recently, a massive attack hit South Korea.[3] Other Asian countries have also suffered from the ransomware. Researchers note that criminals have been spreading malware in this region for a few months with the help of Magnitude exploit kit.

Ransomware spread with the help of malvertising. When a user visits a malicious website, the malware checks few details about the users in order to decide – to launch the attack or not. These “gates” are known as “Magnigate”[4] and check user’s IP address, ISP, and the information about operating system and web browser. In this way, Cerber virus can launch targeted attacks and avoid infiltrating random computers.

In order to boost their incomes, developers of the Cerber ransomware created a new variant that is capable of stealing Bitcoin wallet data.[5] After the infiltration, it steals passwords stored in the Internet Explorer, Google Chrome, and Mozilla Firefox web browsers. Once it’s done, it becomes easier to obtain information from Bitcoin wallets.

The virus looks up for free files that belong to the different Bitcoin wallet apps:

  • wallet.dat used by Bitcoin Core wallet;
  • *.wallet used by Multibit wallet app;
  • electrum.dat used by Electrum wallet app.

Another proof that Cerber continues growing and expanding is a recent collaboration with developers of Kovter Trojan. This cyber infection is known since 2013 as click-fraud malware. Both malicious programs were noticed spreading with spam emails that delivered fake notifications from parcel delivery services, such as FedEx, USPS, and UPS.[6]

Therefore, once victims are tricked into opening an obfuscated file, they download two instead of one cyber infection. As a result, victims can not only get their files encrypted but also lose personal information, such as login details.

UPDATE June 2017: Cerber malware emerges again and uses a different ransom note this time. The virus encrypts even more files and drops a ransom note called _R_E_A_D___T_H_I_S___[random]_.txt or _R_E_A_D___T_H_I_S___[random]_.hta. The ransom note starts with a different line than the rest of Cerber ransom notes – it says “Hi, I'am CERBER RANSOMWARE 😉.” The virus asks for half a Bitcoin (around $1195) and increases this price to 1 BTC in 5 days.

The ransomware is still actively promoted via Blank Slate spam campaign that sends out thousands of emails to victims. These emails carry a ZIP in a ZIP file, and once these two archives get extracted, a [random digits].js file gets dropped on the system. If the victim opens it, the script inside of it connects to a remote server and downloads ransomware from it.

UPDATE April 2017: In April 2017, researchers identified new mutations in the distribution of this virus. This time, people behind Cerber project targeted vulnerabilities in Apache Struts 2 on Windows servers. To begin with, Apache Struts is a free and open-source framework for creating Java web applications. It turns out that malware distributors have been attacking systems running programs created with Apache Struts and setting up backdoors, enrolling devices into DDoS bot network, placing cryptocurrency miners and of course, malicious viruses like ransomware on compromised machines.

The vulnerability in Apache Struts software allowed criminals to target servers instead of individual computers, providing them with chances to reach potential victims that surely have money and most likely are willing to pay up just to get the control of the data back.

The attackers used an exploit code that allowed them to run shell commands and launch BITSAdmin utility, and finally download Cerber ransomware from a remote server. Now, researchers have discovered that this particular piece of ransomware modifies Windows Firewall rules and prevents communication from installed antivirus to the world, making it impossible to install antivirus updates or sending reports to the developer. According to researchers, the Bitcoin wallet address used by this version of the infamous ransomware remains the same. 

While the discussion about Cerber has tied down, users might have let their guard down convinced that the malware has faded into oblivion. Such thinking might be perilous, as the hackers are yet to strike again. Recently specialists have detected this menace hidden in Dropbox files. While in the case of ordinary spam messages, a user still needs to extract the attachment in order for to activate the infection.

The developers found a workaround to this feature and spread this crypto-malware via self-extracting Dropbox files. Luckily, they still need to be “clicked” in order to inflict damage. There is another wave of this malware coming: TrendMicro virus report reveals multiple new versions of the threat: Ransom_Cerber.R000C0DD517, Ransom_Zerber.R08NH0CD317, etc. The report also reveals that the latest version is also able to avoid machine learning detection by security applications[7]. Continuous re-loading of the executable files prevents detection. However, specialists reassure that multilayer security software is still a proper solution when dealing with Cerber.  

UPDATE February 2017: In the beginning of February, security experts noticed a new version of Cerber ransomware – Help_Help_Help ransomware. It seems that it still uses Nemucod downloader for spreading around. However, the crooks have also started employing RIG exploit kit to enhance the infection rates. Beware of false emails which can alert you to review the attached invoice or document in order not to get charged with immense billing.

The current samples of the malware lurk in the doc file with the embedded macros. Luckily, it is not difficult to look through the felony. Usually, the name of the sender does not match the one given in credentials. Such email would have typo and grammar mistakes as well. The ransom notes which are presented by this malware are named as _HELP_HELP_HELP_%random%.hta and _HELP_HELP_HELP_%random%.jpg. The most surprising news is that, in the latest versions, its creators decided to stop encrypting files of security programs. The version which is found by TrendMicro as RANSOM_CERBER.F117AK[8] avoids firewalls, antivirus software or antispyware products. 

UPDATE January 2017: New year have already brought us new changes in Cerber ransomware. After making the latest researches on this malware, experts discovered that it turned red. In fact, red color has shown up in the ransom note of this ransomware that warns its victims about the encryption of their files and a need to pay the ransom in exchange for the malicious decryptor. Besides, this crypto-virus tends to use .ba99 file extension which is appended to every victim's file. Four random characters can also be appended.

Fortunately, this malware fails to remove Shadow Volume Copies of these files that it encrypts, what should help users recover their data with the help of Shadow Explorer and similar tools. This version has already been named as Red Cerber, Updated Red Cerber 2017 and Red Cerber 2017. Of course, after discovering such concerning news, we predict that this virus will stay at its peak this year just like it did the last year.

What is more, cyber criminals begin the new year with new Cerber distribution tricks. Although they are still delivering massive loads of the virus' examples via email, now they appear to be using IP addresses that belong to Amazon Web Services, or shortly AWS.

These malicious emails reportedly contain no subject line and no message, simply an attachment. The attachment is a ZIP file with a Word document in it, which contains a Macros script that downloads the ransomware as soon as the victim enables Macros function in Word. Zip archives, as well as Word documents, are named with a random set of digits. Here are some of the malicious email addresses that criminals are using to deliver Cerber right now: vroak[@], clayton.lively[@], kasserer[@], rbrown[@], and more. 

UPDATE December 2016: The virus is still actively distributed. According to a report from Microsoft, Cerber ransomware is rapidly proliferating with a help of an email spam campaign, which delivers password-protected .zip archives. Typical email subject lines contain words like “Howdy,” “Hi” or “Hello,” and a very short message asking to view contents of the attached file, and providing a password to the attachment. Once extracted, files inside this archive activate malicious macro scripts that download Donoff Trojan downloader, which downloads the ransomware to the computer system.

In addition, it is still actively distributed via RIG exploit kit. The victim only needs to enter a site that hosts an exploit kit to allow it to exploit security vulnerabilities in the system and download the ransomware without user's consent. The virus has also been noticed proliferating its copies via compromised websites that host Nemucod virus. These sites can easily redirect the victim to Pseudo Darkleech, which strongly obfuscates the infection when Nemucod drops Cerber on victim's computer system.

Speaking of the virus' code, we must point out that the Cerber has changed the font background color from bright green to red. On top of that, the latest version of the virus doesn't touch Volume Shadow copies[9], which basically are a door to data recovery. With tools like ShadowExplorer you can restore at least part of data encrypted by this ransomware virus!

UPDATE November 2016: The crypto-ransomware is now actively attacking companies and their computer networks. Interestingly enough, in addition to the Cerber encryption, the virus developers threaten with malicious DDoS attacks that will supposedly disturb the network and the overall operation of the company. The hackers begin by sending the companies a threat email in which they warn about the upcoming attack and demand to pay a set amount of ransom until the given deadline. After that, the sum is said to increase. An example of this note can be seen below.

UPDATE October 2016: Entering the new month, the masterminds of this virus do not intend to let the community take a break as they introduced new menacing features. Taking into account Cerber's current rampage in the virtual arena, the update empowers the threat even more.

Virus researchers have revealed that now it appends the extension comprised of 4 random numbers and characters. Moreover, the demands are presented in a .hta file rather than in .html or .txt. Furthermore, the virus shuts down certain database processes in the operating system in order for the encryption process to be complete. Luckily, these observations might be helpful for grasping the operation of the new version. 

UPDATE September 2016: There were two different versions presented by the owners of ransomware virus in September 2016. The first of them is known as Cerber3 file extension virus. As you must have already understood, it received such name according to the file extension appended by it to each of the target files. This new version of Cerber ransomware has also been considered to be more malicious and destructive as the hackers had plenty of time to fix the bugs found in the previous two versions. The second version of this ransomware was found by security researchers in the middle of September. According to their report, Ammyy Admin web page was found to be infected[10] with the malicious file used to distribute the crypto-malware.

It was also suspected that the website dispersed the virus for several days, approximately from the 13th to 15th of September. The binary, which was entitled as an encrypted.exe, was placed in AA_v3.exe. Previously, this domain was assaulted by other highly damaging malware in the future. At the moment, the website is fully restored and safe for public use. 

UPDATE August 2016: Malware researchers have managed to find flaws in ransomware project and managed to launch a site that allowed victims to decrypt .cerber and .cerber2 files for free. Although authors of this site do not provide any information on how did they manage to defeat the ransomware, some security experts had guessed that they have managed to find out what the Master Decryption Key is. It appears that this was not true, and most likely they have found a flaw in virus C&C server. Reportedly, hundreds of victims who followed news about the virus managed to decrypt their precious files for free.

Sadly, organized criminals quickly found the flaw and patched it, so as a result, it is no longer possible to decrypt files using this decryption service anymore. What is more, Cerber's payment site has been improved by adding Captcha system, which helps to avoid automated attempts to access the site. It seems that this gang is well-organized and determined to keep this virus undefeatable, which is a horrifying fact. Therefore, computer users are advised to take precautions, create data backups and protect computers with proper anti-virus solution to prevent ransomware attack, because, at the moment, there is no way to recover encrypted data using decryption tools.

No ways to recover files locked by the infamous virus

Unfortunately, it is impossible to decrypt the files locked by Cerber ransomware without paying the ransom. However, it is not recommended to pay up[11] because:

  • It only encourages the cyber criminals to continue their fraudulent activities and create more computer viruses;
  • Plus, bear in mind that there is NO guarantee cyber criminals are actually going to help you to recover your files;
  • You may not receive the decryptor at all, even if you pay up.
  • Also, this tool may be corrupted, bring other malware on your computer and this way, damage it even more.

Therefore, you should not collaborate with the cyber criminals on any level, because their main intention is to make money, and they will do their best to make their efforts to pay off.

Deleting the virus from your computer will not help to eliminate the cipher from the files. Trying to recover your files using hacker-suggested Cyber decryptor tool is not safe either. The best decision is to turn to some more reliable ways to recover your data. The quickest and the safest way to achieve that is by importing your data from a backup device.

We strongly recommend you NOT to keep the copies of your data on online storage clouds, because some viruses can access them via your Internet connection and corrupt them, too. It is best to keep your files stored on some external drive and update it regularly[12]. But there are risks here too.

If the external drive is plugged into the computer at the time of the virus infiltration, the files in the storage will most likely be encrypted too. So, make sure that you unplug the external storage device from your computer every time you backup some files. If you do not have a backup, you might want to try these decryption tools – Photorec, Kaspersky virus-fighting utilities or R-Studio

Keep in mind that you must eliminate the Cerber virus from your device completely before you attempt to recover your files in either of the ways mentioned above. You can do that using anti-malware software like Reimage.

The chronology of Cerber ransomware updates:

Cerber Decryptor. This tool is offered by Cerber's authors, who advertise it as a program that supposedly can recover encrypted data for the victim. This might not be true because you can never rely on cyber criminals' words. This piece of malware can be bought in Bitcoins, but there is no information whether it decrypts files or not.

Even if it does, remember that criminals can send it to you in a bundle with malicious files or Trojans, which can cause further security problems to you. Malware researchers always suggest not to rely on cyber criminals and decryption services that they offer. Besides, paying the ransom would fund further projects of malware creators, so you may want to think twice before you reach out for your credit card.

Cerber2 ransomware. As the name of the virus suggests, this is the second version of Cyber virus. It was released in August 2016, and it seems to be distributed via drive-by downloads, malvertising, and malicious email campaigns. This virus locks the data using nearly unbreakable encryption algorithm and adds .cerber2 file extension to them.

Once encrypted, files cannot be accessed in any way without having the decryption key. Of course, you can get the decryption key, but crooks ask to pay money for it, in other words, you need to pay a ransom to get your files back. It is strongly recommended not to pay the ransom as Cerber2 decryption tool might have flaws and not decrypt the data entirely. Just like other ransomware decryptors offered by authors, this one can be supplemented with harmful additional files as well. Security experts recommend removing v2 as soon as the victim notices that the computer has been compromised by it and retrieve lost data from backups.

Cerber3 ransomware. The new version proves to be more powerful than ever before. Now the ransomware appends .cerber3 extension to the encrypted data. There are also changes regarding its ransom note. While previously it demanded the ransom in a # DECRYPT MY FILES #.txt or the # DECRYPT MY FILES #.html file, now the recovery instructions are presented in # HELP DECRYPT #.html.

The current update reveals that the malware shifts from appending a 4-digit random extension. Throughout its existence, the malware has already wheedled out stunning amounts of money. That is why we do not suggest transferring the money. There are no guarantees for recovering the data from the hackers. Lastly, the threat spreads via the same channels: spam emails and infected advertisements and links. 

Cerber v4.0 is the latest and probably the most vicious of all ransomware versions. This virus does not use previously-used extensions anymore. It has improved its encryption algorithm and now displays extensions consisting of a jumble of different numbers instead.

Besides, according to the virus creators, this new version of the virus is much more resistant to antivirus detection and manages to disguise its activity on the computer until all of the files are encrypted. Talking about files, it has been found that Cerber v4.0 is now capable of encrypting even more file types which only proves that ransomware developers are not hanging around and are ready to exploit as many users as possible.

For this purpose, they have also released the RaaS version of Cerber ransomware which can be obtained on the dark web. Currently, experts count three main distributors of this malware, but it is very likely that more cyber crime enthusiasts will join in.

Cerber 4.1.0 ransomware. This ransomware version differs from the previous versions mainly due to appended extension. While previously, .cerber2 and .cerber3 extensions were the trademark signs of the versions, now the virus leaves 4-digit extension or adds no extension at all.

Another major improvement lies in the distribution. PseudoDarkleech Rig exploit kit helps transfer the malware. On the other hand, such discovery will help the virus researchers to publish the decryption key and issue prevention measures sooner. The improved version also sends the request of a specific HTTP. It results in retrieving JSON file which contains payment instructions. It links to 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt bitcoin address. Though there are more technical details revealed, it still makes Cerber a terrifying cyber infection.

Cerber 4.1.1 version comes in the “bonus” package along with 4.1.0 version. Since it is little known about exceptional features of this edition, there are many speculations about its capabilities. It is likely to spread via the same exploit kit as 4.1.0 version. Virus researchers have noticed that Cerber has changed its IP address again. Such strategic move makes the tracking of the infection source more complex.

In order to generate 4-digit code, the ransomware employs a complicated registry segment called “MachineGun”. It is an integral part of the entire HKLM\Software\Microsoft\Cryptography key. Taking into account, these peculiarities complicate the elimination of the threat. That is why a proper security application is a necessity. Similar infections await for victims in file sharing networks or other questionable domains. It is unwise to consider remitting the payment as several versions of the malware have already gained millions of dollar profit and the developers are unlikely to send the decrypter.

Cerber 4.1.4 virus has shown up right after the appearance of 4.1.1 version, and these viruses are very similar. They both encrypt files using same methods, corrupt the original filename and append a customized four-character extension instead of the original one. Ransomware roots deeply into the system, adds registry keys, alters values, drops its components to the %TEMP% folder and other locations across the entire computer system to make it harder to remove.

Each component is extremely dangerous, and it is a must to remove them all at once to ensure a successful Cerber 4.1.4 removal. This virus strongly encrypts personal data without any shame and demands a ransom in exchange for Decryptor. No matter how hard malware analysts try, they cannot break this virus' obfuscation layers and find out what algorithm is used to generate unique encryption/decryption keys for the victim. Sadly, files encrypted by this version cannot be recovered with any decryption tools.

Cerber 4.1.5 ransomware has appeared at the beginning of November 2016, and successfully infected hundreds of computers already. This version copies techniques used in the past, and hardly differs from previous versions. Encrypted files become unrecognizable because virus scrambles their filenames; however, the virus creates unique file extension for each victim and appends it to encrypted records. It leaves a ransom-demanding message in README.hta file, which points to personal payment websites.

The victim is asked to pay 0.6967 BTC, which equals to $500, or more if he/she fails to pay up in the given term. Cerber 4.1.5 reportedly spreads with the help of notorious Neutrino and RIG exploit kits, malvertising, and of course malware-laden emails. You can protect your PC from this ransomware by stockpiling data backups and installing a trustworthy anti-malware software.

Cerber 4.1.6 ransomware has emerged at the end of November 2016, more or less after a month after the appearance of the 5th edition of the fourth ransomware version. This modification of the virus has no outstanding improvements and functions just like its former versions do. The virus merges RSA and RC4 encryption algorithms to create an uncrackable cipher that renders personal files, documents, databases and other important files useless.

The ransom price is 501$, and criminals command the victim to transmit this sum of money via Bitcoin system within five days; otherwise, they increase the ransom price. This sequel to the infamous project is just as dangerous as its predecessors, and it also connects every compromised PC into a botnet to carry out DDoS attacks. Victims of the 4.1.6 version should remove virus as soon as possible and perform several system scans to thoroughly analyze the computer and remove all malicious files and ransomware remains. 

Cerber 5.0.1 ransomware was quickly launched to back up the previous infections. It keeps encrypting files with RSA-2048 and AES-256 algorithms. That is why users, entrapped by Cerber, might comply with the hackers' demands to retrieve the files. Needless to say, it is not recommended to transmit the money as there are few guarantees of getting it back. This version has been spreading as a fake email warning with huge billing sums.

The virus urges a victim to open the attachment which would activate a VBA script. Afterward, it will execute the .exe file which downloads the main file of the infection. It also disguises its processes in Task Manager to lower the risk for users to spot ominous command. Do not waste and eliminate the threat before it causes more severe outcomes.

Red Cerber ransomware. This version has been detected on the eve of 2017. In comparison to previous variations, the gearheads introduce several changes in the overall design and operation peculiarities. One of the key modifications was the disabled command to delete shadow volume copies. Likewise, it gives hope for its victims to recover the encrypted files.

What is more, it employs additional tools for delivering a blow to a virtual community. Along with spam emails, RIG and Nemucod exploit kit are also employed to increase the number of victimized systems. Compromised and corrupted domains also serve for spreading this virus. Keep in mind that the corrupted version of Adobe Flash Player also might disguise Red Cerber malware.

There are also a few modifications concerning encryptable file formats. Its developers add 50 file extensions which the virus aims to encode. However, a few, mainly system executable files, such as .exe and .bat, were excluded from the list.

Help_help_help ransomware virus. After taking a short break during the holidays, the cyber villains introduced the modified version of Red Cerber. The key changes include the introduction of the demands in the *help_help_help[random characters]*.hta file.

The penetrators also added improved Nemucod exploit kit. Needless to say that such improvements only elaborated the infection even more. The key astonishing feature of the malware lies in the execution process. Nemucod exploit kit delivers cer.jpg file into your system. After its sets foot on the operating system, it performs a metamorphosis: the file changes into .exe file.

Consequently, it becomes only a matter of seconds when help_help_help virus completes its hijack. There are also reports that Cerber has been spotted in the dark web as RaaS (ransomware-as-a-service). In short, these modifications remind a common truth – update all your programs and stay vigilant.

Cerber 6 ransomware virus. While a while has passed since the last version of Cerber, the developers used this time to improve and craft this crypto-malware to a new level. The latest version, 6th installment, presents improved anti-sandboxing and anti-VM features. In other words, it is able to avoid detection in virtual machines which complicates the developing counterattack strategies. It is also known to use to use SFX files, i.e. self-extracting files.

In response to wider public awareness about the distribution of this malware, the felons look for ways how to execute the malware with minimal users' interference. The use of multiple and diverse hacking techniques explains why Cerber remains the biggest cyber issue. Besides disguising in spam emails, it also employs exploit kits, trojans and bugs in well-known program utilities to multiple its damage on the virtual community. At the moment, there is no decryption software released for this version. However, some of our recommended options in the end of the article might be effective.

Magniber ransomware virus. This version of crypto-ransomware has been spotted by Michael Gillespie on October 14, 2017. It can be recognized from .ihsdj or kgpvwnr extensions which it adds to encrypted records. The virus was initially called My Decryptor ransomware. Later on, a group of security researchers spotted a massive malvertising attack closely related to Magnitude exploit kit which  filters victims based on their geolocation and language used in the computer. The exploit kit targets CVE-2016-0189 vulnerability in Internet Explorer and if the target meets the requirements, infects the system with Magniber virus.

The name of the ransomware derives from Magnitude + Cerber. The malicious virus is surprisingly similar to the latest Cerber malware variants. However, technical similarities are not the only thing that makes security researchers wonder about the origins of Magniber. It appears that Cerber's activity has slowed down during October, which gives base for thinking that cybercriminals were creating a new and possibly more dangerous ransomware variant.

The malicious software appears to be targeting people from South Korea only. Of course, this location-based ransomware variant can turn to other world countries at any time, so we strongly advise you to protect your computer and create a data backup. This ransomware encrypts files only to demand a ransom via My Decryptor page (accessible via Tor browser) and demands 0.2 Bitcoin ($1100). If the victim decides not to pay, the ransom price increases to 0.4 Bitcoin after 5 days.

Close look at Cerber ransomware distribution

Reportedly, malware permits other cyber criminals to join its affiliate network and allows them to distribute this virus however they want. The original developers of Cerber take part of the profit and allow the affiliates to keep the rest of it. Be aware that cyber criminals mostly distribute this virus via spam emails, so make sure you do not open any suspicious emails[13] that come from unknown senders. Even though most of such malicious correspondence[14] on up on “Spam” catalog, there is no guarantee that a virus-carrying email will not slip to your regular Inbox as well.

So, you should be particularly careful about opening any attachments that come from unknown sources and are accompanied by suspicious emails. Often the cyber criminals will pose as representatives of governmental or law enforcement institutions, so it is recommended that you always check the legitimacy of such emails if you receive any. Cerber ransomware virus can also enter your computer with a help of Trojans[15].

Therefore, you should avoid untrustworthy download websites because you might download an infected file that has this malicious virus carrier attached to it. Needless to mention, you should avoid visiting high-risk web pages and interacting with the pop-ups and other notifications you may encounter there. The latest ransomware distribution campaign targets vulnerabilities in legitimate software and uses them to push the ransomware into target computers. The only way to protect your PC from being infected is to keep an anti-malware software running at all times.

According to PC experts, misleading emails pushing users to pay the ransoms to prevent infiltration of Cerber have also been detected. Stay away from such email messages and do NOT even think about making these fines! You need to take care of your company's safety instead. Make sure you let your employers know about such attacks and install reliable security software.

Spam used to extore the money

Cerber virus removal instructions

There is no doubt that Cerber ransomware is one of the most dangerous computer viruses of today. Computer experts are still working to create a decryption tool to help its victims decrypt their files, but, at the time of writing, there is only one legitimate decrypter that should be tried to recover the encrypted files without paying the ransom. It is provided in the “Recover your data” section. Besides, if you are infected and cannot open your files, we suggest you to follow optional recovery solutions created by our tech experts.

However, before you try them, make sure you remove Cerber virus as soon as possible. Don't forget that it is a dangerous and well-structured computer threat, so you should opt for a professional malware removal tool to eliminate the ransomware from a victimized computer fully. If the removal procedure did not go as smooth as you expected, you can try the instructions provided below. Once you unblock your virus remover, try scanning your computer again.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Cerber virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Cerber virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage
Cerber virus snapshot
Cerber ransomware

Manual Cerber virus Removal Guide:

Remove Cerber using Safe Mode with Networking

If you can't launch your anti-spyware to remove Cerber's files, you need to launch your computer to Safe Mode with networking first. You can go to this mode with the help of the following guide.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Cerber

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Cerber removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Cerber using System Restore

If launching to Safe Mode with Networking didn't help you, you can also try System Restore to disable Cerber. For that, use a guide given below.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Cerber. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Cerber removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Cerber from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files were locked by Cerber, it is unlikely that you will be able to use them again, unless you have a data backup. Sadly, the majority of people do not realize how important data backups are. For this reason, we recommend you to create data backups as frequently as you can. If you have it, you can import your files from it right after removing the ransomware from the system. Otherwise, try some of these techniques – they might help you to recover at least some files.

If your files are encrypted by Cerber, you can use several methods to restore them:

Will Data Recovery Pro help recover files encrypted by Cerber?

Since this cyber threat keeps evolving at an alarming speed, virus researchers are working on the decryption tools for the latest versions. The original version appeared in the beginning of the year and until now has tripled. The IT experts have managed to generate a decryption key for the original variant. However, if you do not have the decryption key suitable for your virus variation, Data Recovery Pro might help you recover some of your files.

Using Windows Previous Versions feature to restore files encrypted by Cerber virus

This option enables you to revert your operating system to a previous state. Though this diversion might not be an effective way to escape the menace of the virus, but it will grant you time to copy your files before they get corrupted by the ransomware. However, you can try this method only if System Restore function has been enabled before ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

How useful is ShadowExplorer when trying to recover encrypted files?

If Cerber ransomware failed to delete Shadow Volume Copies of your files, you should try Shadow Explorer to restore the encrypted data. The latest versions of this crypto-malware do not remove these copies, so you should definitely try Shadow Explorer. To use it properly, you need to install this tool on your computer and follow the guide given below:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Using Cerber Decryptor to recover encrypted files

If you have been thinking about paying the ransom to virus owners and purchasing Cerber Decryptor to recover your files, you should stop thinking about that. This tool is illegal and it provides no guarantee that it can or will decrypt your encrypted files.

There is only one LEGITIMATE decrypter, presented by TrendMicro support, that has saved several hundreds of the victims. It is available here. The decryption tool is capable to decrypt files locked by Cerber version that replaces the original filename with 10 random characters and adds .cerber file extension to it.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cerber and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions


Removal guides in other languages