What is Cerber Ransomware?
Cerber is a nasty file-encrypting virus that locks users file using strong encryption algorithm. This Malware has been updated several times and currently can append .cerber, .cerber2, .cerber3, .af47, .a48f, .[random characters] file extensions to each of the targeted files. Once it finishes, this malware drops a ransom note where victims are asked to pay the ransom in order to get back their files.
# DECRYPT MY FILES #.txt, # DECRYPT MY FILES #.html, # HELP DECRYPT#.html, _READ_THIS_FILE.hta, *HELP_HELP_HELP[random characters]*.hta, _R_E_A_D___T_H_I_S___[random]_.txt or _R_E_A_D___T_H_I_S___[random]_.hta. The ransomware has undergone different name changes in the past for the ransom note.
An interesting detail about Cerber ransomware is that it will not attack your computer if you live in one of these countries – Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Tajikistan, Russia, Uzbekistan, Ukraine. Researchers noticed a massive maladvertising campaign by this ransomware which intended to attack people in South Korea. If the countried mentioned above do not feature in your resident country then this virus may potentially hit your computer too.
How does Cerber Ransomware work?
- On the next computer startup, it will set itself to run automatically.
- Once the computer becomes active, ransomware starts sending random error messages and then reboots your computer into Safe Mode with Networking.
- Unfortunately, the virus then restarts your computer again, this time in a normal regime, and starts the encryption process.
- The latest its version has received a huge update – now it uses red color for the ransom note used to warn the victim about the encrypted data.
- Once the encryption is done, Cerber ransomware drops ransom notes in each folder that stores infected files. These notes are named as DECRYPT MY FILES. The file extension may vary, it can be a .html, .txt, or .vbs file. The .vbs file will also play a sound message, which says:
The ransom note explains what happened to your computer and provides instructions how to retrieve your files. Shortly said, virus developers ask you to download Tor browser to access the website where you can pay the ransom anonymously. It demands the victim to pay 1.25 BitCoins, which is approximately $512 USD. It also threatens that the ransom will be doubled if the victim does not pay within seven days. If the ransom is paid, this ransomware should supposedly provide a unique download link to get a Cerber decryption tool. Otherwise, there is no way to decrypt files for free. Like any other file-encrypting virus, a user might encounter it via malicious spam emails that carry a deceptive .ZIP, .DOCM, .PDF, or .JS file
History of Cerber Ransomware?
This ransomware made its first appearance in March 2016 on Russian underground forums, on which it was offered for rent in an affiliate program. Since then, it has been spread massively via exploit kits, infecting users worldwide, mostly targeting APAC (Asia-Pacific) region. As of now, there are six major versions.
Most recent updates are from July 2017: Security experts report that Cerber keeps expanding and looking for new monetization methods. Recently, a massive attack hit South Korea. Many Asian countries have also suffered from this ransomware. Researchers obversed that cyber criminals have been spreading malware in this region for a few months with the help of Magnitude exploit kit.
The other method for this Ransomware to spread is with the help of malvertising. When a user visits a malicious website, the malware checks few details about the users in order to decide – to launch the attack or not. These “gates” are known as “Magnigate”which gives away the user’s IP address, ISP, and the information about operating system and web browser. In order to boost their revenue, creator of the Cerber ransomware created a new variant which is capable of stealing the Bitcoin wallet data. After the infiltration, it steals passwords stored in the Internet Explorer, Google Chrome, and Mozilla Firefox web browsers.
Researchers have unveiled that this particular ransomware modifies windows Firewall rules and prevents communication from installed antivirus to the world, making it impossible to install antivirus updates or sending reports to the developer. According to researchers, the Bitcoin wallet address is used by this version of the very infamous ransomware remains the same.
It is most likely impossible to decrypt the files locked by Cerber ransomware without paying the ransom. However, it is not recommended to pay up because:
- It only encourages the cyber criminals to continue their fraudulent activities and create more computer viruses;
- Plus, bear in mind that there is NO guarantee cyber criminals are actually going to help you to recover your files;
- You may not receive the decryptor at all, even if you pay up.
- Also, this tool to decrypt may be corrupted, and might bring other malware on your computer and this way, damage it even more.
The chronology of Cerber ransomware updates:
Cerber Decryptor:
This tool is mainly offered by Cerber's authors, who advertise it as a program that supposedly can recover encrypted data for the victim.
Cerber2 ransomware:
It was distributed via drive-by downloads, malvertising, and malicious email campaigns. This virus locks the data using nearly unbreakable encryption algorithm and adds .cerber2 file extension to them.
Cerber3 ransomware:
There was changes regarding its ransom note. Previously it used to demand the ransom in a # DECRYPT MY FILES #.txt or the # DECRYPT MY FILES #.html file, now the recovery instructions are presented in # HELP DECRYPT #.html.
Cerber v4.0
It has improved its encryption algorithm and now displays extensions consisting of a jumble of different numbers instead.
Cerber 4.1.0 ransomware:
Previous version of this ransomware cerber2 and. cerber3 extensions were the trademark signs of the versions, now the virus leaves 4-digit extension or adds no extension at all.
Cerber 4.1.1:
version comes in the “bonus” package along with 4.1.0 version. It is likely to spread via the same exploit kit as 4.1.0 version. Virus researchers have noticed that Cerber now has changed its IP address so the tracking of the infection source becomes more complex.
Cerber 4.1.4:
virus has shown up right after the appearance of 4.1.1 version, and these viruses are very similar. Cerber 4.1.1 and Cerber 4.1.4 encrypt the files using same methods, corrupt the original filename and append a customized four-character extension instead of the original one.
Cerber 4.1.5:
ransomware has appeared at the beginning of November 2016, and successfully infected hundreds of computers already. This version copies techniques used in the past, and hardly differs from previous versions. Encrypted files become unrecognizable because virus scrambles their filenames
Deleting the virus from your computer will not help to eliminate the cipher from the files. Trying to recover your files using hacker-suggested Cyber decryptor tool is not safe either. The best decision is to turn to some more reliable ways to recover your data. The quickest and the safest way to achieve that is by importing your data from a backup device.We strongly recommend you NOT to keep the copies of your data on any online storage cloud, because some viruses can access them via your Internet connection and corrupt them, too. It is best to keep your files stored on some external drive and update it regularly.
Cerber 4.1.6:
ransomware has emerged at the end of November 2016, more or less after a month after the appearance of the 5th edition of the fourth ransomware version. This modification of the virus has no outstanding improvements and functions just like its former versions do. The virus merges RSA and RC4 encryption algorithms to create an uncrackable cipher that renders personal files, documents, databases and other important files useless.
The ransom price is 501$, and criminals command the victim to transmit this sum of money via Bitcoin system within five days; otherwise, they increase the ransom price.
Cerber 5.0.1 This ransomware version was quickly launched to back up the previous infections. It keeps encrypting files with RSA-2048 and AES-256 algorithms. That is why users, entrapped by Cerber, might comply with the hackers' demands to retrieve the files. This version has been spreading as a fake email warning with huge billing sums.
Red Cerber ransomware:
The key changes include the introduction of the demands in the *help_help_help[random characters]*.hta file.The key astonishing feature of the malware lies in the execution process. There are also reports that Cerber has been spotted in the dark web as RaaS (ransomware-as-a-service).
Cerber 6- The latest version, 6th installment, presents improved anti-sandboxing and anti-VM features. It is also using SFX files, i.e. self-extracting files. Besides disguising in spam emails, it also employs exploit kits, trojans and bugs in well-known program utilities to multiple its damage on the virtual community.
Entry sources of Cerber distribution
The most easily distributed method for this virus is via spam emails, so be careful, you do not open any suspicious emails that come from unknown senders. Utmost care needed when opening any attachments that come from unknown sources it could be accompanied by suspicious emails. Often the cyber criminals will display these emails as representatives of governmental or law enforcement institutions, so it is recommended that you always check the legitimacy of such emails if you receive any.
Trojans is also used by Cerber ransomware virus to enter your computer. Due to this it is advised that you should avoid unreliable download websites because you might download an infected file that has this malicious virus carrier attached to it. The newest ransomware distribution drive aims at the vulnerabilities in legitimate software pushes the ransomware into target computers.
Download Free Removal Tool
Cautions against Cerber Ransomware
The most effective way to protect your PC from being infested by this ransomware is to keep an anti-malware software running at all times. Stay away from suspicious emails and email messages! If the external drive is plugged into the computer at the time of the virus infiltration, the files in the storage will most likely be encrypted too. So, make sure that you unplug the external storage device from your computer every time you backup some files.
Tips to Prevent Cerber Ransomware from Infecting Your System:
1. Enable your popup blocker: Pop-ups and ads in the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs. So, avoid clicking uncertain sites, software offers, pop-ups etc.
2. Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update. By doing this you can keep your device free from virus. According to the survey, outdated/older versions of Windows operating system are an easy target.
3. Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
4. Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection. Thus always backup important files regularly on a cloud drive or an external hard drive.
5. Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like McAfee or a good Malware Removal Tool like Download Free Virus RemovalTool
6. Install a powerful ad- blocker for Chrome, Mozilla,and IE.
