
Remove Cerber 4.1.0 Ransomware and Restore Your Files (Updated Cerber v4)

It was not long before the new Cerber ransomware, which many call version 4.0, received an overhaul. The new version uses more optimized code for modifying and encrypting infected computers, a new wallpaper that states its version as 4.1.0, and many other improvements. The virus, however, still uses the same README.hta ransom note as the original version. If you have been infected by this updated strain of Cerber, which calls itself 4.1.0, we advise you to read this article immediately to learn more about it, how to remove this iteration of the virus, and our suggested alternative methods for trying to restore your encrypted files.

Threat Summary

Name: Cerber 4.1.0
Type: Ransomware virus
Short Description: This Cerber variant encrypts files with the RSA or AES ciphers, appends an extension of four randomly generated A-Z 0-9 characters (e.g. .z33f) to the encrypted files, and demands a ransom payment for decryption.
Symptoms: Files are encrypted and become inaccessible to any software. A ransom note with payment instructions appears as a “README.hta” file.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks, malicious executables on torrent trackers.
Detection Tool: See if your system has been affected by Cerber 4.1.0

Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files; it may not recover all of the encrypted files, only some of them, depending on the situation and whether you have reformatted your drive.
User Experience: Join our forum to discuss Crysis Ransomware.

Technical Insight of The Cerber 4.1.0 Virus

Cerber 4.1.0, the version that preceded Cerber 4.1.1, does not differ much from the newer one. It is still as widespread as earlier Cerber iterations such as .cerber, .cerber2 and .cerber3 were, and it still uses a random file extension, like every Cerber 4.0 variant. To help you understand how a Cerber 4.1.0 infection works, we explain it step by step.

Stage 1: Distribution and Infection

To spread it, the creators of Cerber ransomware have used a very common technique: an exploit kit. And not just any exploit kit: they have run massive campaigns to spread their ransomware via a very advanced and notorious one, Rig EK. This collaboration may also involve the same people responsible for spreading the Dridex malware and the 4.1.1 version’s malicious files. Whatever the case may be, you are most likely to be infected with Cerber by clicking on a fake, malicious web link (URL). But how does one get a victim to click on such a link?

Malware researchers have discovered several methods that cyber-criminals may use to achieve this, and users should beware of them in the months to come:

  • Malicious URLs posted and concealed behind Facebook posts that only appear to be legitimate. Some Facebook viruses may take over whole profiles or create duplicate ones to make the posts seem more legitimate.
  • Web links posted via referral spam as comments on online forums and websites.
  • URLs that may be posted if your computer has been infected by other malware or a PUP (Potentially Unwanted Program).
  • Malicious web links that may have been displayed as fake search results by suspicious search engines.
  • URLs concealed behind fake social media buttons or others sent out as e-mail spam.

There are many other ways to cause an infection via a URL, but these are the primary ones researchers warn about. As soon as the future victim’s computer connects to the malicious URL, a so-called drive-by download takes place: the RIG Exploit Kit is downloaded and runs automatically, which causes the infection.

After the infection has taken hold, the RIG Exploit Kit automatically connects to the web, more specifically to Cerber’s hosting servers, to download the virus payload. And these servers are not one or two but tens, even hundreds, because the ransomware uses advanced spamming methods.

After the exploit kit downloads the Cerber 4.1.0 payload, it may place it in commonly used Windows folders and from there inject malicious scripts into legitimate Windows processes to carry out its malicious activities. The payload may have various file formats and names, for example:

(Image: commonly used file names and folders)

Stage 2: Post Infection Activity of Cerber 4.1.1

After infection, Cerber may modify the Windows Registry, creating custom registry entries that change the wallpaper, run the malicious executable responsible for encrypting the files, and perform other activities. The registry keys most likely targeted by this iteration of Cerber are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
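To check a suspect machine for persistence under these keys, here is an added PowerShell example (written for this article, not code from SensorsTechForum or from the malware) that lists every autorun value under the Run-family keys above and flags commands pointing into user-writable folders. It assumes an elevated PowerShell session on the affected PC; the folder list used for flagging is an assumed heuristic, not something the article states.

```powershell
# Added example: audit the Run / RunOnce / RunServices keys named in the article.
# Entries under Software\Classes and Microsoft\Cryptography are too numerous to
# list here and should be reviewed separately.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristic: legitimate autoruns rarely launch from these user-writable
# locations, whereas a dropped ransomware payload frequently does.
$suspectPaths = @('\AppData\', '\Temp\', '\Downloads\', '\Users\Public\', '\ProgramData\')

# Properties PowerShell attaches to every registry item; they are not real values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }      # key absent on this Windows build
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $command = [string]$prop.Value
        $matched = $suspectPaths | Where-Object { $command -like "*$_*" }
        [pscustomobject]@{
            Key        = $key
            ValueName  = $prop.Name
            Command    = $command
            Suspicious = [bool]$matched
        }
    }
}

# Suspicious entries first; review each one before deleting anything.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Treat a "Suspicious" result as a lead to investigate, not proof of infection: some legitimate updaters also run from AppData.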

After modifying the registry entries, the virus may begin the encryption procedure. The encryption may not be as sophisticated as it seems, but it generally covers the widely used file types, such as:

  • Videos.
  • Audio files.
  • Image files.
  • Database files.
  • Microsoft Word documents.
  • Microsoft Excel spreadsheets.
  • PowerPoint presentations.
  • Files associated with Adobe Photoshop.
  • Database files associated with different programs.
  • Virtual drives.
  • E-mail files (Microsoft Outlook).

After the files are encrypted, they receive the random A-Z 0-9 file extension typical of v4 Cerber variants, and their file names are changed as well:

(Image: files encrypted by Cerber ransomware)
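To scope how far an infection has spread, here is an added PowerShell example (not from the original article) that walks a drive or share, counts files per directory that carry the four-character random extension described above, and lists the README.hta ransom notes it finds. It assumes the path to inspect is passed as -Root, and the list of legitimate four-character extensions it excludes is an assumption you should extend for your environment.

```powershell
# Added example: locate Cerber v4-style renamed files and README.hta notes.
function Find-CerberArtifacts {
    param([string]$Root = 'C:\Users')

    # Matches a dot followed by exactly four letters or digits, e.g. ".z33f"
    $cerberExt = '^\.[a-z0-9]{4}$'
    # Assumed list of legitimate four-character extensions that would otherwise match
    $knownExts = @('.docx', '.xlsx', '.pptx', '.json', '.html', '.jpeg', '.tiff',
                   '.java', '.yaml', '.xlsm', '.docm', '.webp', '.heic', '.mpeg')

    $notes = @()      # full paths of README.hta ransom notes
    $hits  = @{}      # directory -> number of files with a Cerber-style extension

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -ieq 'README.hta') {
                $notes += $_.FullName
            }
            elseif ($_.Extension -match $cerberExt -and
                    $knownExts -notcontains $_.Extension.ToLower()) {
                $dir = $_.DirectoryName
                $hits[$dir] = 1 + [int]$hits[$dir]   # missing key counts as 0
            }
        }

    [pscustomobject]@{
        RansomNotes             = $notes
        RenamedFilesByDirectory = $hits
    }
}

$result = Find-CerberArtifacts -Root 'C:\Users'
"Ransom notes found: $($result.RansomNotes.Count)"
$result.RansomNotes | Select-Object -First 10
"Directories holding Cerber-style renamed files (top 20):"
$result.RenamedFilesByDirectory.GetEnumerator() |
    Sort-Object Value -Descending | Select-Object -First 20 |
    Format-Table @{ n = 'Directory'; e = { $_.Key } }, @{ n = 'Files'; e = { $_.Value } } -AutoSize
```

Directories with many hits and a README.hta alongside them are the ones to prioritise when restoring from backup.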

Once this is done, Cerber ransomware changes the wallpaper to its distinctive 4.1.0 notification.

(Image: Cerber pseudo ransom note wallpaper)

The note prompts users to open the Cerber 4.1.0 payment page, which includes more instructions on how to pay the ransom:

(Image: Cerber payment page)

Remove Cerber 4.1.0 Ransomware and Restore Randomly Encrypted Files

The bottom line is that Cerber continues to evolve, and rather fast, almost as if it were competing with the other big “player” in the ransomware world, the Locky virus. Anyone who has become an unfortunate victim and sees the above image as their wallpaper is advised to remove the virus immediately and then try the alternative methods in step “2. Restore files encrypted by Cerber 4.1.0” below.

Manually delete Cerber 4.1.0 from your computer

Note! Important notice about the Cerber 4.1.0 threat: manual removal of Cerber 4.1.0 requires interfering with system files and registry entries and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Cerber 4.1.0 files and objects
2. Find malicious files created by Cerber 4.1.0 on your PC

Automatically remove Cerber 4.1.0 by downloading an advanced anti-malware program

1. Remove Cerber 4.1.0 with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Cerber 4.1.0
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.


  • crapcbm

    removing is not the problem
    but as we can see here, you all only copy the removal, but have really no clue how to recrypt the files
    so poor … hanging brain?
