Remove Red CERBER Ransomware’s 2017 Update

This article aims to look into CERBER 2017 ransomware and show you how to remove it from your computer and try to get encrypted files back.

The notorious CERBER ransomware has just received its first major update since 2017 and now uses “_HELP_DECRYPT_{RANDOM}.hta” in addition to the older “_{RANDOM}_README_.hta” ransom note file. Even though the new version does not show it on the surface, the update was incremental: the virus has changed the way it spreads and some elements of its post-infection activity as well. Keep reading to learn what the new variant of the virus has in store for this year's victims.

Threat Summary

Name: CERBER
Type: Ransomware Virus
Short Description: This Cerber ransomware variant encrypts files with the RSA-512 cipher and the RC4 encryption algorithm, appends four randomly generated A-Z/0-9 characters (e.g. .z33f) as a file extension to the encrypted files and demands a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible to any type of software. A ransom note with instructions for paying the ransom is shown as “_{random}_README_.hta” and “_HELP_DECRYPT_{RANDOM}.hta” files. An audio message is also played after encryption.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks, Malicious Executables on Torrent Trackers.

2017 CERBER Ransomware’s Distribution

To spread the new ransomware variant of CERBER widely, the virus uses a powerful combination of the following:

  • Nemucod downloader.
  • RIG-V exploit kit.

To successfully infect users with the payload, the distribution strategy for spreading the malicious file has also changed. CERBER has now been detected in a .js dropper: a malicious JavaScript file concealed in what appears to be a document with a random name, for example:

  • DOC442392930-PDF_23ruf39.js

The file may come in a .zip or a .rar archive, accompanied by various e-mail messages that aim to convince the unsuspecting user to open it. One of the examples spotted in association with CERBER ransomware is the following malicious e-mail sent to a victim:

After the user opens the malicious attachment, CERBER gets down to business and begins to download one of the following malicious files (listed with their hashes), detected at infosec:

  • 1.exe with 3e4798c2b808b7dbad7f80b397dc97df
  • 124.exe with 9c73dfc02bf01fc1da8efc349d23646b
  • read.php?f=0.dat with d958463bf73128114b59c3f9a65bfc19
  • 4DUi5.exe with 794a556c1a98f70673a5ba3ed791382f
  • user.php?f=1.dat with 8abc023a9ebb7188881fabb747b4f68d

After those files have been downloaded onto the user’s computer, the ransomware prepares to encrypt files. To do this, the virus performs a series of activities:

  • Drops files that resemble clean files.
  • Reads the trust settings on Windows.
  • Scans for names and processes and creates new processes.
  • Drops multiple files (one each of .bmp, .js, .jpg, .hta, .svg, .dll and .tmp).
  • Modifies wscript.exe to modify files in %System32% and the Microsoft directories. Among the modified files are rsaenh.dll, WScript.exe, WScript.exe.mui, sortdefault.nls, wshom.ocx, stdole2.tlb, KERNELBASE.dll.mui and msxml3.dll.
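As an added defender-side example that is not part of the original article, the Python script below scans a directory tree for the indicators the article lists: the hashes of the downloaded files (assumed to be MD5 from their 32-hex-character length), the two ransom-note file names (_HELP_DECRYPT_{RANDOM}.hta and _{RANDOM}_README_.hta), and files carrying the random four-character extension that sit next to a ransom note. The demo directory tree, the fake dropper content and its hash are constructed for the example; the allow-list of common four-letter extensions is my own assumption, added because .html, .docx and similar names would otherwise match the same pattern.

```python
"""Added example (not from the article): scan a directory tree for the
Cerber indicators described above."""
import hashlib
import os
import re
import shutil
import tempfile

# Hashes of the downloaded files as listed in the article (assumed MD5).
CERBER_MD5 = {
    "3e4798c2b808b7dbad7f80b397dc97df": "1.exe",
    "9c73dfc02bf01fc1da8efc349d23646b": "124.exe",
    "d958463bf73128114b59c3f9a65bfc19": "read.php?f=0.dat",
    "794a556c1a98f70673a5ba3ed791382f": "4DUi5.exe",
    "8abc023a9ebb7188881fabb747b4f68d": "user.php?f=1.dat",
}

# Ransom note names: _HELP_DECRYPT_{RANDOM}.hta and _{RANDOM}_README_.hta
RANSOM_NOTE_RE = re.compile(
    r"^(?:_HELP_DECRYPT_[A-Za-z0-9]+|_[A-Za-z0-9]+_README_)\.hta$", re.IGNORECASE)

# Encrypted files get a four-character A-Z/0-9 extension such as .z33f.
# Legitimate four-letter extensions match the same pattern, so a small
# allow-list (my assumption, extend as needed) keeps the obvious ones out.
RANDOM_EXT_RE = re.compile(r"\.([A-Za-z0-9]{4})$")
COMMON_4CHAR_EXTS = {"html", "docx", "xlsx", "pptx", "json", "jpeg", "tiff",
                     "webp", "mpeg", "flac", "yaml", "toml", "java", "conf"}


def md5_of_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ransom_note(name):
    return RANSOM_NOTE_RE.match(name) is not None


def has_random_extension(name):
    m = RANDOM_EXT_RE.search(name)
    return m is not None and m.group(1).lower() not in COMMON_4CHAR_EXTS


def scan_directory(root, known_hashes=CERBER_MD5):
    """Return {"payloads": [(path, label)], "ransom_notes": [path],
    "suspect_encrypted": [path]}.  A random-looking extension is only
    reported when a ransom note sits in the same directory; on its own the
    extension pattern is too weak an indicator."""
    result = {"payloads": [], "ransom_notes": [], "suspect_encrypted": []}
    for dirpath, _, filenames in os.walk(root):
        notes = [n for n in filenames if is_ransom_note(n)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in known_hashes:
                result["payloads"].append((path, known_hashes[digest]))
        result["ransom_notes"].extend(os.path.join(dirpath, n) for n in notes)
        if notes:
            result["suspect_encrypted"].extend(
                os.path.join(dirpath, n) for n in filenames
                if has_random_extension(n) and not is_ransom_note(n))
    return result


def demo():
    """Build a constructed directory tree, scan it and return the findings.
    The dropper bytes and their hash are made up; real samples are not used."""
    base = tempfile.mkdtemp(prefix="cerber_demo_")
    infected = os.path.join(base, "Documents")
    clean = os.path.join(base, "Pictures")
    os.makedirs(infected)
    os.makedirs(clean)
    files = {
        os.path.join(infected, "_HELP_DECRYPT_ab12.hta"): b"<html>ransom note</html>",
        os.path.join(infected, "_ab12_README_.hta"): b"<html>ransom note</html>",
        os.path.join(infected, "report.z33f"): b"\x00\x11\x22encrypted",
        os.path.join(infected, "index.html"): b"<html>benign</html>",
        os.path.join(infected, "1.exe"): b"MZ constructed fake dropper",
        # four-character extension but no ransom note in this directory
        os.path.join(clean, "holiday.ab3d"): b"not flagged without a note",
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    hashes = dict(CERBER_MD5)
    hashes[md5_of_file(os.path.join(infected, "1.exe"))] = "1.exe (constructed)"
    try:
        return scan_directory(base, hashes)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(kind, hits)
```

The hash match is the only strong indicator here; the note-name and extension checks are heuristics, which is why a random extension is reported only when a ransom note is present in the same directory. On a real host the allow-list should be extended to the extensions in use there before trusting the `suspect_encrypted` list.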

Interestingly enough, this CERBER update no longer deletes the shadow volume copies of the infected computer, so if you have set up File History you can use the shadow volume copy method from the instructions below to restore your files.

After the files are encrypted, the situation is much the same as with the previously updated Red CERBER Ransomware variant.

The virus also drops the very same ransom note it usually uses:

It also drops its original .hta file, which carries the same message; no changes there.

2017 CERBER Ransomware – The Bottom Line and How to Remove

In conclusion, CERBER has become a little less dangerous, since it no longer deletes shadow volume copies, but the virus has been configured to infect even more users by using the harder-to-detect Nemucod downloader and the latest RIG-V exploit kit. On top of that, CERBER ransomware still uses the same strong encryption combination. Not paying the ransom and removing the virus is still the advisable course.

If you want to remove CERBER Ransomware completely without paying the ransom to cyber-criminals, please see the removal tutorial below. It is designed to help you scan for and delete the virus fully, and it offers several file restoration alternatives that might recover the files this virus encrypted.

Manually delete CERBER from your computer

Note! Important notice about the CERBER threat: manual removal of CERBER requires interfering with system files and registry entries and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove CERBER files and objects
2. Find malicious files created by CERBER on your PC

Automatically remove CERBER by downloading an advanced anti-malware program

1. Remove CERBER with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by CERBER

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
