Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Updated Cerber Ransomware _README_{RAND}_.hta Remove and Restore Encrypted Files

cerber-ransomware-_readme_-hta-sensorstechforum-attention-encryption-2016The 1st of December marked the beginning of a new Cerber ransomware virus with several interesting changes. The ransomware again wants it’s victims to pay a hefty sum of 499$ to get back the files, which are encrypted via RSA-512 cipher in a RC4 encryption method. Cerber also goes back to it’s roots adding the old sound message, and adds a red ransom note accompanied by a sound message, just like the first version of Cerber did. In case you have been infected by this variant of the ransomware virus, we advise you read the following article to familiarize yourself with the virus, remove it and try to decrypt your files.

Threat Summary

Name Cerber _README_{RAND}_.hta
Type Ransomware Virus
Short Description This Cerber _README_.hta ransomware variant encrypts files with the RSA-512 cipher and an RC4 encryption algorithm adding four randomly generated A-Z 0-9 characters(ex. .z33f) as a file extension to the encrypted files and asks a ransom payoff for decryption.
Symptoms Files are enciphered and become inaccessible by any type of software. A ransom note with instructions for paying the ransom shows as a “_README_{random}.hta” file. Also adds the following audio message after encryption:
Distribution Method Spam Emails, Email Attachments, File Sharing Networks, Malicious Executable in Torrent Trackers.
Detection Tool See If Your System Has Been Affected by Cerber _README_{RAND}_.hta

Download

Malware Removal Tool

Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.
User Experience Join our forum to Discuss Cerber Ransomware.

Cerber _README_.hta December 2016 Variant – What Is New

Unlike the previous versions of Cerber which are with 3 digit versions (5.0.0, 5.0.1, 4.1.6, etc.), this version has a red wallpaper which it changes after the encryption and does not have a version, very similar to the first Cerber ransomware virus, which is also decryptable. The wallpaper it sets has the same message and leads to the very same Cerber Decryptor web page, asking 499$ but looks like the following:

cerber-sensorstechforum-wallpaper-ransowmare-infection

This virus also uses the very same tactics the modern Cerber version use. It attacks computers via a phishing e-mail which aims to infect via an e-mail attachment, like the following example:

“Topic: Suspicious Bank Account Activity
Hello, we at your bank have been informed of a suspicious financial activity on your bank account. Please review the Document Number 3882-124442 from {date} for more information.
Best Regards
{Bank manager fake name}
{copied phone number}
{copied address of a bank office}”

What is new regarding how Cerber _README_.hta spreads are that it also takes advantage of the Tor network as well as Google to spread a malicious script that infects via a corrupt svchost32.exe fake process. This redirect via the Tor network proxies means that it is with higher difficulty to identify the infection hosts associated with the Cerber _README_.hta crypto virus.

Cerber _README_.hta – Activity After Infection

After infecting the user, not a lot is changed. Cerber ransomware begins to shut down the following system processes if they are active on the compromised computer:

→ bootsect.bak
iconcache.db
ntuser.dat
thumbs.db

But the malware does not stop there. The Cerber _README_.hta version also goes through a lot of troubles to shut down significant database processes to allow it to uninterruptedly encrypt databases:

→ msftesql.exe
sqlagent.exe
sqlbrowser.exe
sqlservr.exe
sqlwriter.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
mydesktopqos.exe
agntsvc.exeisqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
agntsvc.exeagntsvc.exe
agntsvc.exeencsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe

If those processes are active, they will stop the virus from encrypting the databases, and this is the main reason they are shutdown in a force mode.

Regarding the file encryption, the Cerber _README_.hta iteration is focused on attacking even wider database of file extensions. Here are the file types that surely be encrypted on your computer if you have them there and become infected by this iteration:

→ ” .123″, ” .1cd”, “.3dm”, “.3ds”, “.3fr”, “.3g2”, “.3gp”, “.3pr”, “.602”, “.7z”, “.7zip”, “.aac”, “.ab4”, “.abd”, “.acc”, “.accdb”, “.accde”, “.accdr”, “.accdt”, “.ach”, “.acr”, “.act”, “.adb”, “.adp”, “.ads”, “.aes”, “.agdl”, “.ai”, “.aiff”, “.ait”, “.al”, “.aoi”, “.apj”, “.apk”, “.arc”, “.arw”, “.ascx”, “.asf”, “.asm”, “.asp”, “.aspx”, “.asset”, “.asx”, “.atb”, “.avi”, “.awg”, “.back”, “.backup”, “.backupdb”, “.bak”, “.bank”, “.bat”, “.bay”, “.bdb”, “.bgt”, “.bik”, “.bin”, “.bkp”, “.blend”, “.bmp”, “.bpw”, “.brd”, “.bsa”, “.bz2”, “.c”, “.cash”, “.cdb”, “.cdf”, “.cdr”, “.cdr3”, “.cdr4”, “.cdr5”, “.cdr6”, “.cdrw”, “.cdx”, “.ce1”, “.ce2”, “.cer”, “.cfg”, “.cfn”, “.cgm”, “.cib”, “.class”, “.cls”, “.cmd”, “.cmt”, “.config”, “.contact”, “.cpi”, “.cpp”, “.cr2”, “.craw”, “.crt”, “.crw”, “.cry”, “.cs”, “.csh”, “.csl”, “.csr”, “.css”, “.csv”, “.d3dbsp”, “.dac”, “.das”, “.dat”, “.db”, “.db3”, “.db_journal”, “.dbf”, “.dbx”, “.dc2”, “.dch”, “.dcr”, “.dcs”, “.ddd”, “.ddoc”, “.ddrw”, “.dds”, “.def”, “.der”, “.des”, “.design”, “.dgc”, “.dgn”, “.dif”, “.dip”, “.dit”, “.djv”, “.djvu”, “.dng”, “.doc”, “.docb”, “.docm”, “.docx”, “.dot”, “.dotm”, “.dotx”, “.drf”, “.drw”, “.dtd”, “.dwg”, “.dxb”, “.dxf”, “.dxg”, “.edb”, “.eml”, “.eps”, “.erbsql”, “.erf”, “.exf”, “.fdb”, “.ffd”, “.fff”, “.fh”, “.fhd”, “.fla”, “.flac”, “.flb”, “.flf”, “.flv”, “.forge”, “.fpx”, “.frm”, “.fxg”, “.gbr”, “.gho”, “.gif”, “.gpg”, “.gray”, “.grey”, “.groups”, “.gry”, “.gz”, “.h”, “.hbk”, “.hdd”, “.hpp”, “.html”, “.hwp”, “.ibank”, “.ibd”, “.ibz”, “.idx”, “.iif”, “.iiq”, “.incpas”, “.indd”, “.info”, “.info_”, “.iwi”, “.jar”, “.java”, “.jnt”, “.jpe”, “.jpeg”, “.jpg”, “.js”, “.json”, “.k2p”, “.kc2”, “.kdbx”, “.kdc”, “.key”, “.kpdx”, “.kwm”, “.laccdb”, “.lay”, “.lay6”, “.lbf”, “.lck”, “.ldf”, “.lit”, “.litemod”, “.litesql”, “.lock”, “.ltx”, “.lua”, “.m”, “.m2ts”, “.m3u”, “.m4a”, “.m4p”, “.m4u”, “.m4v”, “.ma”, “.mab”, “.map “.max”, “.mbx”, “.md”, “.mdb”, “.mdc”, “.mdf”, “.mef”, “.mfw”, “.mid”, “.mkv”, “.mlb”, “.mml”, “.mmw”, “.mny”, “.money”, “.moneywell”, “.mos”, “.mov”, “.mp3”, “.mp4”, “.mpeg”, “.mpg”, “.mrw”, “.ms11”, “.msf”, “.msg”, “.mts”, “.myd”, “.myi”, “.nd”, “.ndd”, “.ndf”, “.nef”, “.nk2”, “.nop”, “.nrw”, “.ns2”, “.ns3”, “.ns4”, “.nsd”, “.nsf”, “.nsg”, “.nsh”, “.nvram”, “.nwb”, “.nx2”, “.nxl”, “.nyf”, “.oab”, “.obj”, “.odb”, “.odc”, “.odf”, “.odg”, “.odm”, “.odp”, “.ods”, “.odt”, “.ogg”, “.oil”, “.omg”, “.one”, “.onenotec2”, “.orf”, “.ost”, “.otg”, “.oth”, “.otp”, “.ots”, “.ott”, “.p12”, “.p7b”, “.p7c”, “.pab”, “.pages”, “.paq”, “.pas”, “.pat”, “.pbf”, “.pcd”, “.pct”, “.pdb”, “.pdd”, “.pdf”, “.pef”, “.pem”, “.pfx”, “.php”, “.pif”, “.pl”, “.plc”, “.plus_muhd”, “.pm”, “.pm!”, “.pmi”, “.pmj”, “.pml”, “.pmm”, “.pmo”, “.pmr”, “.pnc”, “.pnd”, “.png”, “.pnx”, “.pot”, “.potm”, “.potx”, “.ppam”, “.pps”, “.ppsm”, “.ppsx”, “.ppt”, “.pptm”, “.pptx”, “.prf”, “.private”, “.ps”, “.psafe3”, “.psd”, “.pspimage”, “.pst”, “.ptx”, “.pub”, “.pwm”, “.py”, “.qba”, “.qbb”, “.qbm”, “.qbr”, “.qbw”, “.qbx”, “.qby”, “.qcow”, “.qcow2”, “.qed”, “.qtb”, “.r3d”, “.raf”, “.rar”, “.rat”, “.raw”, “.rb”, “.rdb”, “.re4”, “.rm”, “.rtf”, “.rvt”, “.rw2”, “.rwl”, “.rwz”, “.s3db”, “.safe”, “.sas7bdat”, “.sav”, “.save”, “.say”, “.sch”, “.sd0”, “.sda”, “.sdb”, “.sdf”, “.secret”, “.sh”, “.sldm”, “.sldx”, “.slk”, “.slm”, “.sql”, “.sqlite”, “.sqlite-shm”, “.sqlite-wal”, “.sqlite3”, “.sqlitedb”, “.sr2”, “.srb”, “.srf”, “.srs”, “.srt”, “.srw”, “.st4”, “.st5”, “.st6”, “.st7”, “.st8”, “.stc”, “.std”, “.sti”, “.stl”, “.stm”, “.stw”, “.stx”, “.svg”, “.swf”, “.sxc”, “.sxd”, “.sxg”, “.sxi”, “.sxm”, “.sxw”, “.tar”, “.tax”, “.tbb”, “.tbk”, “.tbn”, “.tex”, “.tga”, “.tgz”, “.thm”, “.tif”, “.tiff”, “.tlg”, “.tlx”, “.txt”, “.uop”, “.uot”, “.upk”, “.usr”, “.vb”, “.vbox”, “.vbs”, “.vdi”, “.vhd”, “.vhdx”, “.vmdk”, “.vmsd”, “.vmx”, “.vmxf”, “.vob”, “.vpd”, “.vsd”, “.wab”, “.wad”, “.wallet”, “.war”, “.wav”, “.wb2”, “.wk1”, “.wks”, “.wma”, “.wmf”, “.wmv”, “.wpd”, “.wps”, “.x11”, “.x3f”, “.xis”, “.xla”, “.xlam”, “.xlc”, “.xlk”, “.xlm”, “.xlr”, “.xls”, “.xlsb”, “.xlsm”, “.xlsx”, “.xlt”, “.xltm”, “.xltx”, “.xlw”, “.xml”, “.xps”, “.xxx”, “.ycbcra” “.yuv”, “.zip”

To encrypt those files the _README_.hta version of Cerber uses 5 blocks of code in the files which are encrypted, not the whole files. Those blocks are encrypted via the RC4 encryption method which generates a unique key the size of 256 bits. In addition to this, the ransomware also uses the cipher RSA (Rivest Shamir Adleman) algorithm with a strength of 512 bit to further increase encryption of the files. This encryption then generates a unique RSA key which may either be stored on the victim’s computer or be sent via POST traffic via port 6482 on the TCP and UDP protocols to IP addresses 15.49.2.0/27, 122.1.13.0/27, 194.165.16.0/23. So far, it has not been established whether or not the sent information is encrypted, but this is likely the case.

Similar to other versions of Cerber, this one may also change the names of the encrypted files and render them useless. The files may appear like the following and completely non-recognizable:

cerber-ransomware-file-encrypted-sensorsrtechforum

After the encryption process is complete, Cerber changes the wallpaper to the new one and in addition to this adds a _README_.hta type of file with 4 random digits, similar to a unique ID for this specific infection. The file may look like the following:

_readme_hta-cerber-ransowmare-december-2016-sensorstechforum-com

Both the wallpaper and the _README_.hta file have a unique web-link which is Tor-based and focused on leading the victim to the genuine Cerber web page, demanding the user to pay approximately 500 dollars and giving a deadline with a countdown timer:

cerber-ransomware-4-1-6-payment-page-sensorstechforum-com

Cerber _README_.hta is also very careful when it comes to encrypting folder. The ransomware goes as far as whitelisting folders which it does not encrypt to keep the operating system in a working state:

→ \\documents and settings\\all users\\documents\\
\\appdata\\roaming\\microsoft\\office\\
\\excel\\
\\microsoft sql server\\
\\onenote\\
\\outlook\\
\\powerpoint\\
\\steam\\
\\the bat!\\
\\thunderbird\\

December 2016 Cerber Ransomware – Conclusion, Removal and File Restoration Tips

In case you happen to become an unfortunate victim of this iteration of Cerber ransomware, recommendations are not to focus on paying the ransom. This is not a guarantee your files will be gotten back to you, and furthermore, you support criminal entities in developing Cerber _README_.hta further as well as infecting more users. Instead, we advise following the below-mentioned instructions to remove the virus. In case you are having trouble in manually removing Cerber from your computer, advices are to do it automatically with an advanced anti-malware program which will take care of this threat for you swiftly and remove all of its objects created in various Windows folders and Windows Registry Edior as well.

After removing Cerber _README_.hta, we urge you to immediately create several copies of all the encrypted files that are important for you. Then, you can use one of those copies to try the traditional Cerber decryption instructions from this web link.

They are not for this version of Cerber and may not work, but you are welcome to attempt them and the alternative file restoration methods from step “2. Restore Files Encrypted by Cerber _README_.hta” below. They are also not 100% to succeed, but with the “Deep Scan” features of one of them, there is a chance you will restore some of your files if you haven’t reformatted your hard drive.

Manually delete Cerber _README_{RAND}_.hta from your computer

Note! Substantial notification about the Cerber _README_{RAND}_.hta threat: Manual removal of Cerber _README_{RAND}_.hta requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cerber _README_{RAND}_.hta files and objects
2.Find malicious files created by Cerber _README_{RAND}_.hta on your PC

Automatically remove Cerber _README_{RAND}_.hta by downloading an advanced anti-malware program

1. Remove Cerber _README_{RAND}_.hta with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Cerber _README_{RAND}_.hta

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

  • On 12 december 2016 I got the newest version of cerber on my PC. All my files were encrypted with the extensions 9150 file, I had a hell of a job to clean my PC with antimalware and super antispyware. I consider my files to be lost after some fruitless attempts to decipher them. When I started to remove them by searching for the 9150 string, I found that almost all the keys in the Programdata/ microsoft/ Crypto/ RSA /S-1-5-18 folder and in the Programdata/ microsoft/ Crypto /RSA /Machine folder, contained the 9150 string in a code string that looks like a normal microsoft code, is this coincidence or are these (system) keys somehow manipulated or created by cerber?? I found the same string in appdata roaming always within the same surrounding more complex code

    • Hello buddy!
      Glad you wrote us. We will try and help. Can you please send us the full string so we can do a check up on that? e-mail me at idunn0@abv.bg an encrypted file, the string and if you have a screenshot to see what version you’ve got hit by that’d be great. We receive a lot of e-mails, so make sure the subject is – “RANSOM-C” so that I know it’s you! Thanks in advance.

      • Eduardo Tebes

        Hola yo fui infectado los primeros días de diciembre y mis archivos jpg cambiaron por B6D3, tengo archivos cifrados, tengo el mail con el virus, la nota de rescate, podras ayudarme?

        • Hola. At the moment, there is no decryption. Please save copies of the encrypted files in case a decryptor is released. In the meantime you may want to try the alternative tools from step “2. Restore files encrypted by Cerber…” . But backup the encrypted files first!

        • Hola, yo hablo espanol todo poquitto. Hablo en ingles?

  • soul badguy

    my laptop has been attacked by cerber ransomware extension.9c8b. PLs help me

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.